For vBulletin 3.x Boards: Weak Password Hash Decryption Patch

Discussion in 'vBulletin Discussions' started by Mikey, Mar 23, 2010.

  1. Mikey

    Mikey Mikeylicio.us

    This is an untested (due to lack of documentation available) patch for board owners of the forum software vBulletin versions 3.7.6 and up, and vBulletin 3.8.x and up. Please note that I have not taken a look at the 4.0.x patch, so no clue if this works for 4.0.x board owners with a now-expired license who can't upgrade.

    Disclaimer: As this is untested, it's also not supported, we do what we can. vBulletin will not support this modification, so be smart: Upgrade via the normal path, and/or patch if possible. And for **** sake: BACKUP your database AND your files.

    The wetalk.network grants distribution of these instructions, pending it was asked first, and that a link back to this thread is included for proper credits.

    Original source: For vBulletin 3.x Boards: Weak Password Hash Decryption Patch - vbfans.com
    Original announcement from vBulletin.com: Security Fix Releases 3.7.7 and 4.0.2 PL 2

    Instructions:

    Download: 37_38_security_patch_weak_passwords_hash_decryption.txt

    There we go :) I hope that helps a few people who decide not to, or can't, upgrade and still care about security patch a security issue with their 3.7 / 3.8 board. But if you ask me, this does NOT fix the actual issue. If they can decrypt the hash, they need the salt, but it shouldn't matter if this is 3 or 30 characters long. They would then already have it. They just need a larger rainbow table to check against.

    Special note for vBulletin 4 users who haven't patched or upgraded yet: At this point I would hold off, the define I read in the php file is set to 3 still. I suspect "another" fix to follow soon.
     
  2. Abomination

    Abomination Zealot

    How is Floris involved? Thought this was downloadable from vb.com?

    :confused:
     
  3. Mikey

    Mikey Mikeylicio.us

    This is for people with expired licenses, vb.com didn't patch 3.8.5, only vb4.
     
  4. Abomination

    Abomination Zealot

  5. Nick

    Nick Regular Member

    If 3.8.5 doesn't include the patch, then I wonder why they mentioned this:

    Quite misleading, if you ask me. :shrug:
     
  6. kneel

    kneel Regular Member

    That's what I was gonna ask... in the nicest way... not trying to sound like a prick... I'm just a huge fan of vb and this sparks my interest.
     
  7. Brandon

    Brandon Regular Member

    looks like inet dropped the ball again
    leave it up to the community to clean up after them ;)
    I'll just upgrade to 3.8.5.
     
  8. Mikey

    Mikey Mikeylicio.us

    Copy/paste fail, unintentional, I've attached the patch now.

    Basically, there was a patch to vB3.8.4/5 which IB told no one about, and expired owned license holders cannot access the patch, so Floris (owner of vbfans) has made his own patch free to all; it isn't the same one INET made, but it does the same job.

    Edit: Floris has gone into greater detail on the company's forums: http://www.vbulletin.com/forum/show...-expiring...&p=1951245&viewfull=1#post1951245
     
  9. MordyT

    MordyT Grand Master

    Patched, thanks!
     
  10. Paul M

    Paul M Dr Pepper Addict

    3.8.5 does include this change, and always has. They then ported it to other versions.

    What they apparently didn't consider (or at least didn't mention) is what happens if you have 3.8.4, but no access to 3.8.5 (or indeed, if you have 3.7.6 and no access to 3.7.7 either).
     
  11. Nick

    Nick Regular Member

    That post of mine was in response to post #3:

     
