
vBulletin security alert.


Darksat said: "Just found this.

[QUOTE]
JELSOFT SECURITY BULLETIN
http://www.vbulletin.com/
January 7th, 2005

This email contains important security-related information. Please read it carefully.

* vBulletin 3.0.4 / 3.0.5 Released
* Important Warning About Sensitive Data
* Security Issues in PHP 4.3.9, 5.0.2 & Older
* Your License Information
* Contact Us

------------ VBULLETIN 3.0.4 / 3.0.5 RELEASED ------------

The discovery of a serious security vulnerability in versions of vBulletin 3 up to and including 3.0.4 has necessitated the immediate release of a version to plug the hole. This is a CRITICAL update, and we urge all customers running affected software to upgrade vBulletin with the utmost urgency.

vBulletin 3.0.5 includes all the updates recently released as part of vBulletin 3.0.4, including a long list of fixes for minor annoyances and bugs found since version 3.0.3.

vBulletin 3.0.5 is available for immediate download from the vBulletin Members' Area.
[url]http://www.vbulletin.com/members/[/url]

If you are unable to upgrade immediately, you should at least download the patched version of includes/init.php from the release announcement thread and replace your existing version with it.

Please read the announcement for upgrade and installation instructions, as well as the list of bugs fixed and other changes:
[url]http://www.vbulletin.com/forum/showthread.php?t=125480[/url]

--------- IMPORTANT WARNING ABOUT SENSITIVE DATA ---------

Due to the nature of the vulnerability discovered in vBulletin 3, and as part of our ongoing effort to maximize security, we must assume that one or all of the vBulletin servers may have been compromised.

Therefore, we would STRONGLY RECOMMEND that any customers who may have submitted sensitive data; such as vBulletin admin control panel or server login details, to Jelsoft staff in the past should take steps to alter these details, so that any information that may have been accessed by an unauthorized party could not be used.

We would like to reassure our customers that Jelsoft keeps NO RECORD of credit card numbers used in transactions, making it impossible for these details to be discovered or abused.

Additionally, steps have been taken and are ongoing to ensure that any potentially leaked data does not contain sensitive data.

------ SECURITY ISSUES IN PHP 4.3.9, 5.0.2 & OLDER -------

The PHP development team recently released PHP 4.3.10 and 5.0.3 in order to patch serious security issues in previous versions.

With the emergence of malicious code such as the Santy/NeverEverNoSanity worms, which are responsible for defacing and damaging a large number of sites, we join with the PHP team in advising all customers running PHP versions older than 4.3.10 or 5.0.3 to upgrade as soon as possible to one of the patched versions.

---------------- YOUR LICENSE INFORMATION ----------------

You can use this information to log into the members area and download vBulletin 3.0.5:

Customer Number: XXXX (LOL, I ain't leaving this here)

If you have misplaced your customer password, you can request that it be re-sent to your registered email address using the following form:
[url]http://www.vbulletin.com/members/lostpw.php[/url]

You can use this information to log into the members area:
[url]http://www.vbulletin.com/members/[/url]

-------------------- CONTACT US --------------------------

Got a vBulletin technical query? Contact support:
[url]http://www.vbulletin.com/support/[/url]

For all other queries, please visit this page:
[url]http://www.vbulletin.com/contact.php[/url]

----------------------------------------------------------

This periodic email newsletter is delivered to all current vBulletin customers, and contains information about new software versions and Jelsoft.com/vBulletin.com web site features and content. If you have any questions or comments about this mailing, please contact us.

This email sent to: XXXXXXXXXXXXXXXXXXXXXXXXXX

Copyright (c) 2000-2005, Jelsoft Enterprises Limited
[/QUOTE]"

Darren said: "Yep, it's a full-time job staying on top of these patches. First thing for everyone is to get PHP upgraded to 4.3.10 and turn off register_globals. I think register_globals has been off by default for a few years now."
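
The two checks recommended in this thread (PHP at or above the patched 4.3.10 / 5.0.3 releases, and register_globals off) can be scripted as below. This is an added example, not part of the original posts or of vBulletin; the function names and the sample php.ini are constructed for illustration, and it assumes the built-in default for register_globals is Off and that the last assignment in php.ini wins.

```python
import re

# Patched releases named in the bulletin, keyed by PHP major branch.
PATCHED = {4: (4, 3, 10), 5: (5, 0, 3)}
TRUTHY = {"1", "on", "true", "yes"}

def parse_version(text):
    """Extract (major, minor, patch) from a PHP version string such as '4.3.9-1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no PHP version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def version_is_patched(text):
    """Compare numerically per branch: as plain strings '4.3.9' sorts above '4.3.10'."""
    version = parse_version(text)
    floor = PATCHED.get(version[0])
    if floor is None:
        # Branches the bulletin does not name: anything before 4 is unpatched,
        # anything after 5 postdates these fixes.
        return version[0] > 5
    return version >= floor

def register_globals_enabled(ini_text, default=False):
    """Effective register_globals from php.ini text (assumed default: Off)."""
    value = default
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r"(?i)register_globals\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'").lower() in TRUTHY
    return value

def audit(version_text, ini_text):
    """Return the list of findings for one host."""
    findings = []
    if not version_is_patched(version_text):
        findings.append("php-version")
    if register_globals_enabled(ini_text):
        findings.append("register_globals")
    return findings

# Constructed sample php.ini: the setting is switched back on further down.
SAMPLE_INI = """[PHP]
;register_globals = On
register_globals = Off
register_globals = On   ; re-enabled for a legacy script
"""

if __name__ == "__main__":
    print(audit("4.3.9", SAMPLE_INI))
```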