Old 03-22-2010, 05:10 PM
vB.Org System
Senior Member
 
Join Date: Aug 2007
Posts: 386
Security Fix Releases 3.7.7 and 4.0.2 PL 2

The vBulletin development team has identified a potential issue with the strength of password encryption in vBulletin and we are implementing a patch to address this issue.

In certain rare cases, hackers can exploit a non-vBulletin vector (such as a bad plug-in) to access the vBulletin password database and attempt to decrypt administrator and user passwords.

In the cases we have investigated, if hackers are able to successfully exploit the password database, they focus on administrator usernames and passwords. Since many administrators work on multiple vBulletin sites, the hackers then search all vBulletin sites for a particular administrator username and attempt to log in with the corresponding password. They then access user tables and attempt to repeat the process across multiple vBulletin sites and cause widespread disruptions.

The patch changes the way password hashes are generated to prevent some methods of determining the password from the hash from working. Note that the new hashes are only generated when a password is changed. Therefore, we strongly advise changing all admin passwords immediately once the patch is applied. It is also strongly recommended that all users change their passwords as well.

To protect yourself from the vulnerability, you need to do the following:

If you are running VB 3.7.x, upgrade to version 3.7.7
If you are running VB 3.8.x upgrade to version 3.8.5
If you are running VB 4 version 4.0 or 4.0.1, upgrade to 4.0.2 PL 2

If you are running VB version 4.0.2 or 4.0.2 PL 1, the process is a little different.
1) Download the 4.0.2 PL 2 patch files.
2) Set your site to be offline.
3) Upload the patch files to your vBulletin directory.
4) Run the url http://your.site.com/vBdirectory/ins...e_402_salt.php
5) Set your site to be online.

Note: If a user changes their password after the patch is uploaded, but before upgrade_402_salt.php is run, then they will be unable to log in. The password will need to be reset after upgrade_402_salt.php has been run. Setting the site to be offline while the patch is applied will prevent users from changing their passwords during this interval.

The patch will not prevent all methods of obtaining the passwords from the hashes. Passwords that are weak or otherwise easily guessed can still be obtained. You should observe basic rules for password generation:

1) A minimum of 6 characters, with more being better
2) Use upper case, lower case, numbers, and punctuation characters in your password
3) Avoid words found in dictionaries, as these are often used to guess passwords

It is also strongly recommended that administrators who use the same username across multiple sites use different passwords for each site they log in to, because if the site you reuse a password on isn't secure, the security of your site is still compromised.


The 4.0.2 PL 2 patch also fixes the XSS bug on the search pages. This bug does not exist in vBulletin 3.



Kevin


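The announcement says the patch changes how password hashes are generated, that this only stops some ways of recovering passwords, and that weak passwords still fall. The following is an added example, not part of the announcement and not vBulletin's code, showing what a longer per-user salt buys an attacker who already holds the password table and what it does not. It assumes a hash of the form md5(md5(password) + salt), a 3-character salt before the patch and a 30-character salt after it, a 62-character salt alphabet, a constructed wordlist and constructed user rows; none of those specifics are stated on the page.

```python
import hashlib
import itertools
import secrets
import string

# Assumptions for illustration (not stated in the announcement): the stored hash is
# md5(md5(password) + salt), the pre-patch salt is 3 characters, the post-patch salt
# is 30 characters, and salts are drawn from letters and digits.
SALT_ALPHABET = string.ascii_letters + string.digits
LEGACY_SALT_LEN = 3
PATCHED_SALT_LEN = 30

# Constructed wordlist, the kind an attacker brings to a dumped user table.
WORDLIST = ["password", "letmein", "admin123", "dragon", "qwerty", "Tr0ub4dor&3"]


def vb_hash(password: str, salt: str) -> str:
    """Salted double-MD5 as assumed above."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def new_salt(length: int, alphabet: str = SALT_ALPHABET) -> str:
    return "".join(secrets.choice(alphabet) for _ in range(length))


def store_user(username: str, password: str, salt_len: int,
               alphabet: str = SALT_ALPHABET) -> dict:
    """One constructed row of a 'user' table: username, salt, password hash."""
    salt = new_salt(salt_len, alphabet)
    return {"username": username, "salt": salt, "password": vb_hash(password, salt)}


def table_size(salt_len: int, n_words: int, alphabet: str = SALT_ALPHABET) -> int:
    """Hashes needed to cover every (word, salt) pair once. The table is built once
    and reused against every dump that uses the same scheme, which is what makes a
    short salt cheap to attack across many sites."""
    return len(alphabet) ** salt_len * n_words


def precompute_table(salt_len: int, wordlist: list, alphabet: str = SALT_ALPHABET) -> dict:
    """Lookup table hash -> plaintext for every salt of the given length."""
    table = {}
    for chars in itertools.product(alphabet, repeat=salt_len):
        salt = "".join(chars)
        for word in wordlist:
            table[vb_hash(word, salt)] = word
    return table


def crack_with_table(dump: list, table: dict) -> dict:
    """Offline lookup: one dictionary probe per user, no hashing at attack time."""
    return {u["username"]: table.get(u["password"]) for u in dump}


def crack_per_user(dump: list, wordlist: list) -> dict:
    """Dictionary attack that must rehash every candidate under each user's own salt.
    Weak passwords still fall; the work no longer amortises across users or sites."""
    found = {}
    for u in dump:
        found[u["username"]] = next(
            (w for w in wordlist if vb_hash(w, u["salt"]) == u["password"]), None)
    return found


def demo(alphabet: str = string.ascii_lowercase) -> dict:
    """Constructed users: two wordlist passwords and one that is not in the wordlist.
    The salt alphabet is reduced to lowercase so the legacy table builds in seconds;
    the cost figures use the full assumed alphabet."""
    creds = [("admin", "admin123"), ("alice", "letmein"), ("bob", "c0rrect-h0rse-battery")]
    legacy = [store_user(n, p, LEGACY_SALT_LEN, alphabet) for n, p in creds]
    patched = [store_user(n, p, PATCHED_SALT_LEN, alphabet) for n, p in creds]
    table = precompute_table(LEGACY_SALT_LEN, WORDLIST, alphabet)
    return {
        "legacy_table_cost": table_size(LEGACY_SALT_LEN, len(WORDLIST)),
        "patched_table_cost": table_size(PATCHED_SALT_LEN, len(WORDLIST)),
        "legacy_cracked": crack_with_table(legacy, table),
        "patched_table_lookup": crack_with_table(patched, table),
        "patched_per_user": crack_per_user(patched, WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Under these assumptions the precomputed table recovers every wordlist password in the legacy dump with a single lookup per user and is useless against the longer salt, but a per-user dictionary attack against the patched dump still recovers "admin123" and "letmein". That is the caveat in the announcement in code: the longer salt removes the shared precomputation, not the need for strong, unique passwords.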