New Security Issue in VB?

I have him on ignore, the forum is a better place without it.

 

Absolutely, and the input of such people is always hugely valued. They help to make a better product for everyone.

 

@djbaxter What you say is true and irrefutable (I guess) but it does not address Canonicals claim "the Forums software, may be allowed to contain unfiltered HTML and do so by default." And this they claim is the reason for the incursion.
And if the software were not at fault why release a security patch to fix an exploit that isn't the software's problem?

So if I take what you are saying as gospel, I'm to conclude that there is and never was a problem with the software that caused or allowed to be caused the forum to be hacked and have its customer data downloaded? This security release then is just a placebo to lead people to feel more secure about using the software that doesn't have security problems? Hmmmm

As for the alpha and beta testers you use Microsoft as an authority to back up your statement, well we all know about Microsoft don't we? LOL

Usually in my experience when something needs testing, especially products that consumers pay for, the testing is done by qualified individuals who know what they are doing, looking for and reliably report their findings. What you're saying makes as much sense as the site foreman asking a plummer to inspect the electricians work and sign off on it.
Alpha testing is done or should be if the consumer is to get quality products, done by a qualified alpha tester. Beta testing is done as above. Then when all seems to be working as designed and coded, a release candidate (RC) is given to consumers who wish to check it out with the recommendation testing be done on a closed site . Then after several or many RC's if all works out, then and only then should the product be released to the general public as Final Release. I've seen this time and time again in open source projects.

I mean come on. That's like asking a proctologist to perform heart surgery because he's a qualified surgeon.

 

Yeah right. And this is why peoples input is hugely ridiculed, ignored and ultimately get the people band, locked out or ignored. I call BS here.

 

If you had me on ignore how did you know who he was talking about? Are you a lurking troll?? LMAO

 

If you have nothing constructive to contribute, why are you whining about people whining about security issues?
I don't always agree with the excuses or explanations others offer but at least they are constructive, productive contributions to the discussion. All you bring to this thread is the same BS you pull on VB. cyber bullying.

 

The ONLY place isn vBulletin that permits HTML by default is in Announcements or Notices. Those are intended as Admin privileges. As far as I know, by default all other usergroups cannot post announcements or notices. Why would a forum owner/admin give admin privileges to a non-admin? That is user error and in my opinion is reckless behavior.

Anywhere else in vBulletin, HTML is off by default, so the forum admin must intentionally turn it on at which time s/he will see a warning advising that doing so is a security risk.

What patch are you talking about? The ubuntu forum is using vBulletin 4.x. The only recent security patch I'm aware of is for 5.x - I'm not even surfe what that addresses - I don't use 5.x.

That's correct.

You seem to be confused. The security release was for a different version of vBulletin.

Or, if you are referring to the advisory to delete the entire install directory, I don't know how or even if that is related to the ubuntu forums problem.

What's your point?

I have already explained why alpha and beta versions are released and to whom. I've already pointed out that many much larger corporations do this. I have no idea what point you think you're making here but it makes no sense to me.

 

I think you are confused. The Potential vBulletin Exploit (vBulletin 4.1+, vBulletin 5+)

My point being exactly that. You were using Microsoft as an authority to buck up your point which only clouds the original point.

Again you are using other authorities to justify your conclusions. Conclusions based on "well these people do it, therefore it is right" is bad logic.

 

Did you not previously state that the ubuntu forums issue was NOT an example of this exploit, was unrelated to it?

As for the rest of your post, you're being ridiculous and I'm not going to play that dumb game with you.

 

You said earlier:

So which is it? Was the ubuntu forums issue caused by the install files or not? Make up your mind.

 

I just had a new vBulletin client contact me for this exploit, this is what their home page looked like.
http://thehackernews.com/2013/09/major-vbulletin-based-websites-are.html

Thanks vBulletin for the money this Sunday afternoon.

 

@djbaxter With all due respect I now know why you are having trouble grasping what I've said and are getting confused. Not something I can help you with as it is hard for you or anyone to take snippets of a thread, jumble them in a pot, stir it up and make sense of it all. Perhaps the link Brandon provided will help you focus on the issue, and don't be so narrow minded about it, I don't know. You say you don't want to play a dumb game with me, well as far as I'm concerned it is you who are playing games, twisting statements, appealing to authority, and using bad logic to make connections that don't exist, asking questions you already know the answer to then disputing it.

@Brandon just another piece of information to confirm it's more wide spread than the complaints on the vB forum, those in the open and those hidden from public view would leave us to believe.

 

My favorite comment @Autopilot from that story.

 

Was this a result of the install folder being in place?

 

Looks like it, the attacker had made 2 new admin account on the forum as well.

 

So brandon if I'm understand you correctly the deleting of the install folder did not stop the exploit.

 

No. He's saying that forum still had the install folder in place.

 

I didn't say that.

 

@Brandon It looks like from that link you posted they are saying the attacks were targeting vB /install folders.

 

Ya think?