vbulletin 4 profile customization exploit?

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Loco.M
    Senior Member
    • Mar 2005
    • 4319
    • 3.5.x

    [Forum] vbulletin 4 profile customization exploit?

    Is there any info on this?

    Code:
    If you have a vBulletin 4.x forum, turn off profile customization immediately! (Security Advisory) #vbulletin (wait for the patch) #intern0t

    I saw this last night, I asked for info and their response was..
    Code:
    Yes, an advisory will be disclosed within the next 24 hours since Jelsoft isn't taking it serious.



    So my question is, should we disable profile customization until a patch is released?
    I did anyway for our regular groups, not mods or smods just to be sure.
    -- Web Developer for hire
    ---Online Marketing Tools and Articles
  • reefland
    Senior Member
    • Sep 2000
    • 1131

    #2
    I have disabled mine as well until I hear further.
    sigpic
    Nation of Blue - Kentucky Wildcats Sports


    Some CMS Goodness: Add Avatar to Article

    Comment

    • Ace
      Senior Member
      • Apr 2004
      • 4051
      • 4.2.X

      #3
      Unless it's Twitter lagging... back to the point where Jelsoft would have been the group to be concerned about it..
      My Live vB5 Site - NZEating.com
      vBulletin Hosting | vBulletin Services - Need hosting for your vB? Need it installed? Something else? Let me take that hassle off your hands.

      Comment

      • rootsxrocks
        Senior Member
        • Aug 2009
        • 833
        • 4.2.X

        #4
        Just great ! I was just promoting the return of custom profiles ! If this is an Issue I would like to know ASAP !
        Designing Your Forum Around The Members Lifestyle becoming A Valuable Asset To The Community With VB Before Trying To Make A Buck.

        Comment

        • IB Adrian
          Former Senior Operations Manager
          • Jul 2008
          • 1688
          • 3.6.x

          #5
          We are investigating it - and should have an answer first thing tomorrow.
          Our understanding at this point in time is that it may only affect the user profile page itself - not the actual site, and isn't a serious concern.
          Adrian
          Adrian

          Comment

          • Loco.M
            Senior Member
            • Mar 2005
            • 4319
            • 3.5.x

            #6
            Originally posted by IB Adrian
            We are investigating it - and should have an answer first thing tomorrow.
            Our understanding at this point in time is that it may only affect the user profile page itself - not the actual site, and isn't a serious concern.
            Adrian
            thank you for confirming
            -- Web Developer for hire
            ---Online Marketing Tools and Articles

            Comment

            • rootsxrocks
              Senior Member
              • Aug 2009
              • 833
              • 4.2.X

              #7
              I did customize my profile , only to return later and find it was reverted to the default, I assumed I somehow hit the button I hope it was not that someone outside the forum was able to modify it.
              Designing Your Forum Around The Members Lifestyle becoming A Valuable Asset To The Community With VB Before Trying To Make A Buck.

              Comment

              • Kevin Sours
                Lead Developer
                • Apr 2008
                • 601
                • 5.5.x

                #8
                There is an exploit within the profile editor code, however that code is only loaded for the user who owns the profile. The result is that you can only be affected by the exploit if you are logged in as the same user who entered the exploit code. Anybody else how views the profile page will not have permissions to edit the profile and will load the profile editor code and so won't get the malicious code. The result is that the risk for this issue is extremely low.
                Kevin

                Comment

                • Loco.M
                  Senior Member
                  • Mar 2005
                  • 4319
                  • 3.5.x

                  #9
                  when can we expect a patch?
                  -- Web Developer for hire
                  ---Online Marketing Tools and Articles

                  Comment

                  • IB Adrian
                    Former Senior Operations Manager
                    • Jul 2008
                    • 1688
                    • 3.6.x

                    #10
                    Given the nature of this issue, in that as an end user you can only exploit it for your profile, and the exploit only is displayed for you, we have downgraded its priority are going to release it as part of our next release, which we should have available next week.
                    Adrian
                    Adrian

                    Comment

                    • Ace
                      Senior Member
                      • Apr 2004
                      • 4051
                      • 4.2.X

                      #11
                      Given that already-"exploited" profiles don't get fixed by the patch, is there a query or other command that can be run to reset the variables?
                      My Live vB5 Site - NZEating.com
                      vBulletin Hosting | vBulletin Services - Need hosting for your vB? Need it installed? Something else? Let me take that hassle off your hands.

                      Comment

                      • Kevin Sours
                        Lead Developer
                        • Apr 2008
                        • 601
                        • 5.5.x

                        #12
                        Originally posted by Ace
                        Given that already-"exploited" profiles don't get fixed by the patch, is there a query or other command that can be run to reset the variables?
                        Can you PM me with a description of what you are seeing and how you got there? I'd like to understand the situation better before I try to answer questions.
                        Kevin

                        Comment

                        • Cody Tubbs
                          New Member
                          • Sep 2010
                          • 3

                          #13
                          This bug doesn't "exploit" other user custom profiles.

                          XSS is an exploitation vector that relies on users to view the page that is infected with the stored XSS code. It can be used to gather your session information, cookies, or keylog if enough space is allowed in the buffer the XSS is stored in, to store enough malicious JS code.
                          In this case, someone can only store the XSS code on their own profile, not an arbitrary users custom profile, so if the question is "is my profile safe", yes, this bug does not allow arbitrary XSS on any profile, only the attackers profile. This does not mean the attacker can't obfuscate a link to his own profile via tinyurl, etc and start throwing that url all over the forum to trick people into viewing his page, in-turn gathering everyones sessions/cookies and taking control of their sessions. He says someone was contacted on the 11th, does anyone know who?

                          Comment

                          • Cody Tubbs
                            New Member
                            • Sep 2010
                            • 3

                            #14
                            Furthermore, the demonstration the fellow used for this XSS bug was accompanied by a rendering bug in windows from 2004. If you haven't patched your windows installation since 2004 you have bigger problems.
                            I may add though that true 0day for windows could have been used in replacement of microsoft bug ID ms07 017.

                            Comment

                            • Loco.M
                              Senior Member
                              • Mar 2005
                              • 4319
                              • 3.5.x

                              #15
                              I see a 2nd patch has been issued, think we can get this locked down?
                              -- Web Developer for hire
                              ---Online Marketing Tools and Articles

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              😀
                              😂
                              🥰
                              😘
                              🤢
                              😎
                              😞
                              😡
                              👍
                              👎