vbulletin 4 profile customization exploit?


  • [Forum] vbulletin 4 profile customization exploit?

    Is there any info on this?

    Code:
    If you have a vBulletin 4.x forum, turn off profile customization immediately! (Security Advisory) #vbulletin (wait for the patch) #intern0t

    I saw this last night, I asked for info and their response was..
    Code:
    Yes, an advisory will be disclosed within the next 24 hours since Jelsoft isn't taking it serious.



    So my question is, should we disable profile customization until a patch is released?
    I did anyway for our regular groups, not mods or smods just to be sure.
    -- Web Developer for hire
    ---Online Marketing Tools and Articles

  • #2
    I have disabled mine as well until I hear further.
    Nation of Blue - Kentucky Wildcats Sports


    Some CMS Goodness: Add Avatar to Article



    • #3
      Unless it's Twitter lagging... back to the point where Jelsoft would have been the group to be concerned about it..
      My Live vB5 Site - NZEating.com
      vBulletin Hosting | vBulletin Services - Need hosting for your vB? Need it installed? Something else? Let me take that hassle off your hands.



      • #4
        Just great! I was just promoting the return of custom profiles! If this is an issue I would like to know ASAP!
        Designing Your Forum Around The Members Lifestyle becoming A Valuable Asset To The Community With VB Before Trying To Make A Buck.



        • #5
          We are investigating it - and should have an answer first thing tomorrow.
          Our understanding at this point in time is that it may only affect the user profile page itself - not the actual site, and isn't a serious concern.
          Adrian


          • #6
            Originally posted by IB Adrian View Post
            We are investigating it - and should have an answer first thing tomorrow.
            Our understanding at this point in time is that it may only affect the user profile page itself - not the actual site, and isn't a serious concern.
            Adrian
            Thank you for confirming.
            -- Web Developer for hire
            ---Online Marketing Tools and Articles



            • #7
              I did customize my profile, only to return later and find it was reverted to the default. I assumed I somehow hit the button; I hope it was not that someone outside the forum was able to modify it.
              Designing Your Forum Around The Members Lifestyle becoming A Valuable Asset To The Community With VB Before Trying To Make A Buck.



              • #8
                There is an exploit within the profile editor code, however that code is only loaded for the user who owns the profile. The result is that you can only be affected by the exploit if you are logged in as the same user who entered the exploit code. Anybody else who views the profile page will not have permissions to edit the profile and will load the profile editor code and so won't get the malicious code. The result is that the risk for this issue is extremely low.
                Kevin



                • #9
                  When can we expect a patch?
                  -- Web Developer for hire
                  ---Online Marketing Tools and Articles



                  • #10
                    Given the nature of this issue, in that as an end user you can only exploit it for your profile, and the exploit only is displayed for you, we have downgraded its priority and are going to release it as part of our next release, which we should have available next week.
                    Adrian


                    • #11
                      Given that already-"exploited" profiles don't get fixed by the patch, is there a query or other command that can be run to reset the variables?
                      My Live vB5 Site - NZEating.com
                      vBulletin Hosting | vBulletin Services - Need hosting for your vB? Need it installed? Something else? Let me take that hassle off your hands.



                      • #12
                        Originally posted by Ace View Post
                        Given that already-"exploited" profiles don't get fixed by the patch, is there a query or other command that can be run to reset the variables?
                        Can you PM me with a description of what you are seeing and how you got there? I'd like to understand the situation better before I try to answer questions.
                        Kevin



                        • #13
                          This bug doesn't "exploit" other users' custom profiles.

                          XSS is an exploitation vector that relies on users to view the page that is infected with the stored XSS code. It can be used to gather your session information, cookies, or keylog if enough space is allowed in the buffer the XSS is stored in, to store enough malicious JS code.
                          In this case, someone can only store the XSS code on their own profile, not an arbitrary user's custom profile, so if the question is "is my profile safe", yes, this bug does not allow arbitrary XSS on any profile, only the attacker's profile. This does not mean the attacker can't obfuscate a link to his own profile via tinyurl, etc. and start throwing that URL all over the forum to trick people into viewing his page, in turn gathering everyone's sessions/cookies and taking control of their sessions. He says someone was contacted on the 11th, does anyone know who?



                          • #14
                            Furthermore, the demonstration the fellow used for this XSS bug was accompanied by a rendering bug in Windows from 2004. If you haven't patched your Windows installation since 2004 you have bigger problems.
                            I may add though that true 0day for Windows could have been used in replacement of Microsoft bug ID ms07 017.



                            • #15
                              I see a 2nd patch has been issued, think we can get this locked down?
                              -- Web Developer for hire
                              ---Online Marketing Tools and Articles
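
Added example, not part of the thread and not vBulletin code: post #11 asks how to reset values that were already stored, and post #13 explains why stored markup in a profile matters. The sketch below audits stored customization values against an allowlist and nulls the ones that fail; the table `profile_custom`, its columns, the field names and the three value kinds are hypothetical, and the rows are constructed sample data.

```python
import re
import sqlite3

# Allowlist per value kind (kinds are assumed). fullmatch() is used so that
# trailing newlines or extra markup after a valid prefix never pass.
ALLOWED = {
    "color": re.compile(r"#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?|[a-zA-Z]{3,20}"),
    "font": re.compile(r"[A-Za-z0-9 ,-]{1,100}"),
    "url": re.compile(r"https?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~/%-]*)?"),
}

# Constructed sample rows: (userid, field, kind, value).
SAMPLE_ROWS = [
    (1, "title_color", "color", "#336699"),
    (1, "font_family", "font", "Verdana, Arial"),
    (2, "page_background_image", "url", "https://example.com/bg.png"),
    (3, "title_color", "color", "red</style><b>constructed markup</b>"),
    (4, "page_background_image", "url", "javascript:void(0)"),
]

def is_safe(kind, value):
    """True only if the value fully matches the allowlist for its kind."""
    pattern = ALLOWED.get(kind)
    return bool(pattern and pattern.fullmatch(value))

def build_sample_db():
    # In-memory database with a hypothetical schema, for demonstration only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profile_custom "
                 "(userid INTEGER, field TEXT, kind TEXT, value TEXT)")
    conn.executemany("INSERT INTO profile_custom VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def audit(conn):
    """Return (userid, field) for every stored value that fails the allowlist."""
    rows = conn.execute("SELECT userid, field, kind, value FROM profile_custom "
                        "WHERE value IS NOT NULL ORDER BY userid, field")
    return [(u, f) for u, f, k, v in rows if not is_safe(k, v)]

def reset(conn, findings):
    """Null the flagged values (assumes NULL means 'use the default')."""
    conn.executemany("UPDATE profile_custom SET value = NULL "
                     "WHERE userid = ? AND field = ?", findings)
    conn.commit()
    return len(findings)

if __name__ == "__main__":
    db = build_sample_db()
    flagged = audit(db)
    print("flagged:", flagged, "reset:", reset(db, flagged), "left:", audit(db))
```

Run the audit step on its own first and review the flagged rows before applying the reset to real data.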
