Spam backdoor in blog.php

  • Spam backdoor in blog.php

    We found some spam originating from the server that runs our VB 3.8.
    On inspection, the spam was from a request to blog.php.

    This is the snippet of interest:

    if (!$vbulletin->options['enableemail'])

    This says that there is to be some enableemail configuration that is to be respected by blog.php and if that email configuration is turned off, just print a message stating that the email feature has been disabled.

    But, it doesn't work as such. We have emailing turned off in vb control panel and we confirmed that we could indeed send email via the blog software recreating the spam we originally detected.

    This was the rewrite to fix placed above the snippet above.


    Is this ignoring of enableemail configuration fixed in 4.* ? If not, can it be looked into?


  • #2
    I'm also trying to track down spam that has purportedly been sent from my vBulletin software; can vBulletin confirm whether the above indeed is a loophole that may enable a spammer to relay spam through vBulletin? I ask this because I've exhausted all other possibilities. Our forum runs vBulletin Blog 2.0.1 Patch Level 1.

    - JavaScript Kit | CSS Drive


    • #3
      Tom, what version of the Blog are you using?

      George, please upgrade your Blog as 2.0.4 is the latest.
      Vote for:

      - *Admin Settable Paid Subscription Reminder Timeframe*
      - *PM - Add ability to reply to originator only*
      - Add Admin ability to auto-subscribe users to specific channel(s)
      - "Quick Route" Interface...

