vBulletin easily hacked

Evastar

Inactive User
Joined
May 19, 2010
Messages
4,992
Reaction score
51
Location
que sera sera
A serious flaw in software widely used to power online discussion sites could allow hackers to harvest reams of personal data, the BBC has learned.

The flaw in a specific version of the vBulletin software allows anyone to easily access the main administrator username and password for a site.

This would also allow hackers to access data, such as e-mail addresses, and edit the site at will.

The owner of the program - Internet Brands - released a fix on 21 July.

However, at time of writing, many sites remain vulnerable.

The BBC was alerted to the problem by Stuart Wright of audio visual reviews site AV forums, which uses the software for its discussion boards, before the patch was released.

"It is very worrying that they are releasing a product which has such a horrendous flaw," Mr Wright told BBC News.

"I'm really not happy - we rely on this software for our business."

AV Forums has around 300,000 members. It was not using the version with the flaw.

Internet Brands has not responded to requests for comment on the problem.

vBulletin is software that is used to power the vast majority of internet forums and discussion boards on the web.

It was originally developed by Jelsoft and vBulletin Solutions, but was sold to Internet Brands in 2007.

The flaw affects version 3.8.6 of the software, which was released on 13 July.

"If the provider of the software says there is a issue with it, they have flagged it up to the entire internet” Graham Cluley

The simple hack, which the BBC has confirmed, allows even unskilled people to access many websites.

With a few key strokes the person can obtain the administrator's username and password for the website.

This can be used to log in to the site and modify and delete elements at will.

David Ross, founder of Hexus.net, a technology news and reviews website, said the flaw was a "potential nightmare".

"It could allow someone to access all of the user accounts for the site," he said.

This would be useful to a hacker, he said, because it was "good quality information" that had already been verified.

Hexus.net, which has 75,000 registered users, updated their site as soon as they were made aware of the flaw.

Internet Brands announced a patch for the problem at 1900 BST on 21 July on its website.

It also sent e-mails to its customers and sent out a message that appeared on the main control panels of individual customers' software.

However, hours before the official announcement, third party firms that provide services to vBulletin were already warning of a problem.

"It has come to our attention that a vulnerability on vBulletin 3.8.6 has been discovered," read one from vBSEO.

"The exploit allows a malicious user to retrieve a forum's database credentials."

It then offered advice on how to fix the problem.

Kier Darby, the former lead developer of vBulletin also issued an alert via Twitter.

However, nearly 24 hours later, many websites are still vulnerable.

Graham Cluley of security firm Sophos said that this could be because firms were testing the new patch.

"If this is a piece of software running on your company website then it is good practice to test it before it goes live to make sure you're not introducing more problems," he told BBC News.

However, he said, firms should plug the flaw as soon as possible.

"If the provider of the software says there is a issue with it, they have flagged it up to the entire internet," he said.

"That means that criminal will be looking at it to see if there is there anything they can exploit."




BBC News - Firm scrambles to patch vBulletin software flaw
 

Mick

Administrator
Staff member
Administrator
Premium Member
Joined
Jan 19, 1999
Messages
32,064
Reaction score
8,697
Do not worry I never upgrade to the latest versions for at least a month.

We are not on 3.8.6 I knew about the FAQ hack about a week ago and decided to remove the FAQ.php script just incase.

Regards
Mickie D
 

witchy

Banned for good!
Joined
Jul 20, 2005
Messages
18,282
Reaction score
332
Do not worry I never upgrade to the latest versions for at least a month.

We are not on 3.8.6 I knew about the FAQ hack about a week ago and decided to remove the FAQ.php script just incase.

Mickie, is that why we are not allowed to edit our own avatars etc anymore?

Can they be a security risk?
 

Mick

Administrator
Staff member
Administrator
Premium Member
Joined
Jan 19, 1999
Messages
32,064
Reaction score
8,697
That is the main reason mate to be honest.

Most xploits start with a file being uploaded as a image they normally call it php.gif or something like this... once these scripts are executed they can put a file in the tmp dirs of the linux machines and open up the site with FTP like scripts.

They then go on to put codes in the login scripts, and put some kind of code that will log logins to files in the tmp dir etc.

Do not get me wrong if someone wants in and they are good enough there is no layer of security that will stop them, hence why sites like NASA, ministry of defence... etc get hacked.

I know a few sites that have been hacked due to uploads from avatars.

Regards
Mickie
 

edcase

Inactive User
Joined
May 2, 2005
Messages
1,161
Reaction score
18
Mickie, is that why we are not allowed to edit our own avatars etc anymore?

Can they be a security risk?

I would guess so. I dont know if there is any direct exploit you could trigger, though anything you can upload to server has some risk associated with it.


oops mickey beat me to it -I shouldn't take so long typing lol
 

jamesyboyjim

Inactive User
Joined
Jan 2, 2008
Messages
5,235
Reaction score
1,452
Location
CWS =
Do not worry I never upgrade to the latest versions for at least a month.

We are not on 3.8.6 I knew about the FAQ hack about a week ago and decided to remove the FAQ.php script just incase.

Regards
Mickie D

thanx for keeping us all safe mickie!

I'd be gutted if this site was hacked and ruined.

c'mon everybody! group hug! :banana:
 

edcase

Inactive User
Joined
May 2, 2005
Messages
1,161
Reaction score
18
1. Find out who is admin

2. PM admin asking for password

3. Wait for reply ;)

I think the admin would have to be pretty drunk :Cheers:

Should be easy enough to implement here though! :drunk:
 

Dazza

Inactive User
Joined
Sep 16, 2007
Messages
2,838
Reaction score
66
That seems a better reason than the "was changed so we could monitor it, far to many members where abusing it" utter bullshit previous excuse we were previously given lol

Exactly. Shame the mods when asked, couldn't give such a reasoned reply, instead of the short shift we were given.

Hey ho, it's done with now.
 

davidh

<font color="RED">Administrator</font>
VIP Member
Joined
Aug 9, 2001
Messages
14,954
Reaction score
121
Location
LIVERPOOL
Exactly. Shame the mods when asked, couldn't give such a reasoned reply, instead of the short shift we were given.

Hey ho, it's done with now.
why do we need to tell every member about what goes on
all members should be worried about is ,is the forum running ok
are we safe

answer to both is yes
 

oneman

VIP Member
VIP Member
Joined
Aug 23, 2007
Messages
7,504
Reaction score
1,283
Location
Essex
why do we need to tell every member about what goes on
all members should be worried about is ,is the forum running ok
are we safe

answer to both is yes

I understand that all the mods and admins put a shit load of time and effort into running the board for free but it was a pointless mis-direction. I think i was a simple enough question about a function that disappeared. I am sure 100% that the board users would have had not had an issue if you said it was security related.
 

Dazza

Inactive User
Joined
Sep 16, 2007
Messages
2,838
Reaction score
66
I understand that all the mods and admins put a shit load of time and effort into running the board for free but it was a pointless mis-direction. I think i was a simple enough question about a function that disappeared. I am sure 100% that the board users would have had not had an issue if you said it was security related.

Is the right answer.

:Clap:
 

Dazza

Inactive User
Joined
Sep 16, 2007
Messages
2,838
Reaction score
66
TBH, half time I tell the users at work its a security issue if we restrict them in some way.

Yeah, and it's accepted, because people would rather think they are safe, than know they're being treated like idiots. No matter what the truth of the matter. ;)
 
TEST
Top