vBulletin CSRF (vBulletin cross-site request forgery)
Posted on April 24th, 2008 by Gabriel Harper

More fun in the Webmaster world of updates. Jelsoft today announced vBulletin 3.6.10, including various backported bug fixes from 3.7.0 but primarily to fix a cross-site request forgery (CSRF) in vBulletin 3.6.9.
According to Jelsoft: “The vulnerability potentially allows an administrator to be lured to a third party site that could submit a form on their behalf and without their knowledge, with the potential to damage the forum of which the targeted person is an administrator. Actions performed within the Admin Control Panel are NOT vulnerable to this attack vector and are unaffected by the CSRF vulnerability.”
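The attack Jelsoft describes works because a form auto-submitted by a third-party page is sent with the administrator's forum cookie, so a handler that trusts the cookie alone cannot tell it from a form the administrator submitted deliberately. The following is an added illustration, not vBulletin's code (vBulletin is PHP; this is Python so it can be run as-is): a vulnerable handler beside one that requires a session-bound token and checks the Origin header. The session ids, the `promote` action, the origins and the `forum_state` dictionary are all constructed for the example.

```python
"""CSRF on a state-changing form: an unprotected handler beside a token-checked one."""
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads this from configuration.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed forum state so the handlers have something to change.
forum_state = {"users": {"alice": "member", "mallory": "member"}}


def perform_action(form):
    """Apply a hypothetical privileged action (promote a user) to the forum state."""
    if form.get("action") == "promote":
        forum_state["users"][form["user"]] = "admin"
        return {"status": "ok", "promoted": form["user"]}
    return {"status": "error", "reason": "unknown action"}


def issue_csrf_token(session_id):
    """Derive a per-session token as HMAC(secret, session_id).
    The forum embeds it in its own forms; a third-party page cannot read it because the
    browser does not expose another origin's page content to it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_post_unprotected(session_id, form):
    """Vulnerable shape: the session cookie alone authorises the request, so a form
    auto-submitted by a third-party site is indistinguishable from the admin's own."""
    if session_id is None:
        return {"status": "error", "reason": "not logged in"}
    return perform_action(form)


def handle_post_protected(session_id, form, origin, site_origin):
    """Hardened shape: require a token bound to the session and, when the browser sends
    an Origin header, require that it matches the site. Rejections are returned rather
    than raised so the caller can log them as a detection signal."""
    if session_id is None:
        return {"status": "error", "reason": "not logged in"}
    if origin is not None and origin != site_origin:
        return {"status": "rejected", "reason": "cross-origin request"}
    supplied = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so the token cannot be recovered through timing differences.
    if not hmac.compare_digest(supplied, expected):
        return {"status": "rejected", "reason": "missing or invalid CSRF token"}
    return perform_action(form)


def demo():
    """Replay the scenario from the post: a third-party page submits a form that rides on
    the administrator's cookie. Returns each handler's verdict."""
    site = "https://forum.example"           # constructed forum origin
    admin_session = "sess-admin-1234"        # constructed session id carried by the cookie
    forged = {"action": "promote", "user": "mallory"}   # no token: a third party cannot know it
    results = {
        "unprotected": handle_post_unprotected(admin_session, forged),
        "protected_forged": handle_post_protected(admin_session, forged, "https://other.example", site),
    }
    # A legitimate submission from the forum's own page carries the session-bound token.
    legit = {**forged, "csrf_token": issue_csrf_token(admin_session)}
    results["protected_legit"] = handle_post_protected(admin_session, legit, site, site)
    # A token minted for a different session must not be accepted either.
    other = {**forged, "csrf_token": issue_csrf_token("sess-other-9999")}
    results["protected_other_session"] = handle_post_protected(admin_session, other, None, site)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The Origin check is a second line of defence only: older browsers omit the header, which is why the token check is the one that must never be skipped. Logging the `rejected` verdicts gives a cheap detector for CSRF attempts against a forum.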
The number of changes in files and templates makes a full update required to fix the CSRF, and Jelsoft strongly urges all users running versions of vBulletin prior to 3.6.10 to upgrade immediately.