New Security Issue in VB?

Discussion in 'vBulletin Discussions' started by Autopilot, Aug 24, 2013.

  1. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
    This was just posted on the VB board (yesterday?) and I guess the obvious question is can someone actually sign themselves up as admin?

    What would cause a hole like this if it's possible?

     
  2. thebrad

    thebrad Regular Member

    Joined:
    Jun 29, 2013
    Messages:
    172
    Likes Received:
    18
    Location:
    Liverpool
    There must be some hack he is using to make himself admin you can't just do that... seriously some pro hacker must of done this or its possible this guy could be lying i don't know though.
     
  3. Dan Hutter

    Dan Hutter aka Big Dan

    Joined:
    Jul 20, 2006
    Messages:
    1,412
    Likes Received:
    515
    Location:
    New York
    I'd look at sever security problems too. They could have changed their usergroup via mySQL.
     
  4. djbaxter

    djbaxter Regular Member

    Joined:
    Jul 4, 2009
    Messages:
    261
    Likes Received:
    162
    Location:
    Ottawa ON Canada
    What's the link to the vB.com thread?
     
  5. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
  6. Paul M

    Paul M Dr Pepper Addict

    Joined:
    Jun 16, 2009
    Messages:
    449
    Likes Received:
    136
    Location:
    Nottingham, UK
    Sounds like they managed to run an SQL query.
    While I havent looked at the code recently, I dont think you could run the normal registration code without it storing the IP address.
     
    Brandon likes this.
  7. dandanch

    dandanch Regular Member

    Joined:
    Jul 12, 2013
    Messages:
    38
    Likes Received:
    18
    That same thing happen to my friends site on friday, not once but twice, so yes
    there is some kind of exploit..
     
  8. Paul M

    Paul M Dr Pepper Addict

    Joined:
    Jun 16, 2009
    Messages:
    449
    Likes Received:
    136
    Location:
    Nottingham, UK
    An exploit has been confirmed today, via the upgrader code. It affects 4.1, 4.2 & 5.0.

    The easy prevention is to delete the "install" folder once you have installed, its not needed for day to day running.
     
    dandanch and djbaxter like this.
  9. BamaStangGuy

    BamaStangGuy Administrator

    Joined:
    Jun 23, 2009
    Messages:
    769
    Likes Received:
    549
    Location:
    Huntsville, AL
    The hash for the customer id was in the HTML source and they have no idea why because no one knows what the [****][****][****][****] they are doing at that company anymore. I don't know how many more fails some of you need to get your hard work off of vBulletin and on to a software that actually gives a shit about working for you.
     
    Mike Edge likes this.
  10. KW802

    KW802 Regular Member

    Joined:
    May 29, 2009
    Messages:
    163
    Likes Received:
    102
    For the curious, here's the vB announcement thread...

    http://www.vbulletin.com/forum/foru...l-vbulletin-exploit-vbulletin-4-1-vbulletin-5

     
  11. dandanch

    dandanch Regular Member

    Joined:
    Jul 12, 2013
    Messages:
    38
    Likes Received:
    18
    @BamaStangGuy please my friend don't think because your on some other forum software your shit can't be hacked. It's just a matter of time before those [****][****][****][****][****][****][****] find some kind of exploit on the software your running.
     
    Superboy and djbaxter like this.
  12. Paul M

    Paul M Dr Pepper Addict

    Joined:
    Jun 16, 2009
    Messages:
    449
    Likes Received:
    136
    Location:
    Nottingham, UK
    Oh look, what a surprise, the same old moronic record played again, by the same old muppet. No surprise I guess since all you can do on a day to day basis is slag off IB and and its staff. Why dont you go and post in Freddies farewell post about how he no no clue what the [****][****][****][****] he was doing. Im sure he'll be pleased to hear from you, or better still just shut the [****][****][****][****] up.
     
