vBulletin 3.6.5 - An early release - Forums Help - vBulletin, IPB, phpBB, SMF skins and community

ForumsHelp · 03-01-2007, 04:16 PM

According to vBulletin.org and vBulletin.com, a bug has been reported that affects both vb 3.6.x and 3.5.x versions, and as a fast reaction to this bug, two new versions have been released, these versions are vBulletin 3.6.5 and vBulletin 3.5.8.

Although the bug reported can hardly affect forums and needs a lot of circumstances but it's adviced to upgrade now in order to make sure that your forum is safe.
The circumstances needed for this bug need the attacker to have:

Must already have moderator privileges
Must share the same IP address (or the number of IP octets specified in the Admin Control Panel for IP address matching) with an existing administrator who is currently logged in to the Admin Control Panel
Must know the Alt-IP and user agent (exact browser identification) of the administrator
OR must know the license number of the site being attacked

Given these requirements, the privilege escalation exploit claimed by the report is almost impossible to achieve.

And due to the early release, this version lacked some updates and fixes that were expected in vBulletin 3.6.5 but in the meanwhile it has a good number of fixes, which are:
Bugs Fixed in vBulletin 3.6.5

The Security Flaw

The reported security flaw described in this announcement, which could potentially allow a SELECT query to be hijacked, has been addressed.

Safari Cookies

A problem where users of the Apple browser Safari would be logged off the system prematurely when vBulletin runs on specific servers has been resolved.
More info...

Internet Explorer 7 Compatability

Much has been said about Microsoft's decision to make the Javascript prompt() function throw a security warning whenever it is called. This change resulted in vBulletin's text editor system throwing security warnings whenever a user tried to insert an image or an email link. The use of prompt() for Internet Explorer 7 users has now been discontinued in favour of an alternative method of collecting user input.
More info...

Additionally, improvements in Internet Explorer 7 mean that certain aspects of the vBulletin pop-up menu system, which were previously required to circumvent rendering issues, can now be bypassed. Most notable amongst these is the code that hides all <select> elements that would intersect with the menu when opened.

Fix for Infractions Bug

A problem where infraction expiration was not cleaned-up properly has been addressed.
More info...

Workaround for a FreeBSD Regular Expression Error on Login

Some users running recent versions of PHP running on FreeBSD have encountered a bug in the regular expression engine that caused an error to be shown when logging in. We have worked around this problem. However, it may still appear in other areas, so we are trying to find a proper fix for the issue.

Updating your vBulletin to Fix the Potential Exploit

There are two ways in which you can fix the potential exploit in your version of vBulletin:

Full Upgrade: The best way to fix the problem is to perform a full upgrade by downloading the complete 3.6.5 package from the vBulletin Members' Area and following the regular upgrade instructions.
Patch: A second option is to download the patch files discussed in this thread and upload them to your web server, overwriting the existing files. The patch is available from the Members' Area patch page or you can find it attached to this thread.

Please note that vBulletin 3.6.5 requires at least PHP 4.3.3 and MySQL 4.0.16 or later.

tsho44 · 04-26-2007, 09:34 PM

thanks for the notes.

03-01-2007, 04:16 PM	#1 (permalink)
User Profile ForumsHelp Senior Member Join Date: Apr 2006 Age: 32 Posts: 968 Total Points: 294,373 Donate My Zoints Profile My Photos: (1) My Mood:	vBulletin 3.6.5 - An early release According to vBulletin.org and vBulletin.com, a bug has been reported that affects both vb 3.6.x and 3.5.x versions, and as a fast reaction to this bug, two new versions have been released, these versions are vBulletin 3.6.5 and vBulletin 3.5.8. Although the bug reported can hardly affect forums and needs a lot of circumstances but it's adviced to upgrade now in order to make sure that your forum is safe. The circumstances needed for this bug need the attacker to have: Must already have moderator privileges Must share the same IP address (or the number of IP octets specified in the Admin Control Panel for IP address matching) with an existing administrator who is currently logged in to the Admin Control Panel Must know the Alt-IP and user agent (exact browser identification) of the administrator OR must know the license number of the site being attacked Given these requirements, the privilege escalation exploit claimed by the report is almost impossible to achieve. And due to the early release, this version lacked some updates and fixes that were expected in vBulletin 3.6.5 but in the meanwhile it has a good number of fixes, which are: Bugs Fixed in vBulletin 3.6.5 The Security Flaw The reported security flaw described in this announcement, which could potentially allow a SELECT query to be hijacked, has been addressed. Safari Cookies A problem where users of the Apple browser Safari would be logged off the system prematurely when vBulletin runs on specific servers has been resolved. More info... Internet Explorer 7 Compatability Much has been said about Microsoft's decision to make the Javascript prompt() function throw a security warning whenever it is called. This change resulted in vBulletin's text editor system throwing security warnings whenever a user tried to insert an image or an email link. The use of prompt() for Internet Explorer 7 users has now been discontinued in favour of an alternative method of collecting user input. More info... Additionally, improvements in Internet Explorer 7 mean that certain aspects of the vBulletin pop-up menu system, which were previously required to circumvent rendering issues, can now be bypassed. Most notable amongst these is the code that hides all <select> elements that would intersect with the menu when opened. Fix for Infractions Bug A problem where infraction expiration was not cleaned-up properly has been addressed. More info... Workaround for a FreeBSD Regular Expression Error on Login Some users running recent versions of PHP running on FreeBSD have encountered a bug in the regular expression engine that caused an error to be shown when logging in. We have worked around this problem. However, it may still appear in other areas, so we are trying to find a proper fix for the issue. Updating your vBulletin to Fix the Potential Exploit There are two ways in which you can fix the potential exploit in your version of vBulletin: Full Upgrade: The best way to fix the problem is to perform a full upgrade by downloading the complete 3.6.5 package from the vBulletin Members' Area and following the regular upgrade instructions. Patch: A second option is to download the patch files discussed in this thread and upload them to your web server, overwriting the existing files. The patch is available from the Members' Area patch page or you can find it attached to this thread. Please note that vBulletin 3.6.5 requires at least PHP 4.3.3 and MySQL 4.0.16 or later. __________________ vB Alien Custom vBulletin Skin Design & vBulletin Services

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

04-26-2007, 09:34 PM	#2 (permalink)
User Profile tsho44 Junior Member Join Date: Apr 2007 Posts: 1 Total Points: 175 Donate My Zoints Profile My Photos: (0)	thanks for the notes.