Last week I posted in another thread, and later also sent a PM to Bill, about the possibility that this forum might be running an insecure version of vBulletin and that a patch release has been released (as early as 4 Sep.). However, so far I have seen no reaction, no response from Bill to my PM, and no change to the version label in the forum footer. Unfortunately, in the absence of a valid response I fear this forum has been taken over somehow. Please prove me wrong!
Here is the vBulletin announcement; as you see, the flaw allows accounts to be compromised and hence, with enough privileges, could do things like deleting threads or implementing a new set of 'policies' to 'review' aka censor posts.
Quote:
vBulletin 3.7.3 PL1 and 3.6.11 PL1 Released
vBulletin 3.7.3 PL1 / vBulletin 3.6.11 PL1
A report was published recently pointing to potential flaws within the random number generator in PHP applications that use a weak seed and then go on to disclose any of the random numbers generated. This flaw could allow random numbers within vBulletin to be predicted and, under the correct circumstances, allow an attacker to obtain access to a user's account. To resolve this issue, it is necessary to release patch level versions of vBulletin 3.7.3 and 3.6.11.
This original flaw was discovered by Stefan Esser and its application within vBulletin by Tom Harwood.
The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.
As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.
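To make the advisory's wording concrete ("a weak seed and then go on to disclose any of the random numbers generated"), here is an added, constructed Python model of that pattern alongside the hardened form. It is not vBulletin or PHP code and makes no claim about vBulletin's internals; the seed window, the six-digit public value and the 16-character token are assumptions chosen for illustration. The audit functions answer a defender's question: does a value the application shows to everyone, combined with a guessable seed space, pin down a value that was supposed to stay secret?

```python
import random
import secrets
import string
from typing import Iterable, List, Tuple

ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 16


def weak_session(seed: int) -> Tuple[int, str]:
    """Constructed model of the advisory's weak pattern: one PRNG seeded with a
    low-entropy value (for example the clock in seconds) produces both a value
    that is shown to the user and a token that must stay secret."""
    rng = random.Random(seed)
    public_id = rng.randrange(1_000_000)          # disclosed, e.g. in a page or URL
    secret_token = "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))
    return public_id, secret_token


def strong_session() -> Tuple[int, str]:
    """Hardened form: values come from the OS CSPRNG via `secrets`, which has
    no application-chosen seed and does not let one output reveal the next."""
    public_id = secrets.randbelow(1_000_000)
    secret_token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))
    return public_id, secret_token


def seeds_consistent_with(public_id: int, seed_candidates: Iterable[int]) -> List[int]:
    """Audit check: which seeds in the assumed seed space reproduce the disclosed
    public value? A short list means the secret token is effectively determined
    by public data plus the size of the seed space."""
    return [
        s for s in seed_candidates
        if random.Random(s).randrange(1_000_000) == public_id
    ]


def secret_is_predictable(public_id: int, secret_token: str,
                          seed_candidates: Iterable[int]) -> bool:
    """True when every seed consistent with the public value also yields the
    secret token, i.e. the token adds no secrecy beyond the (weak) seed.
    For a CSPRNG-backed session this is expected to be False."""
    seeds = seeds_consistent_with(public_id, list(seed_candidates))
    return bool(seeds) and all(weak_session(s)[1] == secret_token for s in seeds)


if __name__ == "__main__":
    # Constructed scenario: the seed is a Unix timestamp known to within +/- 5 minutes.
    true_seed = 1_700_000_000
    window = range(true_seed - 300, true_seed + 300)

    pub, tok = weak_session(true_seed)
    print("weak generator, secret determined by public data:",
          secret_is_predictable(pub, tok, window))

    spub, stok = strong_session()
    print("CSPRNG generator, secret determined by public data:",
          secret_is_predictable(spub, stok, window))
```

The fix the advisory describes is the second half of this: tokens that guard account access must come from a generator with no guessable seed (in PHP today that means `random_bytes()` / `random_int()` rather than a seeded `mt_rand()`), and no value drawn from the same stream as a secret should ever be displayed.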