
Thread: Critical VB Update Released

  1. #1
    Full Member Marshall
    Join Date
    May 2004
    Posts
    69

    Critical VB Update Released

    Not sure if you have heard yet, as the forum is still 3.0.3, but there was version 3.0.5 released which fixes a big security issue in vB if you have register_globals on. It is at http://www.vbulletin.com/forum/showthread.php?t=125480


    vBulletin 3.0.5



    Critical Update

    The discovery of a serious security vulnerability in versions of vBulletin 3 up to and including 3.0.4 has necessitated the immediate release of a version to plug the hole.

    The vulnerability affects anyone running vBulletin 3 on PHP 4 with register_globals enabled in php.ini.

    This is a CRITICAL update, and we urge all affected customers to upgrade vBulletin with the utmost urgency.

    vBulletin 3.0.5 includes all the updates recently released as part of vBulletin 3.0.4, including a long list of fixes for minor annoyances and bugs found since version 3.0.3.

    If you are running vB 3.0.0, 3.0.1, 3.0.2, 3.0.3 or 3.0.4 and are unable to upgrade immediately, we recommend that you download the init.php file attached to this message and overwrite the init.php in the includes folder of your existing vBulletin installation. This will patch the flaw. If you are running a RC or Beta version of vB 3, you will need to upgrade to 3.0.5 now. Note that this version of init.php supersedes the init.php patch available with the 3.0.4 release.



    Important Warning About Sensitive Data

    Due to the nature of the vulnerability discovered in vBulletin 3, and as part of our ongoing effort to maximize security, we must assume that one or all of the vBulletin servers may have been compromised.

    Therefore, we would STRONGLY RECOMMEND that any customers who may have submitted sensitive data, such as vBulletin admin control panel or server login details, to Jelsoft staff in the past should take steps to alter these details, so that any information that may have been accessed by an unauthorized party could not be used.

    We would like to reassure our customers that Jelsoft keeps NO RECORD of credit card numbers used in transactions, making it impossible for these details to be discovered or abused.

    Additionally, steps have been taken and are ongoing to ensure that any potentially leaked data does not contain sensitive data.



    Security Issues in PHP 4.3.9, 5.0.2 and Older

    As we have mentioned before, a security issue was detected in PHP versions up to and including 4.3.9 and 5.0.2. Updated versions have been released by the PHP team.

    The internet is currently crawling with worms hunting for vulnerable servers, with many sites having fallen foul of these bugs already. We would therefore remind our customers to upgrade to the latest versions of PHP as soon as possible.

    The updated PHP versions, which fix the vulnerability, are:
    PHP 4.3.10
    PHP 5.0.3



    Backing Up Your Forums

    Please be sure to check that your backups are complete before continuing with an upgrade. We had reports that PHP was causing timeout errors when creating the backup SQL, and this was causing incomplete or corrupted backups. The safest way to do a backup is to use the mysqldump utility through SSH/Telnet, as it will not suffer from any such problems. Full instructions for backing up your database are available in the vBulletin 3 Manual.
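
The conditions in the announcement above (affected vBulletin and PHP versions, register_globals in php.ini, and a complete mysqldump backup before upgrading) can be checked with a few shell helpers. This is an added example, not part of the original post or of vBulletin's own tooling; the function names are hypothetical, the version strings and file paths are supplied by the caller, and the backup check assumes mysqldump was run with its default comment output.

```shell
#!/bin/sh
# Added example: triage helpers for the conditions named in the announcement.

# Succeeds if the last register_globals line in php.ini file $1 enables it.
# Assumption: a missing directive means Off (the default since PHP 4.2.0).
register_globals_on() {
    val=$(sed 's/;.*$//' "$1" |
        awk -F= 'tolower($1) ~ /^[ \t]*register_globals[ \t]*$/ { v = $2 }
                 END { print v }' |
        tr -d ' \t\r"' | tr 'A-Z' 'a-z')
    case "$val" in 1|on|yes|true) return 0 ;; *) return 1 ;; esac
}

# Succeeds if dotted version $1 is numerically lower than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Succeeds if PHP version $1 predates the fixed releases 4.3.10 / 5.0.3.
php_needs_update() {
    case "$1" in
        4.*) version_lt "$1" 4.3.10 ;;
        5.*) version_lt "$1" 5.0.3 ;;
        *) return 1 ;;   # other branches are outside what the announcement covers
    esac
}

# Succeeds for the affected combination: vBulletin 3.0.0-3.0.4 ($1) on
# PHP 4 ($2) with register_globals enabled in php.ini ($3). It cannot tell
# whether the patched init.php has already been installed.
vb_affected_config() {
    case "$1" in 3.0.[0-4]) ;; *) return 1 ;; esac
    case "$2" in 4.*) ;; *) return 1 ;; esac
    register_globals_on "$3"
}

# Succeeds if dump file $1 ends with mysqldump's "-- Dump completed" trailer,
# which is absent when comments are disabled or the dump was cut short.
dump_is_complete() {
    tail -n 5 "$1" | grep -q '^-- Dump completed'
}
```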

  2. #2
    WebmasterLingo greggcz
    Join Date
    Jan 2004
    Location
    Clifton, NJ
    Posts
    114
    Even though I did not update the whole site (too many customizations ?) I patched the hole so we're safe
    WebmasterLingo - It's all about your website..

  3. #3
    Active Member bluzman32
    Join Date
    Dec 2004
    Posts
    124
    Does vbulletin allow public access to the upgrades if you own a lifetime license or did you have to pay for the upgrade?

  4. #4
    WebmasterLingo greggcz
    Join Date
    Jan 2004
    Location
    Clifton, NJ
    Posts
    114
    Quote Originally Posted by bluzman32
    Does vbulletin allow public access to the upgrades if you own a lifetime license or did you have to pay for the upgrade?

    Good question, I'd like to know myself.


    BTW: WML is already updated to latest version
    WebmasterLingo - It's all about your website..

  5. #5
    WebmasterLingo greggcz
    Join Date
    Jan 2004
    Location
    Clifton, NJ
    Posts
    114
    I should also mention that we in fact got hacked because of that security hole. Hackers did not change any files but they did attempt to install some IRC and DDoS perl scripts.
    WebmasterLingo - It's all about your website..

  6. #6
    Active Member bluzman32
    Join Date
    Dec 2004
    Posts
    124
    I believe I have heard that lifetime licenses do not get access to upgraded versions and must pay a little extra for the updates, but I am not all that sure about it.
