  • #61
    Originally posted by Scott MacVicar
    We are signed up to all the lists you are signed up to, plus a little infiltration into "hacking" groups to keep tabs on what's going on. We investigate every single claim against vBulletin as well as those for other pieces of software that might affect us.

    The last 4-5 vBulletin "exploits" have been in 3rd party code, non-vBulletin related, or completely made up.

    This includes:
    Being able to "steal" cookies from another site just by linking.
    SQL injection to a clearly sanitised field.
    Being able to insert HTML into the template system :O

    and so forth...

    I've looked at the vB Portal code and recommended some changes for them to implement, mainly around the use of user-provided data in include / require statements. We only do this on one occasion in vBulletin (payment_gateway.php) but you are forced to use what's in the database and not the user output.

    If you think you've found something that we've not addressed then post it in the bug tracker and we'll get it looked at.
    Did you see the video when someone logged in to here using an XSS vulnerability in your site? Was done last week.
    Dean Clatworthy - Web Developer/Designer
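The include / require point Scott makes above is the one concrete technical claim in this thread, so here is an added illustration of it. This is editor-written example code, not vBulletin, vBPortal or payment_gateway.php source, and the module names, the `modules/` directory and the `MODULE_TABLE` lookup (standing in for the database row Scott refers to) are hypothetical. It shows the unsafe shape, where the request string is concatenated straight into the include path, beside a hardened version in which the request only supplies a key, the file name comes from a server-side table, and the resolved path is checked to sit below the intended directory before it is included.

```php
<?php
// Added example (not vBulletin/vBPortal code). Demonstrates why user input
// must not choose the file that include/require loads, and the safe pattern:
// user supplies a key, a trusted table supplies the path.

// UNSAFE (hypothetical): the request decides what gets included. A value such as
// "../../../../etc/passwd" or a remote URL (with allow_url_include enabled on
// old PHP setups) lands directly in the include path.
function load_module_unsafe(string $requested): void
{
    include './modules/' . $requested . '.php';
}

// Server-side table of installed modules: stands in for the database row that
// vBulletin consults instead of trusting the request (hypothetical entries).
const MODULE_TABLE = [
    'news'    => 'news.php',
    'weather' => 'weather.php',
];

// Map a request key to an absolute path under $baseDir, or null if the key is
// unknown or the resolved file escapes $baseDir (covers a tampered table row).
function resolve_module(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, MODULE_TABLE)) {
        return null;                      // unknown key: refuse, never guess
    }
    $base = realpath($baseDir);           // false if the directory is missing
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . MODULE_TABLE[$requested]);
    // realpath() is false for a missing file; also require the canonical path to
    // start with the base directory, so symlinks or ".." in the table cannot
    // point outside it.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// SAFE: the only user-controlled value is the lookup key; the included file
// is whatever the table says, verified to live under the modules directory.
function load_module_safe(string $requested, string $baseDir): bool
{
    $path = resolve_module($requested, $baseDir);
    if ($path === null) {
        http_response_code(404);          // unknown or out-of-tree module
        return false;
    }
    require $path;
    return true;
}

// Usage (hypothetical front controller): ?module=news
$key = isset($_GET['module']) ? (string) $_GET['module'] : 'news';
load_module_safe($key, __DIR__ . '/modules');
```

The whitelist lookup is what matters; the `realpath()` prefix check is a second line of defence in case the table itself is ever writable by an attacker, which is the situation a compromised admin panel or SQL injection would create.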


    • #62
      Has anyone tried the 2 suggestions by liquidweb already on their server? I asked my host about it, he told me he could do it but that it might cause problems to other sites on the server.



      • #63
        Originally posted by globalinsites
        Has anyone tried the 2 suggestions by liquidweb already on their server? I asked my host about it, he told me he could do it but that it might cause problems to other sites on the server.
        I have had both hardening suggestions applied to my server. I run a variety of scripts including vbulletin on my sites and have seen no negative impact to any of them...although that warning was given by the Liquid Web tech to me as well.
        RazorThemes ~ Cutting Edge Designs


        • #64
          Originally posted by smackLAN
          I have had both hardening suggestions applied to my server. I run a variety of scripts including vbulletin on my sites and have seen no negative impact to any of them...although that warning was given by the Liquid Web tech to me as well.
          Okay, thanks. In case it does turn out to cause problems, then I suppose that in the worst case it would be reversible by just changing those settings back, right?

          The possible problems would only occur on PHP sites, I suppose?


          • #65
            Originally posted by Dean C
            Did you see the video when someone logged in to here using an XSS vulnerability in your site? Was done last week.
            It was a bit more than a week ago actually.
            The problem was not in vBulletin though, but in our order script.
            Best Regards
            Colin Frei

            Please don't contact me by PM.


            • #66
              Originally posted by Colin F
              It was a bit more than a week ago actually.
              The problem was not in vBulletin though, but in our order script.
              Yes I saw. Glad to see you're aware of these things.
              Dean Clatworthy - Web Developer/Designer


              • #67
                Quick Question

                I only received one email about this, and it wasn't the one everyone else seems to have gotten. So does that mean they didn't get everyone and everything they claim they have?

                I got one from gmail dot com; everyone else seems to be saying they got one from the vbportal.com / phpportal.com website.
                Last edited by JhereG; Mon 31st Jul '06, 1:14pm.


                • #68
                  Me too. I only got the e-mail from gmail.
                  The vBPortal team still hasn't found out how the hacker hacked their site, and their site is still closed. I think we, vbportal users, should turn off our sites.
                  Last edited by lovevn; Thu 27th Jul '06, 5:24pm.


                  • #69
                    Originally posted by lovevn
                    Me too. I only got the e-mail from gmail.
                    The vBPortal team still hasn't found out how the hacker hacked their site, and their site is still closed. I think we, vbportal users, should turn off our sites.
                    One word for that post. lol.


                    • #70
                      Originally posted by lovevn
                      Me too. I only got the e-mail from gmail.
                      The vBPortal team still hasn't found out how the hacker hacked their site, and their site is still closed. I think we, vbportal users, should turn off our sites.
                      - You may want to disable the portal and use a redirect to your forums and other parts of the site until patched. There is lots of great stuff in the vBportal. There should be a fix down the line soon.

                      Originally posted by NashTax
                      One word for that post. lol.
                      No need to laugh. He / she is translating from Japanese to English very well. I understand.
                      Last edited by Zachariah B; Thu 27th Jul '06, 6:13pm.
                      http://www.szone.us | http://www.gzhq.net
                      Twitter | Facebook | My:Hacks @ vBulletin.org
                      Member of Kiwanis Club of Chatsworth


                      • #71
                        Originally posted by Dean C
                        Did you see the video when someone logged in to here using an XSS vulnerability in your site? Was done last week.
                        The problem with the support system was fixed six weeks ago.


                        • #72
                          Hah, nothing gets past Jelsoft.


                          • #73
                            Originally posted by JhereG
                            I only received one email about this, and it wasn't the one everyone else seems to have gotten. So does that mean they didn't get everyone and everything they claim they have?

                            I got one from vbportal at gmail dot com; everyone else seems to be saying they got one from the vbportal.com / phpportal.com website.
                            Same here. The only email I got was the one from gmail and not the original one people claim. What could this mean?


                            • #74
                              I too only got the one from gmail. I'm a bit confused though. Was the one from gmail a fake or actually from phpportals?

                              Don




                              • #75
                                Originally posted by dknelson99
                                I too only got the one from gmail. I'm a bit confused though. Was the one from gmail a fake or actually from phpportals?

                                Don
                                The one from gmail didn't look fake to me. Besides, with the phpportals site being hacked they were probably not able to e-mail the registered members through the forum script. They had probably exported a mailing list from vbulletin at some point and used that with external e-mail software to notify the registered members. Just guessing.

                                I see the site is up again, so that's great. I didn't see any announcement yet about a fix or instructions etc., but I'm sure it's being worked on.
