[Critical] New vBulletin 5 SQL Injection

Discussion in 'vBulletin Discussions' started by ManagerJosh, Jul 17, 2014.

  1. AWS

    AWS Administrator

    Joined:
    Feb 1, 2010
    Messages:
    1,616
    Likes Received:
    692
    Location:
    Joliet, IL U.S.A.
    First Name:
    Bob
  2. s.molinari

    s.molinari Regular Member

    Joined:
    Nov 6, 2009
    Messages:
    774
    Likes Received:
    603
    Location:
    Käshofen
    Did you read Kevin Sours' reply? He is lead dev for vB5, but he talks like someone else is or had been making the design decisions. What is up with that?:cautious:

    OMG!:eek: He is finding this revelation at this late point in the game? Flags and logic, like showing errors, belong in the controller part of MVC in the first place, not in the view, which he seems to be inferring is an issue with vB5 now.*head shaking in disbelief*

    Is it just me, or when I read the word "refactor" in terms of vBulletin, the hair on the back of my neck goes up and I get an ugly chill down my spine.:confused:

    Scott
     
  3. zappaDPJ

    zappaDPJ Regular Member

    Joined:
    May 27, 2013
    Messages:
    250
    Likes Received:
    165
    Location:
    London, England
    It's probably me being thick but I don't understand how the op in the vBulletin thread was able to resolve the problem if he's locked out of his forum in such a fashion.
     
  4. Arik

    Arik Regular Member

    Joined:
    Sep 17, 2013
    Messages:
    3
    Likes Received:
    4
    In vBulletin 5, the template is also a de facto page controller.

    The contententry template is one of the biggest offenders, with the following entry around line 249:

    Code:
    <vb:comment><!-- ------------- BEGIN TEMPLATE ------------- --></vb:comment>
     
  5. Lee G

    Lee G Regular Member

    Joined:
    May 2, 2014
    Messages:
    165
    Likes Received:
    33
    Location:
    Costa Blanca Spain
    First Name:
    Lee
    Bob had the same problem on the version he runs here.
    Let's hope Bob can answer his own fix on the problem.
     
  6. s.molinari

    s.molinari Regular Member

    Joined:
    Nov 6, 2009
    Messages:
    774
    Likes Received:
    603
    Location:
    Käshofen
    So vB5 is an MV system? LOL!:rolleyes::ROFL::whistle:

    Scott
     
  7. ManagerJosh

    ManagerJosh Regular Member

    Joined:
    Sep 27, 2012
    Messages:
    96
    Likes Received:
    87
    More like MC system... (model crud)
     
  8. AWS

    AWS Administrator

    Joined:
    Feb 1, 2010
    Messages:
    1,616
    Likes Received:
    692
    Location:
    Joliet, IL U.S.A.
    First Name:
    Bob
    While you can't access the frontend, you can log in to the admincp. Asinine that it doesn't work as it used to. Guess what worked for 10 years wasn't good enough.
     
    zappaDPJ likes this.
  9. Arik

    Arik Regular Member

    Joined:
    Sep 17, 2013
    Messages:
    3
    Likes Received:
    4
    No, there's a controller layer in there, too. Where else would the output be printed from? :whistle:
     
  10. ManagerJosh

    ManagerJosh Regular Member

    Joined:
    Sep 27, 2012
    Messages:
    96
    Likes Received:
    87
    eval?
     
  11. s.molinari

    s.molinari Regular Member

    Joined:
    Nov 6, 2009
    Messages:
    774
    Likes Received:
    603
    Location:
    Käshofen
    I see what you did there.:woot:

    Tihihihi.....Dats a gud wun!:D

    Scott
     
  12. Lee G

    Lee G Regular Member

    Joined:
    May 2, 2014
    Messages:
    165
    Likes Received:
    33
    Location:
    Costa Blanca Spain
    First Name:
    Lee
  13. ManagerJosh

    ManagerJosh Regular Member

    Joined:
    Sep 27, 2012
    Messages:
    96
    Likes Received:
    87
  14. s.molinari

    s.molinari Regular Member

    Joined:
    Nov 6, 2009
    Messages:
    774
    Likes Received:
    603
    Location:
    Käshofen
    This is a clear sign of an issue with dev competency, either with the system design or with programming in general. It is not a good sign and something vB doesn't need at all. But, it all seems just par for the course. A shame really.

    Scott
     
  15. pixelek

    pixelek Regular Member

    Joined:
    Oct 9, 2013
    Messages:
    229
    Likes Received:
    85
    Location:
    Torun, Poland
    Excuse me, but I cannot believe what I read..... Excuse my strong words, warn/ban me if you like, but I just cannot express it any other way.....

    If I understand correctly, there is a hole in the vB5 code which allows an SQL injection attack to be performed..... How stupid must one be to produce code that allows that kind of activity? Where is IB's testing team?

    Two golden rules:

    1. Test your code in a lab environment before introducing it on live servers. The more tests performed, the better.
    2. Never ever add new code to existing code on a live server. It will always lead to disaster. Make the necessary changes on a server in a lab environment and then (if OK) upload it to the live server.

    I cannot even think of uploading untested code to a live server. It's something a professional programmer/coder should know, just like people know not to touch hot things (instinct)..... Not to mention I'd be quickly out of a job for uploading untested code to a live server.......but it's not really that, it's just that it cannot get into my mind even in the wildest dreams......

    It's just the thing that professional IT staff don't do......
     
  16. pixelek

    pixelek Regular Member

    Joined:
    Oct 9, 2013
    Messages:
    229
    Likes Received:
    85
    Location:
    Torun, Poland
    Nice patch then......hihi
     
  17. ManagerJosh

    ManagerJosh Regular Member

    Joined:
    Sep 27, 2012
    Messages:
    96
    Likes Received:
    87
    It wasn't just an SQL injection. They also had a cross-site request forgery (potential privilege escalation to an admin account) and another privilege escalation here (attachment.php, where you can download any attachment, bypassing the permissions model).
     
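The post above names three issue classes (SQL injection, cross-site request forgery, and an attachment download that skips the permissions model). The following is an added defensive example, not code from vBulletin or from anyone in this thread, showing the standard PHP mitigation for each; the `$pdo` connection, the `thread` and `attachment` tables, the session layout and the `$canViewPost` callback are all hypothetical.

```php
<?php
// Added defensive example (not vBulletin's code). Table names, columns, session keys
// and the $canViewPost callback are hypothetical stand-ins for a forum's real schema.

declare(strict_types=1);

// 1. SQL injection: never interpolate request data into SQL; bind it as a parameter.
function findThreadsByTitle(PDO $pdo, string $userInput): array
{
    // Weak pattern: "... WHERE title LIKE '%$userInput%'" lets the input rewrite the query.
    $stmt = $pdo->prepare(
        'SELECT threadid, title FROM thread WHERE title LIKE :needle LIMIT 50'
    );
    // Escape LIKE metacharacters so the input cannot turn the pattern into a wildcard scan.
    $needle = '%' . addcslashes($userInput, '%_\\') . '%';
    $stmt->execute([':needle' => $needle]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. CSRF: every state-changing request must carry a per-session secret that another
//    site cannot read; compare it in constant time so the check itself leaks nothing.
function issueCsrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function requireCsrfToken(array $post): void
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = (string) ($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// 3. Attachment download: look the attachment up, then check that the caller may read
//    the post it belongs to *before* streaming the file. Knowing a valid id is not
//    authorization; the permission check must run on every request, not only in the UI.
function serveAttachment(PDO $pdo, int $attachmentId, int $viewerUserId, callable $canViewPost): void
{
    $stmt = $pdo->prepare(
        'SELECT filename, postid, path FROM attachment WHERE attachmentid = :id'
    );
    $stmt->execute([':id' => $attachmentId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !$canViewPost($viewerUserId, (int) $row['postid'])) {
        // Same response for "missing" and "forbidden" so ids cannot be enumerated by status code.
        http_response_code(404);
        exit('Not found');
    }

    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . rawurlencode($row['filename']) . '"');
    readfile($row['path']);
}

// Hypothetical request flow for a download endpoint:
// session_start();
// requireCsrfToken($_POST);                 // only for state-changing POST handlers
// serveAttachment($pdo, (int) ($_GET['attachmentid'] ?? 0), (int) $_SESSION['userid'], 'canViewPost');
```

The point of the third function is the ordering: the permission callback runs between the lookup and `readfile()`, so a request that supplies someone else's attachment id gets the same 404 as a nonexistent one.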
  18. s.molinari

    s.molinari Regular Member

    Joined:
    Nov 6, 2009
    Messages:
    774
    Likes Received:
    603
    Location:
    Käshofen
    You'd be surprised, but IB does test the vB code. It's just that they obviously don't have the testing aimed at finding possible insecure code and they obviously have programmers with a lack of understanding or knowledge for secure PHP code. Now add a group of Romanians with some time on their hands and mix the three together and you have the issues you see arising now with vB5.

    Scott
     
    Last edited: Aug 4, 2014
    pixelek likes this.
  19. ManagerJosh

    ManagerJosh Regular Member

    Joined:
    Sep 27, 2012
    Messages:
    96
    Likes Received:
    87
    Could you explain their testing methodology, Scott?
     
  20. s.molinari

    s.molinari Regular Member

    Joined:
    Nov 6, 2009
    Messages:
    774
    Likes Received:
    603
    Location:
    Käshofen
    My statement is based on something Allen Lin said to me some time ago that they only do black box testing and no white box testing. That might have changed, but the security issues tell a different story and thus, I stand by my statement.

    Scott
     
