vB 5x EXPLOIT and Module fix, v2.0.
There exists in vBulletin a major exploit which if known and applied allows any unregistered user to access information about other users.
While searching for a solution to the ever annoying issue of how to set Permissions on a Module so that unregistered users don't see the content when the programmer of the module didn't include an Edit Permissions option, I discovered a horrible exploit. I did some testing and find it exists as far back as 5.0.1 right up to 5.2x.
Fortunately the exploit is conditional.
Upon what, I am not telling.
What I can say, is that the more forums you host, the greater the susceptibility of the exploit.
Using a brute force generator on a very secure vB5.1.6 it took all of 3 minutes to obtain 10 user accounts.
This exploit allows one to enter into an account, without registration, without login and regardless of Permissions or passwords.
One is able to gather all information available within a users Profile, including personal information, photos, media, subscriptions, et c.
This is a blatant fault of bad programming.
Computers 101, Error Trap all your routines.
The coders of vB have left out a lot of error trapping and as a result, exploits.
Luckily the resolve is an easy one, though tedious.
Better coders may find ways to improve upon this fix.
Bare in mind that this all hinges on the fact ones Forum is not already open to the public and that it requires registration.
Go into the AdminCP,
Styles & Templates,
Located your Style and edit the Template,
Expand Profile Templates.
You will need to modify 7 templates-
profilefields, profile_about, profile_activity, profile_custom_edit, profile_following, profile_media and profile_textphotodetail
The procedure is the same for all.
Firstly, go to your AdminCP, UserGroups, User Groups Manager...
look for the Unregistered Users entry, on the right, find the ID #
This is almost always 1, but if not, adjust the code below.
Secondly,
At the top of each template as the very first line, add
Then at the bottom of each template, add
Save, repeat.
What this does is tells the forum code, if you are NOT registered and logged into the forum, DO NOT display this portion of code.
This same process may be applied to Module Templates such as-
widget_announcement, widget_birthday, widget_onlineusers
All of which do not have Permission settings and each of which no one else needs to see unless they are a member.
This code could be applied to a lot of templates.
But not all. Do not apply it to ones that need to be accessible to unregistered person who want to register, such as the Content template or the CAPCHA.
IMO All Styles need to be overhauled and recoded to include something similar to the patch.
I'm not sure how these changes will affect upgrading.
There exists in vBulletin a major exploit which if known and applied allows any unregistered user to access information about other users.
While searching for a solution to the ever annoying issue of how to set Permissions on a Module so that unregistered users don't see the content when the programmer of the module didn't include an Edit Permissions option, I discovered a horrible exploit. I did some testing and find it exists as far back as 5.0.1 right up to 5.2x.
Fortunately the exploit is conditional.
Upon what, I am not telling.
What I can say, is that the more forums you host, the greater the susceptibility of the exploit.
Using a brute force generator on a very secure vB5.1.6 it took all of 3 minutes to obtain 10 user accounts.
This exploit allows one to enter into an account, without registration, without login and regardless of Permissions or passwords.
One is able to gather all information available within a users Profile, including personal information, photos, media, subscriptions, et c.
This is a blatant fault of bad programming.
Computers 101, Error Trap all your routines.
The coders of vB have left out a lot of error trapping and as a result, exploits.
Luckily the resolve is an easy one, though tedious.
Better coders may find ways to improve upon this fix.
Bare in mind that this all hinges on the fact ones Forum is not already open to the public and that it requires registration.
Go into the AdminCP,
Styles & Templates,
Located your Style and edit the Template,
Expand Profile Templates.
You will need to modify 7 templates-
profilefields, profile_about, profile_activity, profile_custom_edit, profile_following, profile_media and profile_textphotodetail
The procedure is the same for all.
Firstly, go to your AdminCP, UserGroups, User Groups Manager...
look for the Unregistered Users entry, on the right, find the ID #
This is almost always 1, but if not, adjust the code below.
Secondly,
At the top of each template as the very first line, add
Code:
<vb:if condition="!is_member_of($user, 1)">
Then at the bottom of each template, add
Code:
</vb:if>
Save, repeat.
What this does is tells the forum code, if you are NOT registered and logged into the forum, DO NOT display this portion of code.
This same process may be applied to Module Templates such as-
widget_announcement, widget_birthday, widget_onlineusers
All of which do not have Permission settings and each of which no one else needs to see unless they are a member.
This code could be applied to a lot of templates.
But not all. Do not apply it to ones that need to be accessible to unregistered person who want to register, such as the Content template or the CAPCHA.
IMO All Styles need to be overhauled and recoded to include something similar to the patch.
I'm not sure how these changes will affect upgrading.
Comment