Thanks For Visiting Us At vBModder. Join Today!

Go Back   vBulletin Modification Discussions > Site Business > News and Announcements > Jelsoft vBulletin Announcements
Reload this Page

vBulletin 3.6.5 Released

Home Register FAQ Members List Calendar Mark Forums Read
vBSEO Info Tags

Reply
 
LinkBack Thread Tools
Old 03-01-2007, 03:08 PM   #1 (permalink)
Administrator
 
Code Monkey's Avatar
 
Join Date: May 2006
Posts: 2,193
Code Monkey is on a distinguished road
iTrader: (0)
Post vBulletin 3.6.5 Released
vBulletin 3.6.5



This morning, an exploit was reported, which affects vBulletin versions 3.5.x and 3.6.x. Although the report is inaccurate and the published exploit does not work as claimed unless a highly unlikely set of circumstances exist, it has highlighted a potential security issue in these vBulletin versions.



Therefore, we have decided to release updated versions, these being vBulletin 3.5.8 and 3.6.5. We recommend that all customers running vBulletin 3.5.x or 3.6.x upgrade to the appropriate version or apply the supplied patch as soon as possible.



It is worth noting that in order to exploit the problem highlighted by the report, the attacking user must satisfy the following conditions:
  • Must already have moderator privileges
  • Must share the same IP address (or the number of IP octets specified in the Admin Control Panel for IP address matching) with an existing administrator who is currently logged in to the Admin Control Panel
  • Must know the Alt-IP and user agent (exact browser identification) of the administrator
  • OR must know the license number of the site being attacked
Given these requirements, the privilege escalation exploit claimed by the report is almost impossible to achieve.







Bugs Fixed in vBulletin 3.6.5



The Security Flaw
The reported security flaw described in this announcement, which could potentially allow a SELECT query to be hijacked, has been addressed.
Safari Cookies
A problem where users of the Apple browser Safari would be logged off the system prematurely when vBulletin runs on specific servers has been resolved.

More info...
Internet Explorer 7 Compatability
Much has been said about Microsoft's decision to make the Javascript prompt() function throw a security warning whenever it is called. This change resulted in vBulletin's text editor system throwing security warnings whenever a user tried to insert an image or an email link. The use of prompt() for Internet Explorer 7 users has now been discontinued in favour of an alternative method of collecting user input.

More info...



Additionally, improvements in Internet Explorer 7 mean that certain aspects of the vBulletin pop-up menu system, which were previously required to circumvent rendering issues, can now be bypassed. Most notable amongst these is the code that hides all <select> elements that would intersect with the menu when opened.
Fix for Infractions Bug
A problem where infraction expiration was not cleaned-up properly has been addressed.

More info...
Workaround for a FreeBSD Regular Expression Error on Login
Some users running recent versions of PHP running on FreeBSD have encountered a bug in the regular expression engine that caused an error to be shown when logging in. We have worked around this problem. However, it may still appear in other areas, so we are trying to find a proper fix for the issue.




Updating your vBulletin to Fix the Potential Exploit



There are two ways in which you can fix the potential exploit in your version of vBulletin:
  1. Full Upgrade: The best way to fix the problem is to perform a full upgrade by downloading the complete 3.6.5 package from the vBulletin Members' Area and following the regular upgrade instructions.
  2. Patch: A second option is to download the patch files discussed in this thread and upload them to your web server, overwriting the existing files. The patch is available from the Members' Area patch page or you can find it attached to this thread.
Please note that vBulletin 3.6.5 requires at least PHP 4.3.3 and MySQL 4.0.16 or later.







A Note Regarding vBulletin 3.6.6



The publication of this exploit has required a swift release of an updated version to fix the published problem. The original intention for vBulletin 3.6.5 had been to include a number of other bug fixes and improvements that have been reported since 3.6.4.



Unfortunately, the necessity of bringing out a version quickly to fix the exploit has meant that many of these fixes have not had sufficient time to be fully tested to the extent that we would like and have therefore been kept back for vBulletin 3.6.6.



We understand that this may be frustrating to our customers, and in order to minimize the inconvenience, we have ensured that this vBulletin 3.6.5 release contains no template or phrase changes, which will hopefully make upgrading as painless as possible.





Link To Original Article

__________________
Please do not PM me unless it's personal. General vBulletin or mod questions by PM will be ignored.

Try the vBSEO Demo

Click here for Instant Community
Code Monkey is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Sponsored Links

Reply

« Previous Thread | Next Thread »



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
Smilies are On
[IMG] code is On
HTML code is On
Trackbacks are On
Pingbacks are On
Refbacks are On


Powered by: vBulletin Version® 3.6.4, Copyright ©2000 - 2006, Jelsoft Enterprises Limited.
A vBSkinworks Design Recoded By vBModder.
All Code Distributed On This Site is © 2006 by it's author.
Search Engine Optimization by vBSEO 3.1.0

All times are GMT -7. The time now is 10:01 PM.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
Forum Information
Online Users 57
Registered 1
Guests 56
Members 3144
Active Members 227
Threads 1575
Posts 6982
Top poster: Code Monkey (2193)
Welcome to our newest member, VbGuru
Most users ever online was 235, 04-11-2007 at 08:59 AM.
Advertising
Affiliates
Speak Out! vBulletin gets the web talking!


Partners
vBulletin Setup SEO

vBulletin graphics resource images

Modification Discussions -Contact Us - vBulletin Modder - Archive - Top