
vB 5x Exploit and patch.


    vB 5x EXPLOIT and Module fix, v2.0.

    There exists in vBulletin a major exploit which if known and applied allows any unregistered user to access information about other users.

    While searching for a solution to the ever annoying issue of how to set Permissions on a Module so that unregistered users don't see the content when the programmer of the module didn't include an Edit Permissions option, I discovered a horrible exploit. I did some testing and found it exists as far back as 5.0.1 right up to 5.2x.

    Fortunately the exploit is conditional.
    Upon what, I am not telling.
    What I can say, is that the more forums you host, the greater the susceptibility of the exploit.
    Using a brute force generator on a very secure vB5.1.6 it took all of 3 minutes to obtain 10 user accounts.
    This exploit allows one to enter into an account, without registration, without login and regardless of Permissions or passwords.
    One is able to gather all information available within a user's Profile, including personal information, photos, media, subscriptions, etc.

    This is a blatant fault of bad programming.
    Computers 101, Error Trap all your routines.
    The coders of vB have left out a lot of error trapping and as a result, exploits.

    Luckily the resolve is an easy one, though tedious.
    Better coders may find ways to improve upon this fix.

    Bear in mind that this all hinges on the fact one's Forum is not already open to the public and that it requires registration.

    Go into the AdminCP,

    Styles & Templates,

    Locate your Style and edit the Template,

    Expand Profile Templates.

    You will need to modify 7 templates-

    profilefields, profile_about, profile_activity, profile_custom_edit, profile_following, profile_media and profile_textphotodetail



    The procedure is the same for all.

    Firstly, go to your AdminCP, UserGroups, User Groups Manager...
    look for the Unregistered Users entry, on the right, find the ID #
    This is almost always 1, but if not, adjust the code below.


    Secondly,

    At the top of each template as the very first line, add
    Code:
    <vb:if condition="!is_member_of($user, 1)">

    Then at the bottom of each template, add
    Code:
    </vb:if>

    Save, repeat.



    What this does is tell the forum code, if you are NOT registered and logged into the forum, DO NOT display this portion of code.
    This same process may be applied to Module Templates such as-

    widget_announcement, widget_birthday, widget_onlineusers

    All of which do not have Permission settings and each of which no one else needs to see unless they are a member.



    This code could be applied to a lot of templates.

    But not all. Do not apply it to ones that need to be accessible to unregistered persons who want to register, such as the Content template or the CAPTCHA.



    IMO All Styles need to be overhauled and recoded to include something similar to the patch.

    I'm not sure how these changes will affect upgrading.
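
An added example, not part of the original post and not vBulletin code: a Python check that each profile template named above starts with the guard for the expected usergroup ID, ends with `</vb:if>`, and does not close the guard early. It assumes the templates are read from a style export with `<template name="...">` elements; the sample export is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Template names listed in the post above.
PROFILE_TEMPLATES = ("profilefields profile_about profile_activity profile_custom_edit "
                     "profile_following profile_media profile_textphotodetail").split()
OPENER = re.compile(r'<vb:if condition="!is_member_of\(\$user,\s*(\d+)\)">$')

def guard_status(body, group_id=1):
    """Return 'ok' or the reason the template is not wrapped as described."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    m = OPENER.match(lines[0]) if lines else None
    if not m:
        return "guard is not the first line"
    if int(m.group(1)) != group_id:
        return "guard tests group %s, expected %d" % (m.group(1), group_id)
    if lines[-1] != "</vb:if>":
        return "closing </vb:if> is not the last line"
    tags, depth = re.findall(r"<vb:if\b|</vb:if>", body), 0
    for i, tag in enumerate(tags):
        depth += -1 if tag == "</vb:if>" else 1
        if depth == 0 and i < len(tags) - 1:
            # The guard ended early; markup after this point is unguarded.
            return "guard closes before the end of the template"
    return "ok" if depth == 0 else "unbalanced vb:if tags"

def audit_style(xml_text, group_id=1):
    """Map each profile template name to its guard status."""
    root = ET.fromstring(xml_text)
    bodies = {t.get("name"): t.text or "" for t in root.iter("template")}
    return {name: guard_status(bodies[name], group_id) if name in bodies
            else "not found in export" for name in PROFILE_TEMPLATES}

# Constructed sample export (element layout is an assumption), not real forum data.
SAMPLE = """<style name="constructed">
<template name="profile_about"><![CDATA[<vb:if condition="!is_member_of($user, 1)">
<div>about</div>
</vb:if>]]></template>
<template name="profile_media"><![CDATA[<div>media</div>]]></template>
<template name="profile_activity"><![CDATA[<vb:if condition="!is_member_of($user, 1)">
<p>a</p>
</vb:if>
<vb:if condition="$x"><p>b</p>
</vb:if>]]></template>
</style>"""

if __name__ == "__main__":
    for name, status in audit_style(SAMPLE).items():
        print("%-26s %s" % (name, status))
```

Pass the Unregistered Users ID from the User Groups Manager as `group_id` if it is not 1.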




    #2
    Did you inform vBulletin of the exploit so that they could release an official patch?


      #3
      Yes.
      It took them 7 months before they would even admit the exploit, and then only after their own site was attacked.
      They have not implemented any fix as of the latest release.
      Another thing that greatly annoys people. Release after release, even when fixes are available, and they still don't do it.

      Using a secure .htaccess file like the one I posted, password protecting your SQL server, and PHP patches to remove ANSI bomb exploits are all simple ways to protect one's forum.

      ANSI bomb exploits which I can no longer link to and will not repeat again.



        #4
        Why would they not release a patch if they admitted the exploit? Based on the past exploits, they always do whenever there is a vulnerability in the software.


          #5
          Don't you think it only fair to the viewers here to know at least that I did respond to your question and provided the proof the exploit was submitted, logged, and ignored, and that the exploits have existed for years, along with the fixes, and vB in fact refuses to fix the exploits?
          A lot of information went into that reply just to have it deleted and make it look like I never responded.
          You could have at least left a note that I had and that for reasons you feel of security, chose to remove the entire post.



          • glennrocksvb commented
            Your post contains information not suitable to this forum. I tried to edit your post but for some reason it was failing. So I decided to delete the post.

          #6
          Bit confused. Is this not an issue for public forums?



            #7
            Originally posted by Calamity
            Bit confused. Is this not an issue for public forums?
            It is a serious issue which is affecting thousands of forums.
            The problem though is that it is NOT just public forums as I proved.
            Even private forums are affected!
            The above patch will trap one exploit, but the issue is far wider spread.
            On my own test server I was able to get the user profiles of 10 members in under 1 minute, without being logged into the site!
            But Glen does not want this discussed on this forum and I will abide.



              #8
              Originally posted by Felix2

              It is a serious issue which is affecting thousands of forums.
              The problem though is that it is NOT just public forums as I proved.
              Even private forums are affected!
              The above patch will trap one exploit, but the issue is far wider spread.
              On my own test server I was able to get the user profiles of 10 members in under 1 minute, without being logged into the site!
              But Glen does not want this discussed on this forum and I will abide.
              Alright. Thanks for clarifying. I've done the fixes that you posted. Thank you for providing those.

              I won't discuss this any further.
