vBulletin 3.5.8 Released

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • Kier
    Former Lead Developer, vBulletin
    • Sep 2000
    • 8179
    #1

    vBulletin 3.5.8 Released

    vBulletin 3.5.8

    This morning, an exploit was reported, which affects vBulletin versions 3.5.x and 3.6.x. Although the report is inaccurate and the published exploit does not work as claimed unless a highly unlikely set of circumstances exist, it has highlighted a potential security issue in these vBulletin versions.

    Therefore, we have decided to release updated versions, these being vBulletin 3.5.8 and 3.6.5. We recommend that all customers running vBulletin 3.5.x or 3.6.x upgrade to the appropriate version or apply the supplied patch as soon as possible.

    It is worth noting that in order to exploit the problem highlighted by the report, the attacking user must satisfy the following conditions:
    • Must already have moderator privileges
    • Must share the same IP address as an existing administrator who is currently logged in to the Admin Control Panel
    • Must know the Alt-IP and user agent (exact browser identification) of the administrator
    • OR must know the license number of the site being attacked
    Given these requirements, the privilege escalation exploit claimed by the report is almost impossible to achieve.


    Updating your vBulletin to Fix the Potential Exploit


    There are two ways in which you can fix the potential exploit in your version of vBulletin:
    1. Full Upgrade: The best way to fix the problem is to perform a full upgrade by downloading the complete 3.5.8 package from the vBulletin Members' Area and following the regular upgrade instructions.
    2. Patch: A second option is to download the patch files discussed in this thread and upload them to your web server, overwriting the existing files. The patch is available from the Members' Area patch page or you can find it attached to this thread.
    Tags: None
    • Kier
      Former Lead Developer, vBulletin
      • Sep 2000
      • 8179
      #2
      Patching instructions

      Patches are now available in the members' area. You may view available patches here. Alternatively, you may use the zip attached to this post to apply the patch. Both methods are equivalent.

      Go to the page mentioned above and download the "Security patch for 3.5.7" or download the zip at the end of this post. Extract the zip archive, then connect to your web server using FTP and overwrite the following files using the replacement versions from the zip.
      • inlinemod.php

      Notes:
      1. If you cannot download the attachment in this post, you are not currently registered as a license customer. Please see this thread for instructions on how to proceed.
      2. You do not need to download this patch if you perform a full upgrade to 3.5.8.
      3. If you only apply a patch, your version number will not change. Your version number will only be updated to 3.5.8 if you perform a full upgrade.
      Attached Files

        Comment

        • Kier
          Former Lead Developer, vBulletin
          • Sep 2000
          • 8179
          #3
          Files & Templates Changed Since 3.5.7
          • inlinemod.php
          • admincp/attachment.php
          • includes/class_core.php
          • install/ - assume it's all changed

          There are no changed templates since 3.5.7.

            Comment

            • Kier
              Former Lead Developer, vBulletin
              • Sep 2000
              • 8179
              #4
              Discussion Thread

              To discuss the release of vBulletin 3.5.8, please use the following thread:
              vBulletin 3.5.8 Discussion Thread

                Comment

                Previous template Next
                widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                Working...