01-22-2005, 01:17 AM
Senior Member. Join Date: Jun 2003. Location: Naperville, Illinois. Posts: 1,786

New vBulletin Security Update

Direct from an email I just received:

Quote:
JELSOFT SECURITY BULLETIN http://www.vbulletin.com/
January 21st, 2005
This email contains important security-related information.
Please read it carefully.
* vBulletin 3.0.6 / 2.3.6 Released
* Performance Hit Since PHP 4.3.10 / 5.0.3
* Your License Information
* Contact Us
------------ VBULLETIN 3.0.6 / 2.3.6 RELEASED ------------
vBulletin 3.0.6 and 2.3.6 are security and bug fix releases. They fix a recently discovered XSS issue regarding BB code parsing.
All versions of vBulletin prior to 3.0.6 and 2.3.6 are vulnerable. The only workaround is to disable BB code parsing in signatures and all forums where untrusted users can post.
We strongly urge all customers to either fully upgrade or patch their installations as soon as possible. A patch is available for includes/functions_bbcodeparse.php (vBulletin 3) and admin/functions.php (vBulletin 2).
Overwrite the version on your server with the file in the appropriate zip. The patch(es) can be downloaded from here: http://www.vbulletin.com/forum/showthread.php?t=127027
After a full upgrade your forum will once again be secure.
If you would rather simply patch your forum, please take note of the following:
Board is running vBulletin 2.3.5 or earlier
- Download patch for 2.3.5
- Overwrite admin/functions.php
Board is running vBulletin 3.0.4 or earlier
- Download patches for 3.0.5 and 3.0.6
- Overwrite includes/init.php
- Overwrite includes/functions_bbcodeparse.php
- Overwrite private.php
Board is running vBulletin 3.0.5
- Download patch for 3.0.6
- Overwrite includes/functions_bbcodeparse.php
Once you have performed the steps outlined above, your board will be secure.
We would again like to reiterate that security is our primary concern. In the past weeks, there have been several reports of security issues in vBulletin that have prompted the recent releases. We realize that these releases can be a burden on you. For that, we are sorry, but once we have become aware of a security issue, it is our duty to provide a fix to that issue. We are also performing internal security audits and looking into changes to our core systems to prevent issues such as these from occurring in the future.
Please read the announcement for upgrade and installation instructions, as well as the list of bugs fixed and other changes: http://www.vbulletin.com/forum/showthread.php?t=127027
-------- PERFORMANCE HIT SINCE PHP 4.3.10 / 5.0.3 --------
Many people have noticed that vBulletin (and a lot of other PHP applications) suddenly started to run significantly slower than normal after installing PHP 4.3.10 or 5.0.3 in order to patch the security flaw in previous versions of PHP.
The cause of this slow-down has been identified as a problem with the unserialize() function in PHP. For more details, see http://bugs.php.net/bug.php?id=31332.
This problem has now been fixed by the PHP developers, though the fixed version has yet to be released in a 'stable' version. However, the latest CVS snapshots of PHP 4.3.x and 5.0.x, available from http://snaps.php.net contain the fix and restore the original speed of unserialize().
While we would not recommend running a 'dev' version of PHP on any production server, we understand that the performance problem has been a major issue for some people.
If you are badly affected, you may want to consider running a 'dev' version of PHP at your own risk in order to overcome the performance problem.

Source: NamePros.com http://www.namepros.com/the-break-room/66215-new-vbulletin-security-update.html
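The bulletin above names the problem only as an XSS issue in BB code parsing and gives no detail beyond which files are patched, so the following is an added illustration of the vulnerability class and its two standard defences, not the vBulletin bug itself, not vBulletin's code and not part of the original post. The Python renderer below HTML-escapes all user text before any BB code tag is interpreted, treats the `[url=...]` target as untrusted (only http/https URLs with a host become links; anything else is dropped and the visible label kept), and re-escapes the validated URL for the `href` attribute context. The `parse_bbcode=False` switch corresponds to the bulletin's workaround of turning BB code parsing off. The tag set, function names and sample inputs are all constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Added example, not vBulletin code: a deliberately small BB code renderer in
# which every byte of user input is HTML-escaped *before* any tag is parsed.
# The tag set ([b], [i], [url=...]) and all names here are constructed.

SAFE_URL_SCHEMES = {"http", "https"}

# These patterns run against already-escaped text, so a literal '"' typed by
# the user shows up as &quot; (hence the optional &quot; around the URL).
_BOLD = re.compile(r"\[b\](.*?)\[/b\]", re.IGNORECASE | re.DOTALL)
_ITALIC = re.compile(r"\[i\](.*?)\[/i\]", re.IGNORECASE | re.DOTALL)
_URL = re.compile(
    r"\[url=(?:&quot;)?([^\]]*?)(?:&quot;)?\](.*?)\[/url\]",
    re.IGNORECASE | re.DOTALL,
)


def safe_url(raw_attr):
    """Return an attribute-safe href for an allowed http(s) URL, else None.

    raw_attr was cut out of escaped text, so it is unescaped once, validated
    on the real value, and then re-escaped for the href="..." context.
    """
    url = html.unescape(raw_attr).strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in SAFE_URL_SCHEMES or not parts.netloc:
        return None
    return html.escape(url, quote=True)


def render(text, parse_bbcode=True):
    """Render user-supplied text to HTML.

    parse_bbcode=False mirrors the bulletin's workaround (BB code parsing
    disabled): the text is escaped and returned with no tag handling at all.
    """
    escaped = html.escape(text, quote=True)  # step 1: neutralise raw HTML
    if not parse_bbcode:
        return escaped

    # step 2: interpret only whitelisted tags, and only on the escaped text,
    # so nothing the user typed can ever reach the output unescaped.
    out = _BOLD.sub(r"<b>\1</b>", escaped)
    out = _ITALIC.sub(r"<i>\1</i>", out)

    def _link(match):
        href = safe_url(match.group(1))
        label = match.group(2)
        if href is None:
            return label  # unsafe target: keep the visible text, drop the link
        return f'<a href="{href}">{label}</a>'

    return _URL.sub(_link, out)


if __name__ == "__main__":
    # Constructed sample posts: benign markup, raw HTML, a non-http link
    # target, and a URL that tries to break out of the href attribute.
    samples = [
        "Hello [b]world[/b] <script>alert(1)</script>",
        "[url=javascript:alert(1)]click[/url]",
        '[url="https://example.com/?a=1&b=2"]site[/url]',
        '[url=https://example.com/"onmouseover="x]t[/url]',
    ]
    for sample in samples:
        print(repr(sample), "->", render(sample))
        print("  (parsing off) ->", render(sample, parse_bbcode=False))
```

The order of operations is the whole point: escaping first and parsing second means a tag's body can only ever contain text that is already inert, and the attribute path is the one place where user data is reinterpreted, so it gets its own validation and its own context-specific escaping.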