The discovery of a serious security vulnerability in versions of vBulletin 3 up to and including 3.0.4 has necessitated the immediate release of a version to plug the hole.
The vulnerability affects anyone running vBulletin 3 on PHP 4 with register_globals enabled in php.ini.
This is a CRITICAL update, and urge all affected customers to upgrade vBulletin with the utmost urgency.
vBulletin 3.0.5 includes all the updates recently released as part of vBulletin 3.0.4, including a long list of fixes for minor annoyances and bugs found since version 3.0.3.
If you are running vB 3.0.0, 3.0.1, 3.0.2, 3.0.3 or 3.0.4 and are unable to upgrade immediately, we recommend that you download the init.php file attached to this message and overwrite the init.php in the includes folder of your existing vBulletin installation. This will patch the flaw. If you are running a RC or Beta version of vB 3, you will need to upgrade to 3.0.5 now. Note that this version of init.php supercedes the init.php patch available with the 3.0.4 release.
Important Warning About Sensitive Data
Due to the nature of the vulnerability discovered in vBulletin 3, and as part of our ongoing effort to maximize security, we must assume that one or all of the vBulletin servers may have been compromised.
Therefore, we would STRONGLY RECOMMEND that any customers who may have submitted sensitive data; such as vBulletin admin control panel or server login details, to Jelsoft staff in the past should take steps to alter these details, so that any information that may have been accessed by an unauthorized party could not be used.
We would like to reassure our customers that Jelsoft keeps NO RECORD of credit card numbers used in transactions, making it impossible for these details to be discovered or abused.
Additionally, steps have been taken and are ongoing to ensure that any potentially leaked data does not contain sensitive data.
Security Issues in PHP 4.3.9, 5.0.2 and Older
As we have mentioned before, a security issue was detected in PHP versions up to and including 4.3.9 and 5.0.2. Updated versions have been released by the PHP team.
The internet is currently crawling with worms hunting for vulnerable servers, with many sites having fallen foul of these bugs already. We would therefore remind our customers to upgrade to the latest versions of PHP as soon as possible.
The updated PHP versions, which fix the vulnerability are:
Backing Up Your Forums
Please be sure to check your backups, that they are complete before continuing with an upgrade. We had reports that PHP was causing time out errors when creating the back up SQL, and this was causing for incomplete or corrupted backups. The safest way to do a backup is to use the mysqldump utility through SSH/Telnet, as it will not suffer from any such problems. Full instructions for backing up your database are available in the vBulletin 3 Manual.
Installing or Upgrading vBulletin
Please see the appropriate manual sections: Installing vBulletin and Upgrading vBulletin.
Note: At approximately 11:25 PM (EST) on Jan 8th, the members' area package and the attached init.php were updated with this bug fix.