Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2014.0090
vBulletin has released a security patch to address a vulnerability in
versions 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, and 5.1.2.
28 July 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: vBulletin
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Cross-site Request Forgery -- Remote with User Interaction
Resolution: Patch/Upgrade
Member content until: Wednesday, August 27 2014
OVERVIEW
vBulletin has released a security patch to address a vulnerability
in versions 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1,
and 5.1.2.
IMPACT
The vendor has provided the following details regarding these
vulnerabilities:
"The patch resolves a potential Cross-Site Forgery Request in the
authorization system." [1]
MITIGATION
The vendor has stated that these issues have been corrected in
versions 5.1.2 PL2, 5.1.1 PL2, 5.1.0 PL3, 5.0.5 PL4, 5.0.4 PL5,
5.0.3 PL4, 5.0.2 PL5, 5.0.1 PL4 and 5.0.0 PL4. [1]
REFERENCES
[1] Security Patch Release for vBulletin 5 Connect, Versions 5.0.0
through 5.1.2
http://www.vbulletin.org/forum/showthread.php?p=2507866#post2507866
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBU9XLPxLndAQH1ShLAQLAjQ/+M8X1WaducLnKoqd5abmU9mEnymbh5aLn
HJHn58kW+iXdyhWrp+Bxn+0cYoktU4ScG9RsL5/fQq/FS92YAoWZ4aMybprgDq2l
KXV7MJwE56yiqyrFVBnxvZt+7aNR7wG1XTKJQCa64ORgPKz7MAiH94DcKTK9CpIC
KoW/FE8dOHlwscU1jZsrUDlr2r7Z8X45yK9pn42oGqh26tk/+Meb29OijoW5Ms5R
J7r2TriJp4pxj0xdJDXVIjnxMBRaomToGjGvR2IYYAUObzegCxxpHhQGa8aaouIM
Hqy/RRY5SGc09gZnCJ4VEZy3e3/YVfJFp5P4RUYgxHWXEW0t1TE+NC8Ol3uBzxnd
j6wBAJQAXr7GeQI6F4IX6UFgpQGxkQh3n8wPhJgX1oT0qwa0tO0sU92HIB1tJGkz
fCNERyKOmCbt/7E+zLfeyy01PUo8qzCb8Q5HDxMmqG2S5WYelwLSkaEF/REHVDbr
7aMIpvk9t9gSYW1M8nH+Dr61Rm2Dhv08Rj7jRFrFFZiHLappQWwK8JLWqUSkaF4C
CwZtfQ58O/c7gbxcFPdJw6dKZX2RJlc56WnEUqlO2fVQwItMr8jCVmpqsbGVqPIX
ze4PfiHGUwvxqeyxBvMwXCBjIib8EUrDOEILIuyxAEGvoL0k19Z5rFoXpBYaXMO8
g4N9qObY8/8=
=zkJi
-----END PGP SIGNATURE-----