
A security hole involving a CSRF (cross-site request forgery) vulnerability was reported to us over the weekend, requiring changes to significant numbers of templates and files in all of our products including vBulletin 3.x, Blog and Project Tools. The CSRF problem potentially enabled an administrator who had been lured to a third-party site to unknowingly submit forms located on the forum he or she administers, resulting in potential damage to the forum. Actions performed via the Admin Control Panel are not vulnerable.
Incidentally, this vulnerability is not unique to vBulletin - many web applications are affected and always have been, due to the very nature of the web.
It was decided that rather than push ahead and release 3.7.0, it would be better to roll out a further release candidate containing the fix for this problem, as the changes are widespread and it would not be prudent to label 3.7.0 as ’stable’ before it has had at least one outing in pre-release form.
As we release vBulletin 3.7.0 Release Candidate 4, we are simultaneously releasing 3.6.10, which contains various bug fixes back-ported from 3.7.0, and of course the fix for the security problem. New versions of Blog and Project Tools will follow shortly in the coming days.
Unfortunately, due to the number of file and template changes required by the security fix, it is not practical to provide a patch or plugin to resolve the problem - only a full-scale upgrade will be sufficient.
We recommend that all customers upgrade as soon as possible.
Customers running 3.7.x should upgrade to 3.7.0 RC4.
Customers running 3.6.9 or earlier should upgrade to 3.6.10.
To all those who have been expecting to download vBulletin 3.7.0 ‘Gold’ this week, we are sorry. We hope that the fact that we would rather delay a major, pre-announced release than put out software with known vulnerabilities illustrates our commitment to security.
If testing of this release candidate goes well, we will once again be looking at a stable release next week.
PHP and MySQL Recommendations
We recommend that vBulletin 3.7 be run on PHP 5.2.5 with APC (or a similar opcode cache) and MySQL 5.0.51 for best performance and stability.
One Response to “vBulletin 3.7.0 Release Candidate 4”
April 23rd, 2008 at 10:00 pm
Except for a few quick edits, that was a fast upgrade. The vB team is making the upgrade script better and better; this time it can handle the auto-update for the CSRF (cross-site request forgery) vulnerability for all custom templates.
It took me only a few minutes to add the new security check to vbsed too. What does it actually do?
It checks if a POST request is done, and it checks for a hidden input that they added in every form which has a unique value for each user, so if you are not yourself there is pretty much no way to bypass this check. Unless of course you are a lazy admin who likes to forget his cookies in some net cafe. In that case, do yourself a favor and close your site, today.
vBulletin had a security check for POST requests from third-party domains, but it wasn't secure enough; God bless PHP global variables.
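The following is an added example, written for this page and not code from vBulletin or from the commenter above, that models both the vulnerability described in the announcement (a POST that only needs the admin's cookie to be accepted) and the fix the comment describes (a hidden per-session token checked on every POST). The `Session`, `Request`, `securitytoken` field name and the form action path are all hypothetical stand-ins; the point is the contrast between the two handlers and why a forged cross-site submission fails only against the second one.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Constructed stand-in for a logged-in forum session (hypothetical model).
    The token is generated per session, so it differs for every user."""
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """Constructed HTTP request: method, cookie-bound session, and form fields."""
    method: str
    session: Optional[Session]
    form: dict


def handle_post_vulnerable(req: Request) -> str:
    """Pre-fix behaviour: any POST carrying a valid session cookie is acted on.
    A third-party page can trigger this because the browser sends the cookie."""
    if req.method != "POST" or req.session is None:
        return "ignored"
    return f"user {req.session.user_id} performed {req.form.get('do')}"


def handle_post_fixed(req: Request) -> str:
    """Post-fix behaviour: the POST must also carry the session's hidden token."""
    if req.method != "POST" or req.session is None:
        return "ignored"
    submitted = req.form.get("securitytoken", "")  # field name is an assumption
    # Constant-time comparison so the check leaks nothing about the expected value.
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        return "rejected: bad or missing token"
    return f"user {req.session.user_id} performed {req.form.get('do')}"


def render_form(session: Session) -> str:
    """The forum's own page embeds the session's token as a hidden input.
    Only a page served by the forum can do this, since only it knows the token."""
    return (
        '<form method="post" action="/editpost.php">'  # hypothetical front-end action
        f'<input type="hidden" name="securitytoken" value="{session.csrf_token}">'
        '<input type="hidden" name="do" value="deletepost">'
        '<input type="hidden" name="postid" value="42">'
        "</form>"
    )


def attacker_page_form() -> dict:
    """Fields an attacker's third-party page can auto-submit to the forum.
    The victim's browser attaches the forum cookie, but the attacker cannot read
    the token out of the victim's forum pages (same-origin policy), so it is absent."""
    return {"do": "deletepost", "postid": "42"}


def demo() -> dict:
    """Run the forged, legitimate and wrong-user submissions through both handlers."""
    admin = Session(user_id=1)
    other = Session(user_id=2)  # another user's token must not work for the admin
    forged = Request("POST", admin, attacker_page_form())
    legit_fields = {"securitytoken": admin.csrf_token, "do": "deletepost", "postid": "42"}
    legit = Request("POST", admin, legit_fields)
    wrong_user = Request("POST", admin, {**legit_fields, "securitytoken": other.csrf_token})
    return {
        "vulnerable_forged": handle_post_vulnerable(forged),
        "fixed_forged": handle_post_fixed(forged),
        "fixed_other_user_token": handle_post_fixed(wrong_user),
        "fixed_legit": handle_post_fixed(legit),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The forged request succeeds against the vulnerable handler and is rejected by the fixed one, as is a request that carries a token belonging to a different session; only the form the forum itself rendered for that session passes. This also illustrates the commenter's caveat: the token lives in the page and the session, so an attacker who has the victim's live session (an abandoned net cafe login) can simply load the form and read the token, which no CSRF check can prevent.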

