Kier
Fri 4th Nov '05, 3:46pm
JELSOFT SECURITY BULLETIN
http://www.vbulletin.com/
November 4th, 2005
This email contains important security-related information.
Please read it carefully.
* vBulletin 3.5.1, 3.0.10 & 2.3.8 Released
* Your License Information
* Contact Us
-------- VBULLETIN 3.5.1, 3.0.10 & 2.3.8 RELEASED --------
Newly discovered flaws in both Microsoft Internet Explorer
and PHP have necessitated a security release for all three
vBulletin branches.
The first flaw is in Microsoft Internet Explorer. It
affects vBulletin image uploads and potentially opens a
cross-site-scripting exploit. It has affected many
web-based applications that allow image uploads, including
phpBB and Hotmail. Although a fix from Microsoft would be
preferable, we have implemented a work-around in all three
branches of vBulletin to prevent the Internet Explorer flaw
from being exploited.
The second flaw is in PHP and may allow the entry of
unsanitized data into several areas in vBulletin. This may
create security holes that are not directly caused by
vBulletin, simply exploited through vBulletin as it uses
affected PHP code. PHP 4.4.1 has been released to address
this issue (no updated PHP5 is available yet). If you are
running PHP 4, it is strongly recommended that you update
your PHP installation to 4.4.1!
I'd just like to reiterate that neither of these flaws is
directly related to vBulletin. Rather, they are flaws in
software that ties into vBulletin. We are simply creating
workarounds for these issues to prevent them from being
exploited.
Patch files for vBulletin 3.5.0, 3.0.6 - 3.0.9 and
2.3.4 - 2.3.7 are attached to the release announcement thread
(see below), though we would recommend that you fully upgrade
your board rather than simply patch it wherever possible. The
zip files contain partial directory structures of the upload/
folder that would normally be found in the package you
downloaded from the members' area. You should simply download
the correct file for your board and extract it. Connect to
your server via FTP and upload the contents of the zip file
to your main board directory. This should overwrite files
already on your server -- if it does not, then your board
will not be patched!
The release announcement thread can be found here:
http://www.vbulletin.com/forum/showthread.php?t=161721
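The Internet Explorer flaw the bulletin refers to is IE's content sniffing: when a file served as an image begins with (or contains near its start) HTML markup, IE ignores the Content-Type and renders it as a page, so an attacker who can upload an "image" can run script in the forum's origin. The check below is an added example of the kind of server-side workaround an application can apply at upload time; it is not vBulletin's own code, and the byte window, marker list and function names are assumptions chosen for illustration.

```php
<?php
// Added example, not vBulletin's code: refuse uploads that a browser doing
// content sniffing could render as HTML. Assumptions: a 1024-byte window
// (larger than the window IE inspects, so erring on the safe side) and a
// marker list that is illustrative rather than exhaustive.

function starts_with_bytes($bytes, $prefix)
{
    return strncmp($bytes, $prefix, strlen($prefix)) === 0;
}

function has_valid_image_signature($bytes)
{
    // The file must begin with a genuine GIF, PNG or JPEG signature.
    return starts_with_bytes($bytes, "GIF87a")
        || starts_with_bytes($bytes, "GIF89a")
        || starts_with_bytes($bytes, "\x89PNG\r\n\x1a\n")
        || starts_with_bytes($bytes, "\xFF\xD8\xFF");
}

function looks_like_html($bytes)
{
    // A valid signature is not enough: the markup IE sniffs for can follow
    // the header, so the leading window is scanned for tag-like markers.
    $head = strtolower(substr($bytes, 0, 1024));
    $markers = array('<html', '<head', '<body', '<script', '<iframe',
                     '<object', '<embed', '<meta', '<title', '<table',
                     '<plaintext', '<img', '<a href', '<!--');
    foreach ($markers as $marker) {
        if (strpos($head, $marker) !== false) {
            return true;
        }
    }
    return false;
}

function is_safe_image_upload($bytes)
{
    return has_valid_image_signature($bytes) && !looks_like_html($bytes);
}

// Constructed samples: a GIF header followed by markup (the shape of file
// the IE flaw is abused with) and a GIF header followed by plain image data.
$hostile = "GIF89a" . "<html><script>alert(document.cookie)</script></html>";
$benign  = "GIF89a" . str_repeat("\x00", 64);

foreach (array('hostile' => $hostile, 'benign' => $benign) as $name => $data) {
    echo $name, ': ', is_safe_image_upload($data) ? "accepted\n" : "rejected\n";
}
```

Rejecting at upload time is only one side of the workaround; serving uploaded files from a separate hostname, or through a script that forces a download rather than inline rendering, limits what a file that slips through can do in the forum's own origin.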