PSDPlayer
03-12-2007, 03:22 AM
An exploit was recently reported which affects vBulletin versions 3.5.x and 3.6.x. Although the report is inaccurate and the published exploit does not work as claimed unless a highly unlikely set of circumstances exists, it has highlighted a potential security issue in these vBulletin versions.
Therefore, we have decided to release updated versions, these being vBulletin 3.5.8 and 3.6.5. We recommend that all customers running vBulletin 3.5.x or 3.6.x upgrade to the appropriate version or apply the supplied patch as soon as possible.
It is worth noting that in order to exploit the problem highlighted by the report, the attacking user must satisfy the following conditions:
* Must already have moderator privileges
* Must share the same IP address as an existing administrator who is currently logged in to the Admin Control Panel
* Must know the Alt-IP and user agent (exact browser identification) of the administrator OR must know the license number of the site being attacked
Given these requirements, the privilege escalation exploit claimed by the report is almost impossible to achieve.
---------- ADDITIONAL NOTES FOR VBULLETIN 3.6.5 -----------
As well as fixing the security flaw described above, version 3.6.5 also contains fixes for a number of minor bugs affecting Safari cookies, IE7 compatibility, infractions and recent FreeBSD PHP installations. Details of the bugs fixed can be found via the URL listed above.
So we upgraded.