    Superboy, djbaxter and GTB like this.
  13. BamaStangGuy

    BamaStangGuy Administrator

    Joined:
    Jun 23, 2009
    Messages:
    769
    Likes Received:
    549
    Location:
    Huntsville, AL
    Thanks for the reply. Until your company acknowledges the complete and utter incompetence that you and the rest of the staff there have shown I'll continue to point it out where I see fit. It's good to know you are finally getting frustrated though. I don't blame you. It must be tough as [****][****][****][****] to work for vBulletin these days.

    Try not to take it out on the license holders that pay your salary though. I still have my fair share of vBulletin licenses and still have to deal with your company in the process of moving on to better software.

    P.S. Adding me to your ignore list will help the "shut the [****][****][****][****] up" part of your statement. You might be impressed by how well it works compared to vBulletin. :)
     
    Last edited: Aug 27, 2013
    Code Monkey, Big al and Autopilot like this.
  14. BamaStangGuy

    BamaStangGuy Administrator

    Joined:
    Jun 23, 2009
    Messages:
    769
    Likes Received:
    549
    Location:
    Huntsville, AL
    I am under no delusions. It is a different story, however, when the security exploits are found in software where the company has shown complete disregard for customer satisfaction in every aspect of their business.
     
  15. Alfa1

    Alfa1 Regular Member

    Joined:
    Jul 24, 2009
    Messages:
    303
    Likes Received:
    196
    Are you the new Xtreme marketing guy at vbulletin now?
     
  16. CM30

    CM30 Regular Member

    Joined:
    Jul 1, 2012
    Messages:
    901
    Likes Received:
    500
    Just... wow. That's an extremely unprofessional way to be talking to customers on another website, and it's something that makes me real glad I switched from vBulletin when I did.
     
    Code Monkey and Big al like this.
  17. GTB

    GTB Regular Member

    Joined:
    Jun 30, 2009
    Messages:
    1,791
    Likes Received:
    270
    Well said. There's another MUPPET above this post as well, that Super Mario clown..
     
  18. Paul M

    Paul M Dr Pepper Addict

    Joined:
    Jun 16, 2009
    Messages:
    449
    Likes Received:
    136
    Location:
    Nottingham, UK
    I'm a member of this forum as a Forum Administrator, my forum has no customers.
    If you switched away from vbulletin then why are you even in a vBulletin discussion forum.
     
    djbaxter likes this.
  19. BamaStangGuy

    BamaStangGuy Administrator

    Joined:
    Jun 23, 2009
    Messages:
    769
    Likes Received:
    549
    Location:
    Huntsville, AL
    You represent vBulletin especially when you come in vBulletin threads about vBulletin exploits and provide insight into vBulletin issues from a vBulletin employees view point.

    When you want to lose your shit and tell me to [****][****][****][****] off, shut the [****][****][****][****] up or whatever your heart desires, your vBulletin staff title just doesn't disappear.

    I actually like you. That might shock you but I admire what you have done for vBulletin.org and have used many of your plugins. However, you are the worst when it comes to interacting with people and so many people have pointed it out. You might not give a [****][****][****][****] but don't be surprised when you get push back over and over again over it.

    If you don't like what I say about your company then ignore me. If you don't like me pointing out how god [****][****][****][****]ing awful your company is then ignore me.

    Please, ignore me and ignore the growing number of people that despise how your company has ruined a great thing and shit on their customers.

    Ignore it. Take Bob Brisco's lead and just never try to interact with customers. Enjoy getting the paycheck and stop being a douche to customers because you are tired of reading how much they hate the company you work for. Ignore me. Please.
     
    Last edited: Aug 27, 2013
    Big al and Autopilot like this.
  20. djbaxter

    djbaxter Regular Member

    Joined:
    Jul 4, 2009
    Messages:
    261
    Likes Received:
    162
    Location:
    Ottawa ON Canada
    Let's try to get this thread back on topic...

     
    Brandon and Eric Lyon like this.

Share This Page