[Critical] New vBulletin 5 SQL Injection

Discussion in 'vBulletin Discussions' started by ManagerJosh, Jul 17, 2014.

  1. ManagerJosh

    ManagerJosh Regular Member

    Joined:
    Sep 27, 2012
    Messages:
    96
    Likes Received:
    87
  2. ManagerJosh

    ManagerJosh Regular Member

    Joined:
    Sep 27, 2012
    Messages:
    96
    Likes Received:
    87
    Anyone want to bet this was used against vBulletin.com and was partly responsible for the data breach late last year? On a completely different, yet related note,Internet Brands don't know what they are doing. How the heck do you introduce a SQL injection these days into your code? It's like the biggest thing you're taught to avoid by OWASP.
     
  3. AWS

    AWS Administrator

    Joined:
    Feb 1, 2010
    Messages:
    1,616
    Likes Received:
    692
    Location:
    Joliet, IL U.S.A.
    First Name:
    Bob
    I think this is a new one. At least from the looks of the original report by the Russian group that found it.

    In all honesty when Scott left so did security. His forte was databases and secure code to access them.
     
  4. ManagerJosh

    ManagerJosh Regular Member

    Joined:
    Sep 27, 2012
    Messages:
    96
    Likes Received:
    87
    It's definitely new on the disclosures side of things, but for all we know someone found it long time ago and never made it public or sold it on the underground markets and used it personally.
     
  5. AWS

    AWS Administrator

    Joined:
    Feb 1, 2010
    Messages:
    1,616
    Likes Received:
    692
    Location:
    Joliet, IL U.S.A.
    First Name:
    Bob
    That is more than likely true. They need to do a security audit. Adding new code to old is never a good idea and if you do you should have an audit done.
     
    pixelek likes this.
  6. zappaDPJ

    zappaDPJ Regular Member

    Joined:
    May 27, 2013
    Messages:
    250
    Likes Received:
    165
    Location:
    London, England
    Is it my imagination or have there been rather a lot of patches issued recently to plug holes in vB5? It certainly does seem that a code review is in order.
     
  7. ManagerJosh

    ManagerJosh Regular Member

    Joined:
    Sep 27, 2012
    Messages:
    96
    Likes Received:
    87
    Code review? More like they need to actually first pay decently and hire programmers who know how to code securely.
     
    pixelek and AWS like this.
  8. zappaDPJ

    zappaDPJ Regular Member

    Joined:
    May 27, 2013
    Messages:
    250
    Likes Received:
    165
    Location:
    London, England
    I don't disagree, there's clearly an issue there.
     
  9. ManagerJosh

    ManagerJosh Regular Member

    Joined:
    Sep 27, 2012
    Messages:
    96
    Likes Received:
    87
    OR better yet...sell vBulletin and all its assets/members/etc. to XenForo :p
     
    pixelek likes this.
  10. s.molinari

    s.molinari Regular Member

    Joined:
    Nov 6, 2009
    Messages:
    774
    Likes Received:
    603
    Location:
    Käshofen
    Yeah, this latest security breach is just adding insult to injury.

    Scott
     
    pixelek and ManagerJosh like this.
  11. ManagerJosh

    ManagerJosh Regular Member

    Joined:
    Sep 27, 2012
    Messages:
    96
    Likes Received:
    87
    What's beyond that? I kinda felt the insults happened long ago when vBulletin 4 was released in the sorry state it was.
     
  12. s.molinari

    s.molinari Regular Member

    Joined:
    Nov 6, 2009
    Messages:
    774
    Likes Received:
    603
    Location:
    Käshofen
    Yeah. I am not sure the spiral downwards since the vB4 release will ever stop. It is just too obvious the love of the IB leadership is being put to use in other portions of the company and vB is being basically badly neglected, which over time, I suspect, will lead to its end. It is amazing to think about it, especially when vB was purchased from Jelsoft as a very strategic goal for IB overall, seeing 80% of their "verticals" for advertising are on vB forums.

    Scott
     
  13. GTB

    GTB Regular Member

    Joined:
    Jun 30, 2009
    Messages:
    1,791
    Likes Received:
    270
    It amazes me when you think how much they must have paid to purchase vBulletin. They must have thrown a lot of money down the drain since how things have gone, bet it's worth a fraction of what they paid for it from Jelsoft originally. If they ever sell and another company looks through sales records since IB owned it, what's it's now worth.

    But, and I've always thought this. I think Jelsoft was very clever when they sold vBulletin on. They knew things was changing at that time on web with social networking. Maybe they even saw a down-trend in sales and decided right time to get out and sell.
     
    ManagerJosh and ragtek like this.
  14. AWS

    AWS Administrator

    Joined:
    Feb 1, 2010
    Messages:
    1,616
    Likes Received:
    692
    Location:
    Joliet, IL U.S.A.
    First Name:
    Bob
    The patch broke the test site so I shut it off for now.
     
    pixelek, ManagerJosh and GTB like this.
  15. GTB

    GTB Regular Member

    Joined:
    Jun 30, 2009
    Messages:
    1,791
    Likes Received:
    270
    The patch broke the site? lol.
     
  16. Lee G

    Lee G Regular Member

    Joined:
    May 2, 2014
    Messages:
    165
    Likes Received:
    33
    Location:
    Costa Blanca Spain
    First Name:
    Lee
    Probably why mark aint updated his test site yet then :D

    I hope you did a jira (or what ever the silly thing is called) report :D
     
  17. GTB

    GTB Regular Member

    Joined:
    Jun 30, 2009
    Messages:
    1,791
    Likes Received:
    270
    Could it not be related to Bob running it on a Windows based server.
     
  18. AWS

    AWS Administrator

    Joined:
    Feb 1, 2010
    Messages:
    1,616
    Likes Received:
    692
    Location:
    Joliet, IL U.S.A.
    First Name:
    Bob
    No it's not that. I removed the patch and site works. It almost makes it look like they put a patch to shutdown vbulletin 5 until they find an actual fix.
     
  19. GTB

    GTB Regular Member

    Joined:
    Jun 30, 2009
    Messages:
    1,791
    Likes Received:
    270

    Don't know, seems odd that. Because they posted the patch and make no mention about it closing forums down once installed. Which I'm pretty sure they'd say if it did that as a warning of what the patch will do, effectively make your board unusable.

    http://www.vbulletin.com/forum/foru...r-vbulletin-5-0-4-5-0-5-5-1-0-5-1-1-and-5-1-2

     
  20. AWS

    AWS Administrator

    Joined:
    Feb 1, 2010
    Messages:
    1,616
    Likes Received:
    692
    Location:
    Joliet, IL U.S.A.
    First Name:
    Bob
    Well something is definitely wrong. I uploaded the patch again and turned the site on. This what you see which is a generic error which vbulletin has always had.

    Code:
    Critical Error
    
    We are currently experiencing technical difficulties. Please check back in 24 hours.
    The admincp works fine. Frontend is that error.
     

Share This Page