New Security Issue in VB?

Discussion in 'vBulletin Discussions' started by Autopilot, Aug 24, 2013.

  1. Dan Hutter

    Dan Hutter aka Big Dan

    Joined:
    Jul 20, 2006
    Messages:
    1,412
    Likes Received:
    515
    Location:
    New York
    I disagree Doc. I don't log in to my ACP unless I have something specific to do. I sometimes go weeks without seeing the main index page. When you edit a user from their public profile which is what I mostly do day to day you're taken directly to their ACP profile without seeing the index.
     
    Mikey and djbaxter like this.
  2. djbaxter

    djbaxter Regular Member

    Joined:
    Jul 4, 2009
    Messages:
    261
    Likes Received:
    162
    Location:
    Ottawa ON Canada
    I suppose I find it a lot faster to log in to the ACP than to try to deal with vB.com running vB5.

    Of course, the other method is to subscribe to Announcements at vBulletin.com - I think that's where I first heard of this - from an email notification.
     
    Dan Hutter likes this.
  3. Dan Hutter

    Dan Hutter aka Big Dan

    Joined:
    Jul 20, 2006
    Messages:
    1,412
    Likes Received:
    515
    Location:
    New York
    I heard it here first as a matter of fact. It's standard practice for me to delete /install/ anyhow.
     
  4. djbaxter

    djbaxter Regular Member

    Joined:
    Jul 4, 2009
    Messages:
    261
    Likes Received:
    162
    Location:
    Ottawa ON Canada
    To be honest, I always wondered why it wasn't recommended practice.
     
  5. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
    I've been running forums (BBS) since the early 80s and it has always been "recommended practice". I think it's more a case of not reading the instructions, or just a don't-care practice. Ah, the blistering speed of a 300 baud modem heating up the phone lines. Now that was speed. Actually the only blistering speed then was the quickness of $1000.00 leaving your wallet.
     
  6. djbaxter

    djbaxter Regular Member

    Joined:
    Jul 4, 2009
    Messages:
    261
    Likes Received:
    162
    Location:
    Ottawa ON Canada
    That's not true for vBulletin. Their (official) recommended practice has always been to remove install.php. I habitually also removed upgrade.php but not the whole directory. I thought there might be a reason for not doing so, i.e., that one or more other files in the directory were needed by vBulletin.
     
  7. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
    What?
    Not to be picky but I don't understand this contradiction.:eek: And I don't understand what it is you are disagreeing with in what I said. What isn't true? I've lost you there or something.:wacky:
     
  8. djbaxter

    djbaxter Regular Member

    Joined:
    Jul 4, 2009
    Messages:
    261
    Likes Received:
    162
    Location:
    Ottawa ON Canada
    You had said that deleting the /install folder was always recommended practice.

    With the current security vulnerability, vBulletin recommends deleting the entire /install folder. Previously, they only recommended/required deletion of the file install.php.
     
    Fergal and Autopilot like this.
  9. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
    OK, I gotcha now. LOL. When I said deleting the /install folder was always recommended I wasn't specifically referring to vBull's instructions but more generally: with any of the software I've run over the years this has always been recommended. In fact phpBB has it set up so that if this folder isn't removed or renamed only the ACP is accessible and the forum itself is inoperative (closed). Kinda cool because it forces the removal or renaming of the install folder.
    Maybe more systems should not rely on users doing what they should and force the removal?
    Like you I always remove or rename /install after an install.
     
    djbaxter likes this.
  10. Brandon

    Brandon Regular Member

    Joined:
    Jun 1, 2009
    Messages:
    6,602
    Likes Received:
    1,706
    Location:
    Topeka, Kansas
    First Name:
    Brandon
  11. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
    Thanks @Brandon
    Interesting indeed. Of special note is that Luke would not specify what the "potential exploit" was or that a fix was in the works. He just says we should remove the /install which 2 reports suggest this isn't the problem at all.

    While a well-experienced community said "In summary, the root cause was a combination of a compromised individual account and the configuration settings in vBulletin, the Forums application software." This has nothing to do with the /install folder which Luke is pointing the finger at. More on that can be found at the Canonical Blog.

    And Daniel Cid, chief security officer at Sucuri, clearly states "Going back to our logs, we don't see any specific scans for /core/install, but we see constant discovery requests for /install."

    One person's remedy: "Another solution would be to stop using Vbulletin and upgrade to a more modern software", which is what people here have been saying.
     
    Mikey likes this.
  12. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
    An added thought, so why is vB so closed mouthed about this yet Canonical was very detailed in what happened with them and the steps they took to fix it? They also apologized for the security breach and didn't make any effort to sweep it under the keyboard. Now that is dedication and respect to their users and the general public.
     
  13. djbaxter

    djbaxter Regular Member

    Joined:
    Jul 4, 2009
    Messages:
    261
    Likes Received:
    162
    Location:
    Ottawa ON Canada
    1. Why would you expect him to divulge information which would tell would-be hackers exactly how to exploit a security vulnerability? There are probably still hundreds of vBulletin forums out there that haven't bothered to delete the directory. Had Wayne said anything else, everyone would be up in arms complaining that he was putting even more people at risk.

    2. What 2 reports suggest that this isn't the problem?
     
  14. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
    1. He's already done that, hasn't he? He's "divulged information" that hackers can and could have gained access through /install if not removed. So yeah, he has told everyone, including hackers, where and how to get in if they have the right tools.
    2. I've linked the Canonical blog (report 1) above, and quoted from the 2nd report by Daniel Cid of the security firm Sucuri.

    In short the Canonical blog says “In summary, the root cause was a combination of a compromised individual account and the configuration settings in vBulletin, the Forums application software.” and chewing my cabbage twice, this breach is not related to /install incursion. And the security firm confirms this.
     
  15. djbaxter

    djbaxter Regular Member

    Joined:
    Jul 4, 2009
    Messages:
    261
    Likes Received:
    162
    Location:
    Ottawa ON Canada
    There are several ways of breaching vBulletin forums and most of them have nothing to do with either vBulletin or, as has been suggested repeatedly, vBSEO per se but rather poor forum and server security. I've rescued several forums hit by the redirect issue and typically what allows it to happen is

    • crappy password management (weak passwords)
    • inadequate server security
    • file and directory permissions set incorrectly
    • failure to remove permissions from former mods and admins after they leave
    • etc.
    This one was different. This was about critical customer information visible in one of the install files, as I understand it.
     
    Paul M likes this.
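The two housekeeping points the thread keeps returning to (a leftover /install directory, and file or directory permissions set incorrectly) are both things a deploy script can check mechanically, in the spirit of the phpBB behaviour Autopilot describes, where the forum refuses to open until the installer is gone. The script below is an added example and is not code from the thread, vBulletin or phpBB; the sample web root it builds is constructed for the demo, and the relative paths it looks for (install, install/install.php, install/upgrade.php, core/install) are taken from the posts above, not from any vBulletin documentation.

```bash
#!/bin/sh
# Added example: audit a forum web root for leftover installer files and
# world-writable paths, and fail if anything is found so a deploy script can
# refuse to open the forum. Paths are hypothetical; the sample root below is
# constructed for the demo.

# audit_forum_root DIR
# Prints one line per finding. Exit status 0 when clean, 1 when anything was found.
audit_forum_root() {
    root=$1
    found=0

    # 1. Leftover installer material. The thread mentions install.php and
    #    upgrade.php under /install, and the Sucuri quote mentions /core/install.
    for rel in install install/install.php install/upgrade.php core/install; do
        if [ -e "$root/$rel" ]; then
            echo "LEFTOVER   $root/$rel"
            found=$((found + 1))
        fi
    done

    # 2. Anything world-writable under the web root (POSIX: -perm -002).
    find "$root" -perm -002 -print 2>/dev/null | while IFS= read -r path; do
        echo "WRITABLE   $path"
    done
    ww=$(find "$root" -perm -002 -print 2>/dev/null | wc -l | tr -d ' ')
    found=$((found + ww))

    [ "$found" -eq 0 ]
}

# make_sample_root
# Builds a constructed web root that still has /install and a world-writable
# config file, and prints its path. Permissions are set explicitly so the
# result does not depend on the caller's umask.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/install" "$d/includes"
    chmod 755 "$d/install" "$d/includes"
    : > "$d/install/install.php"
    : > "$d/install/upgrade.php"
    : > "$d/includes/config.php"
    chmod 644 "$d/install/install.php" "$d/install/upgrade.php"
    chmod 666 "$d/includes/config.php"   # the deliberate mistake
    echo "$d"
}

# Demo: audit the constructed root, then clean it up.
sample=$(make_sample_root)
echo "Auditing constructed sample root $sample"
if audit_forum_root "$sample"; then
    echo "clean: safe to open the forum"
else
    echo "problems found: fix these before opening the forum"
fi
rm -rf "$sample"
```

Run against a real document root as `audit_forum_root /var/www/forum` from a post-deploy hook; a non-zero exit is the signal to keep the board closed, which is the mechanical equivalent of phpBB's lockout rather than relying on the admin to remember.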
  16. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
    Which one was different? As I understand the Canonical statement they didn't have install files and this was confirmed by Sucuri. And from reports I've read from customers on the vB forum who claimed they had recent hacks none have attributed or confirmed their breaches being due to having install files present.
     
    Big al likes this.
  17. djbaxter

    djbaxter Regular Member

    Joined:
    Jul 4, 2009
    Messages:
    261
    Likes Received:
    162
    Location:
    Ottawa ON Canada
    That's part of my point.

    From the Canonical blog:

    This was a direct result of lax security. Why do moderators need HTML permissions? ever? There's only one person on my forums who can use HTML anywhere and that's me. Had that forum been set up with security in mind, their vulnerability would not have existed.

    Anywhere you get to set HTML as an option or allow a usergroup to post permissions, you are warned by vBulletin that this opens a security hole. Canonical opened a security hole. Someone took advantage of that. Lesson learned for them, I hope.
     
  18. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
    Did Canonical open the security hole or was it open by default by the software?

    As you quoted from their report
    Seems to me this is the software/developers' fault for allowing this security hole to exist, and you can't say it is the end consumer's fault; hell, they probably had no clue, and still don't, that this is a problem.

    Anyway it's nice to see they finally released a security patch for vB5 (ONLY????) to fix an exploit found by their Quality Assurance team????.

    And then the next day they release a public alpha 4.2.2. This is an impressive list of fixes. Were these also found by their Quality Assurance team???

    Why are they releasing an alpha version to the public? Isn't the Quality Assurance team responsible for testing for quality before any release? I understand this is a generally accepted practice in the open source community due to lack of qualified testers, but vB/IB has a paid Quality Assurance team. Don't they????
     
  19. Paul M

    Paul M Dr Pepper Addict

    Joined:
    Jun 16, 2009
    Messages:
    449
    Likes Received:
    136
    Location:
    Nottingham, UK
    Good grief, are you still here whinging about things you don't care about.
     
  20. djbaxter

    djbaxter Regular Member

    Joined:
    Jul 4, 2009
    Messages:
    261
    Likes Received:
    162
    Location:
    Ottawa ON Canada
    No it is not the software.

    1. There are a few places where you can enable HTML if you want. In those places, you are warned that if you do so you are creating a security risk. Some forum owners choose to do that for convenience or for other reasons. They do that having been warned there is a risk. That is not software error, that is operator error. Any forum that does allow HTML should make sure that ONLY ADMINS can use it and that ONLY KNOWN AND TRUSTED MEMBERS ARE MADE ADMINS.

    2. Canonical obviously had an untrustworthy member as a moderator and they allowed that moderator to have access to an area with HTML enabled. That is foolish and foolhardy and they paid the price. I cannot think of any reason why a moderator needs access to Announcements or Notices. Again, that is operator error, not software error...

    Yes. And some licensed members like pretesting alpha and beta versions of software on a test board (not a live board), either because they enjoy alpha and beta testing (this is common for many software products, including big corporations like Microsoft), or because they are add-on coders or theme designers and want advance warning of changes so they can adjust their products. For those people, vBulletin always makes those pre-release versions available to licensed members.
     
    Mark.B and Paul M like this.