In the wake of PHP vulnerabilities, and recent attacks by the Santy Worm, vBulletin have quickly released version 3.0.5 of their popular forum software.
Referring to this as a "critical" update, it is intended to replace all versions up to 3.0.4, which is reported to contain a serious security vulnerability.
PHPBB, a free open-source forum software, was recently targeted by a worm that used search engines to track down phpbb forums, before injecting malicious code into unpatched versions.
JELSOFT SECURITY BULLETIN
http://www.vbulletin.com/
January 7th, 2005
This email contains important security-related information.
Please read it carefully.
* vBulletin 3.0.4 / 3.0.5 Released
* Important Warning About Sensitive Data
* Security Issues in PHP 4.3.9, 5.0.2 & Older
* Your License Information
* Contact Us
------------ VBULLETIN 3.0.4 / 3.0.5 RELEASED ------------
The discovery of a serious security vulnerability in
versions of vBulletin 3 up to and including 3.0.4 has
necessitated the immediate release of a version to plug
the hole. This is a CRITICAL update, and we urge all
customers running affected software to upgrade vBulletin
with the utmost urgency.
vBulletin 3.0.5 includes all the updates recently released
as part of vBulletin 3.0.4, including a long list of fixes
for minor annoyances and bugs found since version 3.0.3.
vBulletin 3.0.5 is available for immediate download from
the vBulletin Members' Area.
http://www.vbulletin.com/members/
If you are unable to upgrade immediately, you should at
least download the patched version of includes/init.php
from the release announcement thread and replace your
existing version with it.
Please read the announcement for upgrade and installation
instructions, as well as the list of bugs fixed and other
changes:
http://www.vbulletin.com/forum/showthread.php?t=125480
--------- IMPORTANT WARNING ABOUT SENSITIVE DATA ---------
Due to the nature of the vulnerability discovered in
vBulletin 3, and as part of our ongoing effort to maximize
security, we must assume that one or all of the vBulletin
servers may have been compromised.
Therefore, we would STRONGLY RECOMMEND that any customers
who may have submitted sensitive data; such as vBulletin
admin control panel or server login details, to Jelsoft
staff in the past should take steps to alter these details,
so that any information that may have been accessed by an
unauthorized party could not be used.
We would like to reassure our customers that Jelsoft keeps
NO RECORD of credit card numbers used in transactions,
making it impossible for these details to be discovered or
abused.
Additionally, steps have been taken and are ongoing to
ensure that any potentially leaked data does not contain
sensitive data.
------ SECURITY ISSUES IN PHP 4.3.9, 5.0.2 & OLDER -------
The PHP development team recently released PHP 4.3.10 and
5.0.3 in order to patch serious security issues in previous
versions.
With the emergence of malicious code such as the
Santy/NeverEverNoSanity worms, which are responsible for
defacing and damaging a large number of sites, we join with
the PHP team in advising all customers running PHP versions
older than 4.3.10 or 5.0.3 to upgrade as soon as possible
to one of the patched versions.
