vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Forum and Server Management (https://vborg.vbsupport.ru/forumdisplay.php?f=232)
-   -   HACKED - Make sure you are secure (https://vborg.vbsupport.ru/showthread.php?t=210273)

mykes 04-09-2009 11:17 AM

Quote:

Originally Posted by Dismounted (Post 1787083)
That's why vBulletin introduced CSRF protection. ;)

Indeed. It's a good reason to always keep your vb3 up to date, version-wise (to get these kinds of fixes). Though installed hacks and mods that don't have CSRF built in are giant security holes.

Two mods I'd love to see, but haven't found here are:

1) Allow trusted users (e.g. by user group) to post HTML in forums. Right now, you can turn on HTML in one or more forums, but globally for all users.
2) Fix the HTML posting so it strips out script tags and other potentially malicious things (img with src=something.php?args - get rid of ?args)
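Added example, not part of the original post and not vBulletin's own parser: a small allow-list HTML filter in Python that does what request 2 asks for (drops `<script>` and similar elements together with their contents, throws away every attribute that is not allow-listed, rejects `javascript:` and other non-http(s) URLs, and strips `?args` from `<img src=...>`), plus a per-usergroup switch for request 1. The tag and attribute lists, the group-id check in `render_post`, and the choice to keep the query string on `<a href>` while stripping it on `<img src>` are assumptions for illustration.

```python
"""Allow-list HTML filter for posts from trusted usergroups.
Added example, not vBulletin's own parser; tag/attribute lists and the
usergroup check are assumptions for illustration."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "img", "ul", "ol", "li",
                "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # tag and body both go
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}


def clean_url(url, strip_query):
    """Keep only http(s) URLs; for <img> also drop ?args and #fragment."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in SAFE_SCHEMES:
        return None  # javascript:, data:, vbscript: ... are all rejected
    if strip_query:
        parts = parts._replace(query="", fragment="")
    return urlunsplit(parts)


class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # > 0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tag: element removed, its text content kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # on*, style, and anything else not allow-listed
            value = value or ""
            if name in ("href", "src"):
                value = clean_url(value, strip_query=(tag == "img"))
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def sanitize_post(html):
    """Return the post with only allow-listed markup; everything else is escaped or dropped."""
    p = PostSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


def render_post(html, user_groups, html_groups):
    """Per-usergroup switch: trusted groups get filtered HTML, everyone else gets it escaped."""
    if set(user_groups) & set(html_groups):
        return sanitize_post(html)
    return escape(html, quote=False)


if __name__ == "__main__":
    print(sanitize_post('<img src="http://img.example/i.php?a=1" onerror="x()">'))
    print(render_post("<b>hi</b>", user_groups=[2], html_groups=[6]))
```

The filter is an allow-list on purpose: a deny-list of "bad" tags misses the next trick, whereas here anything not explicitly permitted (unknown tags, every `on*` handler, `style`, non-http(s) schemes) simply never reaches the output.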

Dismounted 04-09-2009 11:52 AM

Quote:

Originally Posted by mykes (Post 1787273)
img with src=something.php?args - get rid of ?args

vBulletin already allows for this, inside vBulletin Options.

StructuralNet 04-09-2009 06:56 PM

I guess the same would go with this code then? Looks like an
Code:

<html><body><script>alert('SwZNd');</script></body></html>

I found that in a PNG file on one of my clients' accounts, along with a .zip file and a full directory of helpdesk software, along with a new database for that program.

Dismounted 04-10-2009 03:44 AM

Anything that looks like that generally isn't good. ;)

StructuralNet 04-10-2009 10:42 AM

Quote:

Originally Posted by Dismounted (Post 1787919)
Anything that looks like that generally isn't good. ;)

Yuppp... I found that in a PNG file on two of my clients' sites. Their sites had been running for well over a year with no problem, but as soon as I changed hosts it hit the fan. One of the programs installed a helpdesk on their account, and even had access to MySQL.

What does that code do, pretty much the same as above? Access a file in tmp to great un rooted access?

Dumped that host like it's hot.

Dismounted 04-10-2009 11:25 AM

The code above doesn't do anything. It's just "test" script.
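Whether or not that particular snippet executes, a file that is named `.png` but starts with HTML and carries a `<script>` tag is exactly the kind of thing worth hunting for in an upload directory. Added example, not part of the thread and not vBulletin code: a Python scanner that compares each file's leading bytes with what its extension promises and flags script/PHP markers. The magic-byte table, marker list and the constructed sample files (including one with the thread's own `alert('SwZNd')` string) are assumptions for illustration.

```python
"""Flag files in an upload tree whose content disagrees with their extension
or that carry script/PHP markers. Added example; sample files are constructed."""
import os
import tempfile

# Leading bytes an honest image of each type must start with (assumed table)
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
# Markers that have no business inside an image (assumed list)
MARKERS = (b"<script", b"<?php", b"<?=", b"base64_decode(")


def inspect_file(path):
    """Return a list of findings for one file; empty list means nothing suspicious."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # first MiB covers headers and typical payloads
    findings = []
    magic = MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):  # startswith accepts a tuple
        findings.append("header does not match %s" % ext)
    lowered = data.lower()
    for marker in MARKERS:
        if marker in lowered:
            findings.append("contains %s" % marker.decode())
    return findings


def scan_tree(root):
    """Walk root and map each suspicious file (relative path) to its findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            findings = inspect_file(path)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def demo():
    """Constructed upload directory: one real-looking PNG, one fake PNG, one JPEG with PHP."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "good.png"), "wb") as fh:
        fh.write(MAGIC[".png"] + b"\x00" * 32)
    with open(os.path.join(root, "evil.png"), "wb") as fh:
        fh.write(b"<html><body><script>alert('SwZNd');</script></body></html>")
    with open(os.path.join(root, "marker.jpg"), "wb") as fh:
        fh.write(MAGIC[".jpg"] + b"\x00" * 8 + b"<?php /* constructed marker */ ?>")
    return scan_tree(root)


if __name__ == "__main__":
    for rel, findings in sorted(demo().items()):
        print(rel, "->", "; ".join(findings))
```

Run it over the forum's attachment and avatar directories (and the customavatars/customprofilepics paths) rather than just the web root; a clean header with a marker further in, like the `marker.jpg` case, is why the scan reads the body and not only the first few bytes.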

StructuralNet 04-10-2009 01:39 PM

Quote:

Originally Posted by Dismounted (Post 1788150)
The code above doesn't do anything. It's just "test" script.

Well, somehow that image and that helpdesk were installed on the same day. That site was open for at least a year - 2 weeks after I moved to a new host is when my vb forum got hacked and my clients' sites were hacked.

No security at all, apparently.

|Jordan| 04-12-2009 05:19 AM

How do you secure the tmp dir? chown it?

Angel-Wings 04-12-2009 07:45 PM

Quote:

Originally Posted by |Jordan| (Post 1789425)
How do you secure the tmp dir? chown it?

Simple answer - use a different temp dir than the default /tmp one, chown / chmod that one and make sure anything active (PHP, SSI) isn't active there.
Related to the VPS issue and the "It's up to you" statement - that's only partially right. VPS run inside a virtual environment and if the hoster doesn't care about security updates it's possible - hard but possible - to break out from a VPS on the real server and from there, well, you can do everything.
Back to the "tmp dir" - set in php.ini a tempdir, outside the webroot of course and ensure your Webserver doesn't serve that directory.
And related to this base64 - I highly recommend reading some manuals about a "secure as possible" PHP setup. Just because it's set in the default php.ini, it doesn't mean it's good to be kept ;)

|Jordan| 04-13-2009 02:58 AM

Quote:

Originally Posted by Angel-Wings (Post 1789757)
Simple answer - use a different temp dir than the default /tmp one, chown / chmod that one and make sure anything active (PHP, SSI) isn't active there.
Related to the VPS issue and the "It's up to you" statement - that's only partially right. VPS run inside a virtual environment and if the hoster doesn't care about security updates it's possible - hard but possible - to break out from a VPS on the real server and from there, well, you can do everything.
Back to the "tmp dir" - set in php.ini a tempdir, outside the webroot of course and ensure your Webserver doesn't serve that directory.
And related to this base64 - I highly recommend reading some manuals about a "secure as possible" PHP setup. Just because it's set in the default php.ini, it doesn't mean it's good to be kept ;)

Chown it as a different user other than root?
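Added example covering Angel-Wings' steps and Jordan's chown question, not code from the thread or from vBulletin: a Python admin helper that creates a dedicated PHP temp directory outside the web root, chowns it to whatever account you pass in (the web server's or PHP's user, not root; uid/gid are parameters because that account differs per setup), chmods it to 1770 (owner and group only, sticky bit so nobody can delete another user's files), emits the php.ini lines that redirect PHP's temp-file use away from /tmp, emits an Apache 2.4 block refusing to serve or execute anything there, and audits the result. The path `/srv/phptmp`, the 1770 mode and the Apache syntax are assumptions; `sys_temp_dir` is newer than this thread (PHP 5.5+), the other two directives are long-standing.

```python
"""Dedicated PHP temp directory: create it, lock it down, audit it.
Added example, not vBulletin code; paths, uids and the 1770 mode are assumptions."""
import os
import stat
import tempfile

# php.ini directives that otherwise fall back to the shared system /tmp
PHP_INI_KEYS = ("upload_tmp_dir", "session.save_path", "sys_temp_dir")


def php_ini_snippet(tmpdir):
    """php.ini lines pointing PHP's temp-file use at the dedicated directory."""
    return "".join("%s = %s\n" % (key, tmpdir) for key in PHP_INI_KEYS)


def apache_deny_snippet(tmpdir):
    """Apache 2.4 block refusing to serve or execute anything in tmpdir
    (defence in depth; the directory should already be outside the web root)."""
    return ('<Directory "%s">\n'
            "    Require all denied\n"
            "    php_admin_flag engine off\n"
            "</Directory>\n") % tmpdir


def create_tmpdir(tmpdir, uid=None, gid=None, mode=0o1770):
    """Create tmpdir, optionally chown it to the PHP/web-server account (needs root),
    and chmod it: owner+group rwx, nothing for others, sticky bit set."""
    os.makedirs(tmpdir, exist_ok=True)
    if uid is not None or gid is not None:
        os.chown(tmpdir, -1 if uid is None else uid, -1 if gid is None else gid)
    os.chmod(tmpdir, mode)  # explicit chmod: the makedirs mode is masked by umask
    return tmpdir


def audit_tmpdir(tmpdir, docroot, expected_uid=None):
    """Return a list of findings; an empty list means the directory passes."""
    findings = []
    try:
        st = os.stat(tmpdir)
    except FileNotFoundError:
        return ["directory does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        findings.append("not a directory")
    real_tmp, real_root = os.path.realpath(tmpdir), os.path.realpath(docroot)
    if os.path.commonpath([real_tmp, real_root]) == real_root:
        findings.append("inside the web root")
    if real_tmp == "/tmp":
        findings.append("still the shared system /tmp")
    perm = stat.S_IMODE(st.st_mode)
    if perm & 0o007:
        findings.append("world-accessible (mode %04o)" % perm)
    if not perm & stat.S_ISVTX:
        findings.append("sticky bit not set")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    return findings


def self_check():
    """Build a good and a bad layout under a scratch base and audit both."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    good = create_tmpdir(os.path.join(base, "phptmp"))          # outside docroot, 1770
    bad = create_tmpdir(os.path.join(docroot, "tmp"), mode=0o777)  # inside docroot, open
    return {
        "good": audit_tmpdir(good, docroot, expected_uid=os.getuid()),
        "bad": audit_tmpdir(bad, docroot),
        "good_mode": stat.S_IMODE(os.stat(good).st_mode),
    }


if __name__ == "__main__":
    print(self_check())
    print(php_ini_snippet("/srv/phptmp"))
    print(apache_deny_snippet("/srv/phptmp"))
```

After changing php.ini, restart the web server or PHP-FPM and re-run `audit_tmpdir` against the real path and document root; the audit is what tells you the directory is still outside the web root and still group-only after the next host migration.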
