
Security flaw in vBulletin 3.8.6

     

Seb7

7:12 pm on Jul 22, 2010 (gmt 0)

5+ Year Member



[bbc.co.uk ]

...a specific version of the vBulletin software allows anyone to easily access the main administrator username and password for a site.
This would also allow hackers to access data, such as e-mail addresses, and edit the site at will.

rocknbil

7:36 pm on Jul 22, 2010 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



A clarification is in order: it can only "hack a site" if the entire site is a vBulletin forum. The vulnerability is only in the forum, not an entire site. Seems trivial, but many will see "site" and think otherwise.

slinky

9:22 pm on Jul 22, 2010 (gmt 0)

5+ Year Member



It seems like it's all over the news now...

rogerd

7:52 pm on Jul 23, 2010 (gmt 0)

WebmasterWorld Administrator rogerd is a WebmasterWorld Top Contributor of All Time 10+ Year Member



A security patch was released on July 21, and can be downloaded by registered users:
[vbulletin.com...]

bill

2:51 am on Jul 24, 2010 (gmt 0)

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month



I feel fortunate not to have upgraded yet from 3.8.5. That is a hideous vulnerability to leave open. I would have expected a bit more of a mea culpa from Internet Brands.

hugh

2:29 pm on Jul 24, 2010 (gmt 0)

5+ Year Member



vBulletin development has been a mess since Internet Brands bought Jelsoft (for more detail read the page about vBulletin on Wikipedia). So personally I'm looking for a way out, whilst secretly hoping the original team might start a new project; failing that, I might consider vBulletin 5 if IB have a handle on it by then...

hugh

10:50 pm on Jul 24, 2010 (gmt 0)

smallcompany

7:28 am on Jul 25, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Are there better alternatives to vBulletin? I was about to buy it.

rocknbil

6:07 pm on Jul 25, 2010 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



If you buy VB, you'll be buying the new 4.+ versions, which don't have these vulnerabilities. I think. Hope. :-)

smallcompany

8:41 pm on Jul 25, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Thanks.

Anyhow, is there anything as good as or better than vB? Does anyone know IP Board?

Or which free solution would be the best?

Thanks

hugh

9:39 pm on Jul 25, 2010 (gmt 0)

5+ Year Member



If you buy VB, you'll be buying the new 4.+ versions, which don't have these vulnerabilities. I think. Hope. :-)


Were you using version 3 previously? If so, how do the two compare? I don't see any new functionality worth upgrading for yet that isn't available in a modification, and the performance requirements have increased...

Or which free solution would be the best?


PHPBB is the most popular free alternative...

rocknbil

5:35 pm on Jul 26, 2010 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



The customers I'm working with all still have older versions, and I'm applying their patches, reporting no problems so far. Some history here [webmasterworld.com] and here [webmasterworld.com] on why my clients haven't jumped to 4.+. Bottom line is that you can use "old versions" "forever" without licensing updates, but you get no support. Yet here's this patch <shrug>.

vordmeister

7:26 pm on Jul 26, 2010 (gmt 0)

10+ Year Member Top Contributors Of The Month



A recent change in vB licensing arrangements and a good number of forums remaining on 3 series might mean that 3 series could remain supported for some time. I certainly hope so. I'm not moving useful forums to 4 series having tested it and kept an eye on it, but I'm not moving them elsewhere either as all my URLs will change.

Others must feel exactly the same, as a mess-up in a 3 series upgrade got a mention on the WebmasterWorld homepage. For the record, it revealed database access credentials rather than passwords to the admin account. That leaves you open to more damage, but sensible server management (i.e. not allowing database access from remote machines) could have reduced the risk. Not upgrading for a few days after an update is the best security measure - there are always patches.

hugh

2:17 am on Jul 27, 2010 (gmt 0)

5+ Year Member



Bottom line is that you can use "old versions" "forever" without licensing updates, but you get no support.


Given how good and thoroughly well tested vBulletin 3.8.4 and 3.8.5 are, buying a second-hand copy is an option...

smallcompany

4:02 am on Jul 27, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



What's the problem with version 4 (if starting a new forum)?

rocknbil

6:22 pm on Jul 27, 2010 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Cost. Per the threads above, it felt as though we were - even as paying licensed customers - being throttled into buying an expensive upgrade while trying to execute due diligence by keeping versions up to date. For some applications, where the forums are just hobbyist or supplemental add-ons, it would not be cost effective to invest in it (think it was about $400?)

vordmeister

6:23 pm on Jul 27, 2010 (gmt 0)

10+ Year Member Top Contributors Of The Month



The initial worries about vB4 were the change in pricing structure and the rush to release that led to a lot of bugs. Those seem to be gradually being sorted.

Apparently styles in vB4 are difficult to modify, it is database intensive and slower than vB3 (though Shawn Hogan has published modifications to improve this), and it doesn't support IE6. vB3 has advantages over vB4 for many.

smallcompany

6:52 pm on Jul 27, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Thanks.

Cost is not my worry as this would be for the site that makes money.

What worries me is:

- SEO friendliness
- security
- easiness of forum management
- making it part of existing static website (can be subdomain or subfolder, no complicated integration, just using existing domain and site)
- possibility of extending it so people can run their blogs or similar (I see vB 4 has it in its suite, and I see IP Board has forum and blog as separate packages)

I'm not attached to any, and I welcome other solutions as well. I don't care if it's $200 or $2,000.

I just care about getting a good platform.

Thanks

P.S.
Yes, I would hate to see me spending $500 and figuring some free open source would do it better. Uncertainty is what is stopping me.

rowan194

10:52 pm on Jul 27, 2010 (gmt 0)

5+ Year Member



I did a little hunting with Google and after a few minutes found details of the "hack." I thought it may have been some sort of PHP injection to force it to reveal an arbitrary variable, but it is surprisingly simple.

Thankfully my version doesn't seem to be affected; I tried both the "hack" method and checking the particular install file for certain strings.

My db server disallows remote logins anyway; the worst that could have happened is they would be able to see the (unique) user/pass for vBulletin...

hugh

5:40 am on Oct 5, 2010 (gmt 0)

5+ Year Member



vBulletin development has been a mess since Internet Brands bought Jelsoft (for more detail read the page about vBulletin on Wikipedia). So personally I'm looking for a way out, whilst secretly hoping the original team might start a new project; failing that, I might consider vBulletin 5 if IB have a handle on it by then...


Seems a new project has been in the works after all...

[webmasterworld.com...]