New Security Issue in VB?

Discussion in 'vBulletin Discussions' started by Autopilot, Aug 24, 2013.

  1. Mark.B

    Mark.B Regular Member

    Joined:
    Jul 4, 2013
    Messages:
    253
    Likes Received:
    42
    I have him on ignore, the forum is a better place without it.
     
  2. Mark.B

    Mark.B Regular Member

    Joined:
    Jul 4, 2013
    Messages:
    253
    Likes Received:
    42
    Absolutely, and the input of such people is always hugely valued. They help to make a better product for everyone.
     
  3. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
    @djbaxter What you say is true and irrefutable (I guess) but it does not address Canonicals claim "the Forums software, may be allowed to contain unfiltered HTML and do so by default." And this they claim is the reason for the incursion.
    And if the software were not at fault why release a security patch to fix an exploit that isn't the software's problem?

    So if I take what you are saying as gospel, I'm to conclude that there is and never was a problem with the software that caused or allowed to be caused the forum to be hacked and have its customer data downloaded? This security release then is just a placebo to lead people to feel more secure about using the software that doesn't have security problems? Hmmmm

    As for the alpha and beta testers you use Microsoft as an authority to back up your statement, well we all know about Microsoft don't we? LOL

    Usually in my experience when something needs testing, especially products that consumers pay for, the testing is done by qualified individuals who know what they are doing, looking for and reliably report their findings. What you're saying makes as much sense as the site foreman asking a plummer to inspect the electricians work and sign off on it.
    Alpha testing is done or should be if the consumer is to get quality products, done by a qualified alpha tester. Beta testing is done as above. Then when all seems to be working as designed and coded, a release candidate (RC) is given to consumers who wish to check it out with the recommendation testing be done on a closed site . Then after several or many RC's if all works out, then and only then should the product be released to the general public as Final Release. I've seen this time and time again in open source projects.

    I mean come on. That's like asking a proctologist to perform heart surgery because he's a qualified surgeon.
     
  4. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
    Yeah right. And this is why peoples input is hugely ridiculed, ignored and ultimately get the people band, locked out or ignored. I call BS here.
     
  5. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
    If you had me on ignore how did you know who he was talking about? Are you a lurking troll?? LMAO
     
  6. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
    If you have nothing constructive to contribute, why are you whining about people whining about security issues?
    I don't always agree with the excuses or explanations others offer but at least they are constructive, productive contributions to the discussion. All you bring to this thread is the same BS you pull on VB. cyber bullying.
     
  7. djbaxter

    djbaxter Regular Member

    Joined:
    Jul 4, 2009
    Messages:
    261
    Likes Received:
    162
    Location:
    Ottawa ON Canada
    The ONLY place isn vBulletin that permits HTML by default is in Announcements or Notices. Those are intended as Admin privileges. As far as I know, by default all other usergroups cannot post announcements or notices. Why would a forum owner/admin give admin privileges to a non-admin? That is user error and in my opinion is reckless behavior.

    Anywhere else in vBulletin, HTML is off by default, so the forum admin must intentionally turn it on at which time s/he will see a warning advising that doing so is a security risk.

    What patch are you talking about? The ubuntu forum is using vBulletin 4.x. The only recent security patch I'm aware of is for 5.x - I'm not even surfe what that addresses - I don't use 5.x.

    That's correct.

    You seem to be confused. The security release was for a different version of vBulletin.

    Or, if you are referring to the advisory to delete the entire install directory, I don't know how or even if that is related to the ubuntu forums problem.

    What's your point?

    I have already explained why alpha and beta versions are released and to whom. I've already pointed out that many much larger corporations do this. I have no idea what point you think you're making here but it makes no sense to me.
     
  8. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
    I think you are confused. The Potential vBulletin Exploit (vBulletin 4.1+, vBulletin 5+)

    My point being exactly that. You were using Microsoft as an authority to buck up your point which only clouds the original point.

    Again you are using other authorities to justify your conclusions. Conclusions based on "well these people do it, therefore it is right" is bad logic.
     
  9. djbaxter

    djbaxter Regular Member

    Joined:
    Jul 4, 2009
    Messages:
    261
    Likes Received:
    162
    Location:
    Ottawa ON Canada
    Did you not previously state that the ubuntu forums issue was NOT an example of this exploit, was unrelated to it?

    As for the rest of your post, you're being ridiculous and I'm not going to play that dumb game with you.
     
  10. djbaxter

    djbaxter Regular Member

    Joined:
    Jul 4, 2009
    Messages:
    261
    Likes Received:
    162
    Location:
    Ottawa ON Canada
    You said earlier:

    So which is it? Was the ubuntu forums issue caused by the install files or not? Make up your mind.
     
  11. Brandon

    Brandon Regular Member

    Joined:
    Jun 1, 2009
    Messages:
    6,602
    Likes Received:
    1,707
    Location:
    Topeka, Kansas
    First Name:
    Brandon
    Last edited: Sep 8, 2013
    Autopilot likes this.
  12. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
    @djbaxter With all due respect I now know why you are having trouble grasping what I've said and are getting confused. Not something I can help you with as it is hard for you or anyone to take snippets of a thread, jumble them in a pot, stir it up and make sense of it all. Perhaps the link Brandon provided will help you focus on the issue, and don't be so narrow minded about it, I don't know. You say you don't want to play a dumb game with me, well as far as I'm concerned it is you who are playing games, twisting statements, appealing to authority, and using bad logic to make connections that don't exist, asking questions you already know the answer to then disputing it.

    @Brandon just another piece of information to confirm it's more wide spread than the complaints on the vB forum, those in the open and those hidden from public view would leave us to believe.
     
  13. Brandon

    Brandon Regular Member

    Joined:
    Jun 1, 2009
    Messages:
    6,602
    Likes Received:
    1,707
    Location:
    Topeka, Kansas
    First Name:
    Brandon
    My favorite comment @Autopilot from that story.

     
    Mikey and Autopilot like this.
  14. djbaxter

    djbaxter Regular Member

    Joined:
    Jul 4, 2009
    Messages:
    261
    Likes Received:
    162
    Location:
    Ottawa ON Canada
  15. Brandon

    Brandon Regular Member

    Joined:
    Jun 1, 2009
    Messages:
    6,602
    Likes Received:
    1,707
    Location:
    Topeka, Kansas
    First Name:
    Brandon
    Looks like it, the attacker had made 2 new admin account on the forum as well.
     
  16. dandanch

    dandanch Regular Member

    Joined:
    Jul 12, 2013
    Messages:
    38
    Likes Received:
    18
    So brandon if I'm understand you correctly the deleting of the install folder did not stop the exploit.
     
  17. djbaxter

    djbaxter Regular Member

    Joined:
    Jul 4, 2009
    Messages:
    261
    Likes Received:
    162
    Location:
    Ottawa ON Canada
    No. He's saying that forum still had the install folder in place.
     
    Last edited: Sep 8, 2013
    Brandon likes this.
  18. Brandon

    Brandon Regular Member

    Joined:
    Jun 1, 2009
    Messages:
    6,602
    Likes Received:
    1,707
    Location:
    Topeka, Kansas
    First Name:
    Brandon
    I didn't say that.
     
  19. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
    @Brandon It looks like from that link you posted they are saying the attacks were targeting vB /install folders.
     
  20. djbaxter

    djbaxter Regular Member

    Joined:
    Jul 4, 2009
    Messages:
    261
    Likes Received:
    162
    Location:
    Ottawa ON Canada
    Ya think?
     

Share This Page