Announcement

Collapse
No announcement yet.

forum permission blunder makes the news

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • forum permission blunder makes the news

    A news item over at The Register about Tiscali, a UK ISP getting into trouble when their moderators forum became visible to the general public. The Register stated that a "Mr Karl Davis" took offense to comments made about him behind closed doors which hads made it into the open, and wanted an appology for the moderators remarks.

    So I had to find out what forum software they use, and low and behold.. you guessed it, vB. Davis got his appology and Tiscali have blamed it on a security breech of vBulletin. This has been fixed they say by upgrading to 2.2.6.
    HP DL-380 G6, 2x E5520, 28GB RAM, 4x300GB SAS, VMWare ESXi
    -
    Unreal Tournament : Assault forums - irc://irc.utassault.net:6667 -

  • #2
    Interesting, I am not aware of any such bug that exists or was fixed in 2.2.6.

    Comment


    • #3
      Originally posted by freddie
      Interesting, I am not aware of any such bug that exists or was fixed in 2.2.6.
      I think someone messed up and is just trying to blame it on VB so they don't get fired!

      That would make more sense probably...
      We're Here Forums!
      [email protected]

      Comment


      • #4
        Originally posted by werehere
        I think someone messed up and is just trying to blame it on VB so they don't get fired!
        Would it be adding insult to injury if Jelsoft sued that ISP for slander/libel? Doesn't look like they could prove it was a security breech but rather user error...
        OPEN TECH SUPPORT
        "Tech is our middle name!"

        Comment


        • #5
          I think you guys better address this issue, or even I might think it was vB that was at fault.
          Well, there it is.
          - Keeper of the Grove

          Comment


          • #6
            I thought it was a cover up by Tiscali as well, saying that software has security issues seems to be a common scape goat now-a-days.
            HP DL-380 G6, 2x E5520, 28GB RAM, 4x300GB SAS, VMWare ESXi
            -
            Unreal Tournament : Assault forums - irc://irc.utassault.net:6667 -

            Comment


            • #7
              John has already emailed Tiscali. We are waiting for a response.

              Comment


              • #8
                Yeh yeh, it's always somebody else's fault.

                Comment


                • #9
                  Originally posted by Kier
                  John has already emailed Tiscali. We are waiting for a response.
                  So I guess he just sends mail, and never responds right????

                  Comment


                  • #10
                    Originally posted by The Prohacker
                    So I guess he just sends mail, and never responds right????
                    You wouldn't believe the amount of mail I get through my @vbulletin.com account...

                    Comment


                    • #11
                      Try me. How many per day?

                      Comment


                      • #12
                        Utter Nonsense

                        As a vBulletin user and Tiscali subscriber I was fairly angry at the report in the Register and then within the apology in the Tiscali forums.

                        So I set off to find out 2 things, 1. Who it was that got in and 2. How they did it.

                        The upshot of all this is that a member wondered if a Tiscali moderator was away on holiday and clicked his profile button to see the date/time of his last post. When he did this he states that the last post was in a private mods forum. When he clicked the link he got in and read a few of the posts.

                        So I asked what version of vBulletin Tiscali had running at the time, 2.0.3 I was told. I then asked the guy who got in to come over to a test forum I had set up with 2.0.3 and see what developed.

                        The test forum was 2.0.3, with 4 forums one a private forum. We populated the forums with around 50 posts, several in the private forum by myself. I then made one of my regular moderators a mod on this test forum, asked him to post in all 4 forums but to make sure his last post was in the private forum.

                        For over 4 hours four of us (including the guy who got into Tiscali's private forum) tried to gain access, I even posted the direct URL of the private forum, still no one could get in. We changed several of the admin options but a guest or member could not view this forum. I then made the private forum visible so folks could view the date/time of the posts in the private forum and confirm that 2.0.3 was and still is secure to this type of abuse.

                        The conclusion is that Tiscali has hacked (and a few days prior to the breach had problems with) the log in to their forums. Members login using their user ID and password that they have for their dialup access. There are several other hacks to the basic forums, mods for example do not have a PM button under each post they make etc. If you try to add a sig to your posts (allowed and working) you are told you need a unique email address (WTF) I am a member for Gawd sake.

                        The two guys responsible for the hack have now left Tiscali, as has the community manager.


                        Wonder what Tiscali has told John??
                        Last edited by centris; Sun 18 Aug '02, 10:08am.

                        Comment


                        • #13
                          Yup. I go to forums and the admin is always complaining that vBulletin sucks. When it was hacked because one of the admins hadn't changed his password since when passwords were stored as plaintext, and the hacker hacked into the admin cp, of course then he blamed vB before he figured out what had happened. "vBulletin sucks and was hacked again"

                          Comment

                          widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                          Working...
                          X