Another Security Exploit Patched in versions 3.5, 3.6, 3.7, 3.8, 4.X, 5.X of vBulletin

Discussion in 'vBulletin Discussions' started by ManagerJosh, Mar 13, 2014.

  1. ManagerJosh (Regular Member)
  2. Peace (Regular Member)
    The patch was certainly easy enough, but I'm curious as to what the exploit actually was?
     
  3. Autopilot (Regular Member)
    To quote Luke Wayne,
    One could conclude they don't want anyone to know what the details are UNTIL AFTER customers have gone through the trouble and cost of the update.
    Imagine, after all the years that 3 and 4 have been around, they are still finding mysterious security holes in the code. ROFLMAO. I think the only secure action any admin can do is not to run the software.
    Conspiracy theorists might speculate this as a scare tactic to get people off the fence and upgrade.
     
  4. Autopilot (Regular Member)
  5. Autopilot (Regular Member)
    Quotes worth noting from the above OpenSuse article
    Recommendations for vB site admins
     
  6. Autopilot (Regular Member)
    Further sleuthing found a report by Luke Wayne made Jan 3, 2014 about a Yahoo issue:
    YUI Security Issue found in uploader.swf
    Why were they still using a vulnerability reported back in Nov 2013 in a YUI Security Bulletin???
    Timeline: YUI reports the vulnerability in Nov 2013; vB doesn't report it until Jan 2014.
    Here he is explicit about the exploit and how to fix it, and one could only speculate that is because this one isn't the fault of vB???
     
  7. BamaStangGuy (Administrator)
    It had to do with http://php.net/manual/en/function.unserialize.php and user-generated content. The patch uses json_decode() instead.

     
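The post above names the pattern (unserialize() on user-controlled bytes, replaced by json_decode()) without showing it. The following is an added example by the editor, not vBulletin's code and not part of the thread: a hypothetical `LogWriter` class with a magic method, a "before" loader that feeds a cookie to unserialize(), and an "after" loader that uses json_decode() and whitelists the shape. The class, the cookie format and the serialized payload are all constructed for illustration; it assumes PHP 8 (json_decode() with JSON_THROW_ON_ERROR needs 7.3+, the `allowed_classes` option 7.0+).

```php
<?php
declare(strict_types=1);
// Added example, not vBulletin's code: unserialize() on user input beside the
// json_decode() replacement. LogWriter, Sink, the cookie format and the
// payload are hypothetical; assumes PHP 8.

// Some class that exists in the application and has a magic method.
// unserialize() will instantiate it on the attacker's say-so, with
// attacker-chosen property values; __destruct() then runs unasked.
class LogWriter
{
    public string $path = '/tmp/app.log';
    public string $line = '';

    public function __destruct()
    {
        // Stand-in for a file write / include / DB call using these values.
        Sink::$calls[] = "write '{$this->line}' to {$this->path}";
    }
}

final class Sink
{
    /** @var string[] */
    public static array $calls = [];
}

/** Before: user-controlled bytes go straight into unserialize(). */
function loadPrefsVulnerable(string $cookie): mixed
{
    return @unserialize($cookie);
}

/** After: json_decode() yields only arrays/scalars; the shape is then whitelisted. */
function loadPrefsHardened(string $cookie): array
{
    $prefs = json_decode($cookie, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($prefs)) {
        throw new InvalidArgumentException('prefs must be a JSON object');
    }
    return [
        'theme'    => is_string($prefs['theme'] ?? null) ? $prefs['theme'] : 'default',
        'per_page' => is_int($prefs['per_page'] ?? null) ? max(1, min(100, $prefs['per_page'])) : 20,
    ];
}

// Constructed attacker cookie: a serialized LogWriter with attacker-picked fields.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:14:"/tmp/pwned.txt";s:4:"line";s:4:"evil";}';

$obj = loadPrefsVulnerable($payload);
var_dump($obj instanceof LogWriter);   // the attacker chose which class was built
unset($obj);                           // __destruct() fires with attacker data
print_r(Sink::$calls);

try {
    loadPrefsHardened($payload);       // the same bytes are simply invalid JSON
} catch (JsonException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
print_r(loadPrefsHardened('{"theme":"dark","per_page":50}'));

// If unserialize() cannot be removed outright, PHP >= 7.0 can at least refuse to
// build application classes; the result is a __PHP_Incomplete_Class with no magic methods.
var_dump(unserialize($payload, ['allowed_classes' => false]) instanceof __PHP_Incomplete_Class);
```

The point of the json_decode() swap is that JSON has no notion of a class: with `$associative = true` the decoder can only ever hand back arrays and scalars, so no application object (and no __wakeup/__destruct/__toString) runs on attacker-supplied data. The whitelist after decoding is what makes the values safe to use; the decoder alone only makes them safe to parse.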
  8. BirdOPrey5 (#Awesome)
    There is no indication (nor is it likely) this exploit was the cause of the Open Suse hack. Open Suse was running an old/unpatched version of VBSEO according to what I read.

    If it was the result, wouldn't we have seen a bunch of high-profile vBulletin sites hacked if it was widely known?
     
  9. Joeychgo (Regular Member)
  10. Autopilot (Regular Member)
    You base this on what assumption?

    Irrelevant; it was reported as a vB vulnerability, not an outdated VBSEO.

    vB's vulnerability to hacks IS widely known. Except to vB and its devs, apparently, and whoever refused to acknowledge OpenSuse's report of same.
     
  11. BirdOPrey5 (#Awesome)
    Legal reasons: can we even republish the property of Yahoo? Can the author of the fix even give us permission to redistribute their changes? It's too messy.
     
  12. BirdOPrey5 (#Awesome)
    Your post is irrelevant; it was reported to be a VBSEO issue.

    You see what I did there?
     
  13. ManagerJosh (Regular Member)
    Who reported it as a vBSEO and how can one be certain it is a vBSEO issue and not a vBulletin issue?
     
  14. Autopilot (Regular Member)
    Yes I see, you twisted the facts (as usual) to deny vB was the reported problem and shifted the blame on VBSEO. So what else is new?
     
  15. Cerberus (Admin Talk Staff)
    I thought we went over this already. It was proven OpenSuse was done via a vBulletin exploit, not VBSEO. And it's still out there in the wild. I have no idea why they are holding on to it, but who knows what they are planning.
     
  16. eva2000 (Regular Member)
    Unfortunately, there still seems to be confusion. OpenSUSE folks themselves reported the compromise came from vBSEO on their own forums: http://forums.opensuse.org/showthread.php/494263-Web-interface-is-offline (post dated Jan 7, 2014).

     
  17. we_are_borg (Regular Member)
    I would read the quote again.

    For your information, the answer is in the first line: the vBSEO attack was the second attack; it was straight after the first attack. I know that I and others warned in another topic that there were still exploits open in the code after vBulletin said it's vBSEO. There was talk that there were 4 confirmed exploits in vBulletin; this was around December 2013. If it's 4 and let's say they're discovered, then we have found 3 at the moment: the first the swf, the second is what we have now, and the other was the install folder.
     
  18. BirdOPrey5 (#Awesome)
    How can you be certain it was a vBulletin issue?
     
  19. Autopilot (Regular Member)
    The confusion is on you, as the report I linked to was Jan 9, 2014, 2 days AFTER the report you linked to, and the latter one points the finger at vB, not VBSEO.
    As I don't and never did use VBSEO, their debacle is of no interest to me.
     
  20. eva2000 (Regular Member)
    Well, it could have been both, from my own experience at that time.

    I cleaned up a number of vB forums (other clients, not opensuse) which had been compromised by both the /install hack as well as previous vbseo exploits, and some compromises (vbseo) were done by multiple hackers dating several months back, before the /install hack was done.

    Some were even compromised via different sites and apps on the same server, i.e. a compromised wordpress blog with a hacker-inserted adminer MySQL app. It would query and insert malicious code into the databases on the server, one of which was the vB database. So you'd end up cleaning the vB instance multiple times and still get reinfected, as the exploit wasn't actually from vB itself. Other times hackers would replicate the entire compromised vB file structure or wordpress file structure in a hidden public web-accessible directory or multiple directories, so even if you had only uploaded a clean copy of vB files but didn't nuke the existing directory and start fresh, the hacker could still get in.

    It was the motivation for my clean-up guide to check the entire server instead of just the vB instance, at http://vbtechsupport.com/2355/
     
    Last edited: Mar 15, 2014
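The post above describes why uploading clean vB files over a compromised tree is not enough: extra files in hidden directories, a dropped database tool, and PHP files in upload directories all survive that kind of clean-up. The following is an added example by the editor, not part of the thread and not the linked guide's code: a small PHP audit that hashes every file under a deployed web root (dot-directories included), compares it with a pristine copy of the same release, and lists extra, modified and missing files plus web-executable files under directories that should only hold uploads. The directory names, the upload-directory list and the sample trees it builds in a temp directory are constructed for illustration; it assumes PHP 8.

```php
<?php
declare(strict_types=1);
// Added example, not vBulletin code and not from the thread: compare a deployed
// forum tree against a pristine copy of the same release and list what an
// "upload clean files over the top" clean-up would miss. Directory names, the
// upload-directory list and the sample trees are hypothetical/constructed.

/** Relative path => sha256 for every regular file under $root, dotfiles and dot-dirs included. */
function fileManifest(string $root): array
{
    $root = rtrim((string) realpath($root), DIRECTORY_SEPARATOR);
    $manifest = [];
    // SKIP_DOTS only drops "." and ".."; hidden entries such as .cache/ are still walked.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $path => $info) {
        if ($info->isFile()) {
            $manifest[substr($path, strlen($root) + 1)] = hash_file('sha256', $path);
        }
    }
    ksort($manifest);
    return $manifest;
}

/**
 * Findings: files only in the live tree, files whose content changed, files
 * missing from live, and web-executable files under directories that should
 * only ever hold uploads/static content (list is a hypothetical default).
 */
function auditTree(string $deployed, string $clean, array $uploadDirs = ['images', 'attachments', 'customavatars']): array
{
    $live = fileManifest($deployed);
    $ref  = fileManifest($clean);

    $extra    = array_keys(array_diff_key($live, $ref));
    $missing  = array_keys(array_diff_key($ref, $live));
    $modified = [];
    foreach (array_intersect_key($live, $ref) as $rel => $hash) {
        if ($hash !== $ref[$rel]) {
            $modified[] = $rel;
        }
    }
    $executableUploads = [];
    foreach (array_keys($live) as $rel) {
        foreach ($uploadDirs as $dir) {
            if (str_starts_with($rel, $dir . '/') && preg_match('/\.(php\d?|phtml|phar)$/i', $rel)) {
                $executableUploads[] = $rel;
            }
        }
    }
    return compact('extra', 'missing', 'modified', 'executableUploads');
}

// Constructed sample: a clean two-file release and a live copy with one modified
// file, a dropped database tool in a hidden directory and a PHP file under images/.
$tmp = sys_get_temp_dir() . '/vbaudit_' . bin2hex(random_bytes(4));
foreach (['clean', 'live/.cache', 'live/images'] as $d) {
    mkdir("$tmp/$d", 0700, true);
}
file_put_contents("$tmp/clean/index.php",  "<?php // stock index\n");
file_put_contents("$tmp/clean/global.php", "<?php // stock global\n");
file_put_contents("$tmp/live/index.php",   "<?php // stock index\n");
file_put_contents("$tmp/live/global.php",  "<?php // stock global\n// injected line\n");
file_put_contents("$tmp/live/.cache/adminer.php", "<?php // dropped DB tool stand-in\n");
file_put_contents("$tmp/live/images/avatar.php",  "<?php // webshell stand-in\n");

print_r(auditTree("$tmp/live", "$tmp/clean"));
```

Run it against the real document root and a freshly unpacked copy of the same vB release rather than against the forum directory alone; as the post notes, the re-infection source may be a neighbouring application or a duplicated tree elsewhere under the web root, and a manifest diff that starts at the vB directory would never see it. Anything reported under `extra` or `executableUploads` needs a human look before deletion; the clean answer for a compromised tree is still to rebuild from known-good files rather than to prune in place.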
