Security flaw in vBulletin 3.8.6
Seb7 | msg:4174908 | 7:12 pm on Jul 22, 2010 (gmt 0)

[bbc.co.uk]

> ...a specific version of the vBulletin software allows anyone to easily access the main administrator username and password for a site.
> This would also allow hackers to access data, such as e-mail addresses, and edit the site at will.

rocknbil | msg:4174923 | 7:36 pm on Jul 22, 2010 (gmt 0)

A clarification is in order: it can only "hack a site" if the entire site is a vBulletin forum. The vulnerability is only in the forum, not an entire site. Seems trivial, but many will see "site" and think otherwise.

slinky | msg:4175005 | 9:22 pm on Jul 22, 2010 (gmt 0)

It seems like it's all over the news now...

rogerd | msg:4175549 | 7:52 pm on Jul 23, 2010 (gmt 0)

A security patch was released on July 21, and can be downloaded by registered users:
[vbulletin.com...]

bill | msg:4175655 | 2:51 am on Jul 24, 2010 (gmt 0)

I feel fortunate not to have upgraded yet from 3.8.5. That is a hideous vulnerability to leave open. I would have expected a bit more of a mea culpa from Internet Brands.

hugh | msg:4175775 | 2:29 pm on Jul 24, 2010 (gmt 0)

vBulletin development has been a mess since Internet Brands bought Jelsoft (for more detail read the page about vBulletin on Wikipedia). So personally I'm looking for a way out, whilst secretly hoping the original team might start a new project; failing that, I might consider vBulletin 5 if IB have a handle on it by then...

hugh | msg:4175947 | 10:50 pm on Jul 24, 2010 (gmt 0)

[en.wikipedia.org]

smallcompany | msg:4176060 | 7:28 am on Jul 25, 2010 (gmt 0)

Are there better alternatives to vBulletin? I was about to buy it.

rocknbil | msg:4176185 | 6:07 pm on Jul 25, 2010 (gmt 0)

If you buy VB, you'll be buying the new 4.+ versions, which don't have these vulnerabilities. I think. Hope. :-)

smallcompany | msg:4176261 | 8:41 pm on Jul 25, 2010 (gmt 0)

Thanks.

Anyhow, is there anything as good as or better than vB? Does anyone know IP Board?

Or which free solution would be the best?

Thanks

hugh | msg:4176285 | 9:39 pm on Jul 25, 2010 (gmt 0)

> If you buy VB, you'll be buying the new 4.+ versions, which don't have these vulnerabilities. I think. Hope. :-)

Were you using version 3 previously? If so, how do the two compare? I don't see any new functionality worth upgrading for yet that isn't available in a modification, and the performance requirements have increased...

> Or which free solution would be the best?

phpBB is the most popular free alternative...

rocknbil | msg:4176768 | 5:35 pm on Jul 26, 2010 (gmt 0)

The customers I'm working with all still have older versions, and I'm applying their patches, reporting no problems so far. Some history here [webmasterworld.com] and here [webmasterworld.com] on why my clients haven't jumped to 4.+. Bottom line is that you can use "old versions" "forever" without licensing updates, but you get no support. Yet here's this patch <shrug>.

vordmeister | msg:4176845 | 7:26 pm on Jul 26, 2010 (gmt 0)

A recent change in vB licensing arrangements and a good number of forums remaining on 3 series might mean that 3 series could remain supported for some time. I certainly hope so. I'm not moving useful forums to 4 series having tested it and kept an eye on it, but I'm not moving them elsewhere either as all my URLs will change.

Others must feel exactly the same, as a mess-up in a 3 series upgrade got a mention on the WebmasterWorld homepage. For the record, it revealed database access credentials rather than passwords to the admin account. That leaves you open to more damage, but sensible server management (i.e. not allowing database access from remote machines) could have reduced the risk. Not upgrading for a few days after an update is the best security measure; there are always patches.
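vordmeister's mitigation (do not let the database accept connections from remote machines) is something you can check mechanically rather than by eye. The script below is an added example for this thread, not code from vBulletin or from any poster: it parses the `[mysqld]` section of a my.cnf-style file for `bind-address` / `skip-networking`, and scans `(User, Host)` pairs of the kind `SELECT User, Host FROM mysql.user` returns, flagging anything that a client off the box could use. The config text and the grant lists are constructed samples; the "weak" pair shows the exposed state and the "hardened" pair the corrected one.

```python
"""Audit a MySQL/MariaDB server for database access reachable from remote hosts.

Added example (not from the thread or from vBulletin). The my.cnf text and the
(user, host) grant lists are constructed samples; on a real server read the
option file from disk and feed in the rows of `SELECT User, Host FROM mysql.user`.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample: a [mysqld] section that listens on every interface.
WEAK_MY_CNF = """
[mysqld]
user = mysql
port = 3306
bind-address = 0.0.0.0   # exposed to any host that can reach port 3306
datadir = /var/lib/mysql
"""

# The same section corrected so only local clients can connect.
HARDENED_MY_CNF = """
[mysqld]
user = mysql
port = 3306
bind-address = 127.0.0.1
datadir = /var/lib/mysql
"""

# Constructed (User, Host) rows. '%' is the MySQL wildcard for "any host".
WEAK_GRANTS = [("root", "localhost"), ("vbuser", "%"), ("backup", "10.0.%")]
HARDENED_GRANTS = [("root", "localhost"), ("vbuser", "localhost"), ("backup", "127.0.0.1")]

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# option name, optional "= value"; MySQL treats '-' and '_' in names as equivalent
_SETTING = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*(?:=\s*(.*?))?\s*$")


def parse_mysqld_section(cnf_text: str) -> Dict[str, Optional[str]]:
    """Return option -> value for the [mysqld] section; bare flags map to None."""
    settings: Dict[str, Optional[str]] = {}
    section = None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        m = _SETTING.match(line)
        if m:
            settings[m.group(1).replace("-", "_").lower()] = m.group(2)
    return settings


def audit_listener(cnf_text: str) -> List[str]:
    """Findings about the TCP listener; an empty list means only local clients can connect."""
    s = parse_mysqld_section(cnf_text)
    if "skip_networking" in s:
        return []  # TCP listener disabled, only the Unix socket remains
    bind = s.get("bind_address")
    if bind is None:
        return ["bind-address not set: server listens on all interfaces by default"]
    if bind.strip() in LOCAL_HOSTS:
        return []
    return [f"bind-address = {bind}: reachable from remote hosts"]


def audit_user_hosts(grants: Sequence[Tuple[str, str]]) -> List[str]:
    """Flag accounts whose Host column permits logins from anywhere but the local machine."""
    return [f"{user}@{host}: account may log in from remote hosts"
            for user, host in grants if host not in LOCAL_HOSTS]


def audit(cnf_text: str, grants: Sequence[Tuple[str, str]]) -> Dict[str, List[str]]:
    return {"listener": audit_listener(cnf_text), "accounts": audit_user_hosts(grants)}


def is_locked_down(cnf_text: str, grants: Sequence[Tuple[str, str]]) -> bool:
    """True when neither the listener nor any account is reachable from off the box."""
    r = audit(cnf_text, grants)
    return not r["listener"] and not r["accounts"]


if __name__ == "__main__":
    for label, cnf, grants in (("weak", WEAK_MY_CNF, WEAK_GRANTS),
                               ("hardened", HARDENED_MY_CNF, HARDENED_GRANTS)):
        print(label, audit(cnf, grants))
```

Both checks matter: a loopback `bind-address` stops remote TCP connections, but an account with `Host = '%'` would become reachable again the moment someone widens the listener, so leaked credentials are least useful when the account itself is pinned to `localhost`.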

hugh | msg:4177034 | 2:17 am on Jul 27, 2010 (gmt 0)

> Bottom line is that you can use "old versions" "forever" without licensing updates, but you get no support.

Given how good and thoroughly well tested vBulletin 3.8.4 and 3.8.5 are, buying a second-hand copy is an option...

smallcompany | msg:4177068 | 4:02 am on Jul 27, 2010 (gmt 0)

What's the problem with version 4 (if starting a new forum)?

rocknbil | msg:4177438 | 6:22 pm on Jul 27, 2010 (gmt 0)

Cost. Per the threads above, it felt as though we were - even as paying licensed customers - being throttled into buying an expensive upgrade while trying to execute due diligence by keeping versions up to date. For some applications, where the forums are just hobbyist or supplemental add-ons, it would not be cost effective to invest in it (think it was about $400?).

vordmeister | msg:4177440 | 6:23 pm on Jul 27, 2010 (gmt 0)

The initial worries about vB4 were the change in pricing structure and the rush to release that led to a lot of bugs. Those seem to be gradually being sorted.

Apparently styles in vB4 are difficult to modify, it is database intensive and slower than vB3 (though Shawn Hogan has published modifications to improve this), and it doesn't support IE6. vB3 has advantages over vB4 for many.

smallcompany | msg:4177452 | 6:52 pm on Jul 27, 2010 (gmt 0)

Thanks.

Cost is not my worry as this would be for the site that makes money.

What worries me is:

- SEO friendliness
- security
- easiness of forum management
- making it part of existing static website (can be subdomain or subfolder, no complicated integration, just using existing domain and site)
- possibility of extending it so people can run their blogs or similar (I see vB 4 has it in its suite, and I see IP Board has forum and blog as separate packages)

I'm not attached to any, and I welcome other solutions as well. I don't care if it's $200 or $2,000.

I just care about getting a good platform.

Thanks

P.S.
Yes, I would hate to see me spending $500 and figuring some free open source would do it better. Uncertainty is what is stopping me.

rowan194 | msg:4177575 | 10:52 pm on Jul 27, 2010 (gmt 0)

I did a little hunting with Google and after a few minutes found details of the "hack." I thought it may have been some sort of PHP injection to force it to reveal an arbitrary variable, but it is surprisingly simple.

Thankfully my version doesn't seem to be affected; I tried both the "hack" method and checking the particular install file for certain strings.

My db server disallows remote logins anyway; the worst that could have happened is they would be able to see the (unique) user/pass for vBulletin...

hugh | msg:4211393 | 5:40 am on Oct 5, 2010 (gmt 0)

> vBulletin development has been a mess since Internet Brands bought Jelsoft (for more detail read the page about vBulletin on Wikipedia). So personally I'm looking for a way out, whilst secretly hoping the original team might start a new project; failing that, I might consider vBulletin 5 if IB have a handle on it by then...

Seems a new project has been in the works after all...

[webmasterworld.com...]

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved