Security flaw in vBulletin 3.8.6

7:12 pm on Jul 22, 2010 (gmt 0) - Preferred Member (joined Nov 20, 2007)

[bbc.co.uk]

> ...a specific version of the vBulletin software allows anyone to easily access the main administrator username and password for a site.
> This would also allow hackers to access data, such as e-mail addresses, and edit the site at will.
7:36 pm on July 22, 2010 (gmt 0) - rocknbil, Senior Member (joined Nov 28, 2004)

A clarification is in order: it can only "hack a site" if the entire site is a vBulletin forum. The vulnerability is only in the forum, not in the entire site. Seems trivial, but many will see "site" and think otherwise.
9:22 pm on July 22, 2010 (gmt 0) - New User (joined Apr 30, 2009)

It seems like it's all over the news now...
7:52 pm on July 23, 2010 (gmt 0) - rogerd, Administrator (joined Aug 2, 2000)

A security patch was released on July 21, and can be downloaded by registered users:
[vbulletin.com...]
2:51 am on July 24, 2010 (gmt 0) - bill, Administrator from JP (joined Oct 12, 2000)

I feel fortunate not to have upgraded yet from 3.8.5. That is a hideous vulnerability to leave open. I would have expected a bit more of a mea culpa from Internet Brands.
2:29 pm on July 24, 2010 (gmt 0) - Junior Member (joined Jan 10, 2007)

vBulletin development has been a mess since Internet Brands bought Jelsoft (for more detail, read the page about vBulletin on Wikipedia). So personally I'm looking for a way out, whilst secretly hoping that the original team might start a new project; failing that, I might consider vBulletin 5 if IB have a handle on it by then...
10:50 pm on July 24, 2010 (gmt 0) - Junior Member (joined Jan 10, 2007)

7:28 am on July 25, 2010 (gmt 0) - Senior Member (joined June 2, 2006)

Are there better alternatives to vBulletin? I was about to buy it.
6:07 pm on July 25, 2010 (gmt 0) - rocknbil, Senior Member (joined Nov 28, 2004)

If you buy VB, you'll be buying the new 4.+ versions, which don't have these vulnerabilities. I think. Hope. :-)
8:41 pm on July 25, 2010 (gmt 0) - Senior Member (joined June 2, 2006)

Thanks.

Anyhow, is there anything as good as or better than vB? Does anyone know IP Board?

Or which free solution would be the best?

Thanks
9:39 pm on July 25, 2010 (gmt 0) - Junior Member (joined Jan 10, 2007)

> If you buy VB, you'll be buying the new 4.+ versions, which don't have these vulnerabilities. I think. Hope. :-)

Were you using version 3 previously? If so, how do the two compare? I don't see any new functionality worth upgrading for yet that isn't available in a modification, and the performance requirements have increased...

> Or which free solution would be the best?

phpBB is the most popular free alternative...
5:35 pm on July 26, 2010 (gmt 0) - rocknbil, Senior Member (joined Nov 28, 2004)

The customers I'm working with all still have older versions, and I'm applying their patches, reporting no problems so far. Some history here [webmasterworld.com] and here [webmasterworld.com] on why my clients haven't jumped to 4.+. Bottom line is that you can use "old versions" "forever" without licensing updates, but you get no support. Yet here's this patch <shrug>.
7:26 pm on July 26, 2010 (gmt 0) - Preferred Member (joined Mar 12, 2004)

A recent change in vB licensing arrangements and a good number of forums remaining on 3 series might mean that 3 series could remain supported for some time. I certainly hope so. I'm not moving useful forums to 4 series having tested it and kept an eye on it, but I'm not moving them elsewhere either as all my URLs will change.

Others must feel exactly the same, as a mess-up in a 3 series upgrade got a mention on the WebmasterWorld homepage. For the record, it revealed database access credentials rather than passwords to the admin account. That leaves you open to more damage, but sensible server management (i.e. not allowing database access from remote machines) could have reduced the risk. Not upgrading for a few days after an update is the best security measure; there are always patches.
2:17 am on July 27, 2010 (gmt 0) - Junior Member (joined Jan 10, 2007)

> Bottom line is that you can use "old versions" "forever" without licensing updates, but you get no support.

Given how good and thoroughly well tested vBulletin 3.8.4 and 3.8.5 are, buying a second-hand copy is an option...
4:02 am on July 27, 2010 (gmt 0) - Senior Member (joined June 2, 2006)

What's the problem with version 4 (if starting a new forum)?
6:22 pm on July 27, 2010 (gmt 0) - rocknbil, Senior Member (joined Nov 28, 2004)

Cost. Per the threads above, it felt as though we were - even as paying licensed customers - being throttled into buying an expensive upgrade while trying to execute due diligence by keeping versions up to date. For some applications, where the forums are just hobbyist or supplemental add-ons, it would not be cost effective to invest in it (I think it was about $400?).
6:23 pm on July 27, 2010 (gmt 0) - Preferred Member (joined Mar 12, 2004)

The initial worries about vB4 were the change in pricing structure and the rush to release that led to a lot of bugs. Those seem to be gradually being sorted.

Apparently styles in vB4 are difficult to modify, it is database intensive and slower than vB3 (though Shawn Hogan has published modifications to improve this), and it doesn't support IE6. vB3 has advantages over vB4 for many.
6:52 pm on July 27, 2010 (gmt 0) - Senior Member (joined June 2, 2006)

Thanks.

Cost is not my worry as this would be for the site that makes money.

What worries me is:

- SEO friendliness
- security
- easiness of forum management
- making it part of existing static website (can be subdomain or subfolder, no complicated integration, just using existing domain and site)
- possibility of extending it so people can run their blogs or similar (I see vB 4 has it in its suite, and I see IP Board has forum and blog as separate packages)

I'm not attached to any, and I welcome other solutions as well. I don't care if it's $200 or $2,000.

I just care about getting a good platform.

Thanks

P.S.
Yes, I would hate to see myself spending $500 and then figuring out that some free open-source package would do it better. Uncertainty is what is stopping me.
10:52 pm on July 27, 2010 (gmt 0) - New User (joined June 30, 2010)

I did a little hunting with Google and after a few minutes found details of the "hack." I thought it may have been some sort of PHP injection to force it to reveal an arbitrary variable, but it is surprisingly simple.

Thankfully my version doesn't seem to be affected; I tried both the "hack" method and checking the particular install file for certain strings.

My DB server disallows remote logins anyway; the worst that could have happened is that they would be able to see the (unique) user/pass for vBulletin...
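Two posts in this thread (the one above and the earlier "sensible server management" remark) make the same point: if the leaked secret is a database credential, a server that refuses remote database logins turns a full compromise into a much smaller problem. The following is an added example written for this page, not code from vBulletin, Internet Brands or any poster. It audits the two settings that decide exposure on MySQL/MariaDB, bind-address under [mysqld] and the Host column of mysql.user, and emits SQL to pin any network-capable account to localhost. The my.cnf fragments and account rows are constructed sample data; the RENAME USER remediation assumes no matching 'user'@'localhost' row already exists.

```python
"""Audit whether a forum's MySQL/MariaDB server accepts remote logins.

Two settings decide it:
  1. `bind-address` under [mysqld]: anything but loopback means the daemon
     listens on a routable interface (unset means all interfaces on stock
     MySQL; `skip-networking` disables the TCP listener entirely).
  2. The Host column of mysql.user: '%'/'_' wildcards, subnet patterns or
     any non-loopback host let that account connect over the network, so a
     leaked password for it is usable from an attacker's machine.
All my.cnf text and account rows below are constructed sample data.
"""
from __future__ import annotations

import re
from typing import Iterable

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def mysqld_settings(my_cnf: str) -> dict:
    """Options found under [mysqld] in my.cnf text; bare flags map to True.
    Underscores are normalised to hyphens because MySQL accepts both."""
    settings = {}
    section = None
    for raw in my_cnf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\S+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "mysqld":
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower().replace("_", "-")
        settings[key] = value.strip() if sep else True
    return settings


def host_is_remote(host: str) -> bool:
    """True when a mysql.user Host value admits connections from another
    machine. Anything that is not an exact loopback name counts as remote,
    which covers '%', '10.0.0.%', '192.168.1.0/255.255.255.0' and FQDNs."""
    return host.strip().lower() not in LOOPBACK


def audit_exposure(my_cnf: str, user_rows: Iterable[tuple]) -> list:
    """Return human-readable findings; an empty list means local-only."""
    findings = []
    opts = mysqld_settings(my_cnf)
    if "skip-networking" not in opts:           # TCP listener is enabled
        addr = opts.get("bind-address")
        if addr is None:
            findings.append("bind-address unset: mysqld listens on all interfaces by default")
        elif addr not in LOOPBACK:
            findings.append(f"bind-address={addr}: mysqld reachable over the network")
    # Accounts are checked even when the listener is local-only: a wildcard
    # host is a latent hole that reopens the moment bind-address changes.
    for user, host in user_rows:
        if host_is_remote(host):
            findings.append(f"account '{user}'@'{host}' may log in from remote hosts")
    return findings


def remediation_sql(user_rows: Iterable[tuple]) -> list:
    """SQL that pins each network-capable account to localhost. RENAME USER
    keeps the grants and password, so the forum's config.php keeps working.
    Assumes no '<user>'@'localhost' row already exists (MySQL rejects the
    rename if it does); in that case DROP USER the wildcard row instead."""
    return [f"RENAME USER '{u}'@'{h}' TO '{u}'@'localhost';"
            for u, h in user_rows if host_is_remote(h)]


# --- constructed sample data (not from any real server) -------------------
WEAK_CNF = """
[client]
port = 3306

[mysqld]
user = mysql
port = 3306
bind-address = 0.0.0.0    # weak: listens on every interface
"""

HARDENED_CNF = """
[mysqld]
user = mysql
port = 3306
bind-address = 127.0.0.1  # loopback only; the web tier is on the same box
"""

USERS_WEAK = [("root", "localhost"), ("vbulletin", "%"), ("backup", "10.0.0.%")]
USERS_HARDENED = [("root", "localhost"), ("vbulletin", "localhost")]

if __name__ == "__main__":
    for label, cnf, rows in (("weak", WEAK_CNF, USERS_WEAK),
                             ("hardened", HARDENED_CNF, USERS_HARDENED)):
        print(f"[{label}]")
        for finding in audit_exposure(cnf, rows) or ["no exposure found"]:
            print("  -", finding)
        for stmt in remediation_sql(rows):
            print("  fix:", stmt)
```

On a real box, feed `mysqld_settings` the contents of my.cnf (and any files it includes) and `audit_exposure` the rows of `SELECT User, Host FROM mysql.user`. Both checks matter together: a loopback bind-address protects the server today, while a 'vbulletin'@'%' account is what makes a leaked config.php password usable from anywhere the day someone opens the port for a replica or a remote admin tool.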
5:40 am on Oct 5, 2010 (gmt 0) - Junior Member (joined Jan 10, 2007)

> vBulletin development has been a mess since Internet Brands bought Jelsoft (for more detail, read the page about vBulletin on Wikipedia). So personally I'm looking for a way out, whilst secretly hoping that the original team might start a new project; failing that, I might consider vBulletin 5 if IB have a handle on it by then...


Seems a new project has been in the works after all...

[webmasterworld.com...]