vBulletin Vulnerability

JELSOFT SECURITY BULLETIN
http://www.vbulletin.com/
January 7th, 2005

This email contains important security-related information.
Please read it carefully.

* vBulletin 3.0.4 / 3.0.5 Released
* Important Warning About Sensitive Data
* Security Issues in PHP 4.3.9, 5.0.2 & Older
* Your License Information
* Contact Us

------------ VBULLETIN 3.0.4 / 3.0.5 RELEASED ------------

The discovery of a serious security vulnerability in versions of vBulletin 3 up to and including 3.0.4 has necessitated the immediate release of a version to plug the hole. This is a CRITICAL update, and we urge all customers running affected software to upgrade vBulletin with the utmost urgency.

vBulletin 3.0.5 includes all the updates recently released as part of vBulletin 3.0.4, including a long list of fixes for minor annoyances and bugs found since version 3.0.3.

vBulletin 3.0.5 is available for immediate download from the vBulletin Members' Area.
http://www.vbulletin.com/members/

If you are unable to upgrade immediately, you should at least download the patched version of includes/init.php from the release announcement thread and replace your existing version with it.

Please read the announcement for upgrade and installation instructions, as well as the list of bugs fixed and other
changes:

http://www.vbulletin.com/forum/showthread.php?t=125480

--------- IMPORTANT WARNING ABOUT SENSITIVE DATA ---------

Due to the nature of the vulnerability discovered in vBulletin 3, and as part of our ongoing effort to maximize security, we must assume that one or all of the vBulletin servers may have been compromised.

Therefore, we would STRONGLY RECOMMEND that any customers who may have submitted sensitive data; such as vBulletin admin control panel or server login details, to Jelsoft staff in the past should take steps to alter these details, so that any information that may have been accessed by an unauthorized party could not be used.

We would like to reassure our customers that Jelsoft keeps NO RECORD of credit card numbers used in transactions, making it impossible for these details to be discovered or abused.

Additionally, steps have been taken and are ongoing to ensure that any potentially leaked data does not contain sensitive data.

------ SECURITY ISSUES IN PHP 4.3.9, 5.0.2 & OLDER -------

The PHP development team recently released PHP 4.3.10 and
5.0.3 in order to patch serious security issues in previous versions.

With the emergence of malicious code such as the Santy/NeverEverNoSanity worms, which are responsible for defacing and damaging a large number of sites, we join with the PHP team in advising all customers running PHP versions older than 4.3.10 or 5.0.3 to upgrade as soon as possible to one of the patched versions.

Click to expand...