Security update

Aug 9, 2007
First off, sorry for going up and down like a yo-yo tonight. I have had to install a security patch. Please read the following notes from the software supplier below and take note of the part in bold.


The vBulletin development team has identified a potential issue with the strength of password encryption in vBulletin and we are implementing a patch to address this issue.

In certain rare cases, hackers can exploit a non-vBulletin vector (such as a bad plug-in) to access the vBulletin password database and attempt to decrypt administrator and user passwords.

In the cases we have investigated, if hackers are able to successfully exploit the password database, they focus on administrator usernames and passwords. Since many administrators work on multiple vBulletin sites, the hackers then search all vBulletin sites for a particular administrator username and attempt to log in with the corresponding password. They then access user tables and attempt to repeat the process across multiple vBulletin sites and cause widespread disruptions.

The patch changes the way password hashes are generated to prevent some methods of determining the password from the hash from working.

Note that the new hashes are only generated when a password is changed.

Therefore, we strongly advise changing all admin passwords immediately once the patch is applied. It is also strongly recommended that all users change their passwords as well.
