تحديث امني جديد للنسخه 4.0.2 PL 2 والنسخ السابقه By دعم في بي

**Sc®iPt** · 03-23-2010 02:36 AM

إستناداً للثغرة الأولى يبدو إنها خطره بما فيه الكفايه لكي يصدر لها ترقيع يحتاج لترقيه في جدول user

لذا اصدرنا الباتش فور صدوره من الشركة الأم

كما نتابع في دعم في بي هذه التحديثات الأمنيه بشكل مستمر ونتمنى من جميع الأعضاء الذين يستخدمون هذا البرنامج من المنتديات متابعة هذا القسم بشدة

هذا إقتباس من موقع الشركة وطريقة الترقيه وتوضيح لمن يستخدم إصدارات سابقه

The vBulletin development team has identified a potential issue with the strength of password encryption in vBulletin and we are implementing a patch to address this issue.

In certain rare cases, hackers can exploit a non-vBulletin vector (such as a bad plug-in) to access the vBulletin password database and attempt to decrypt administrator and user passwords.

In the cases we have investigated, if hackers are able to successfully exploit the password database, they focus on administrator usernames and passwords. Since many administrators work on multiple vBulletin sites, the hackers then search all vBulletin sites for a particular administrator username and attempt to log in with the corresponding password. They then access user tables and attempt to repeat the process across multiple vBulletin sites and cause widespread disruptions.

The patch changes the way password hashes are generated to prevent some methods of determining the password from the hash from working. Note that the new hashes are only generated when a password is changed. Therefore, we strongly advise changing all admin passwords immediately once the patch is applied. It is also strongly recommended that all users change their passwords as well.

To protect yourself from the vulnerability, you need to do the following:

If you are running VB 3.7.x, upgrade to version 3.7.7
If you are running VB 3.8.x upgrade to version 3.8.5
If you are running VB 4 version 4.0 or 4.0.1, upgrade to 4.0.2 PL 2

If you are running VB version 4.0.2 and 4.0.2 PL 1, the process is a little different.
1) Download the 4.0.2 PL 2 patch files.
2) Set your site to be offline.
3) Upload the patch files your vbulletin directory.
4) Run the url http://your.site.com/vBdirectory/ins...e_402_salt.php
5) Set your site to be online.

Note: If a user changes their password after the patch is uploaded, but before the upgrade_402_salt.php, then they will be unable to log in. The password will need to be reset after the upgrade_402_salt.php. Setting the site to be offline while the patch is applied will prevent users from changing their passwords during this interval.

The patch will not prevent all methods of obtaining the passwords from the hashes. Passwords that are weak or otherwise easily guessed can still be obtained. You should observe basic rules for password generation:

1) A minimum of 6 characters, with more being better
2) Use upper case, lower case, numbers, and punctuation characters in your password
3) Avoid words found in dictionaries, as these are often used to guess passwords

It is also strongly recommended that administrators who use the same username across multiple sites use different passwords for each site they log in to, because if the site you reuse a password on isn’t secure, the security of your site is still compromised.

The 4.0.2 PL 2, patch also fixes the XSS bug on the search pages. This bug does not exist in vBulletin 3.

ترجمة سريعه

من يستخدم إصدار 3.7 ننصحه بشدة للترقيه إلى 3.7.7

ومن يستخدم إصدار 3.8 ننصحة بشدة للترقيه 3.8.5

ومن يستخدم أي إصدار من الجيل الرابع 4.0.0 ننصحه بشدة الترقيه للإصدار الآخير او تركيب الترقيه المرفقه

vb_patch402 Patch By D3m-vb.net.zip

ومن ثم الذهاب إلى رابط الترقيه

http://your.site.com/vBdirectory/ins...e_402_salt.php

مع تحديد التوجه إلى عنوان الترقيه الخاص بالباتش كما هو موضح أعلاه

نتمنى لكم حمايه أكيده بدون اي مشاكل او متاعب ونحن في الخدمة لجميع الأعضاء

أطيب تحية
سكربـت