Announcement

**alfreema** · Mon 10 Aug '20, 1:33pm

Originally posted by NumNum View Post

My 5.6.1 site was hit and I cannot access either url. I have 444'd it.

For me, I had to remove index.html and replace it with a backup to get the site back to normal. I had to remove a couple more files in my vbulletin root directory based on timestamp too.

And at this time I cannot use 444 permissions, or it causes a different issue.

**Wayne Luke** · Mon 10 Aug '20, 1:45pm

This site operates in a read-only mode. The webserver does not have permissions to write to the general file system.

Okay. Another work around...

Put the site into debug mode.
Log into the AdminCP.
Go to Styles -> Style Manager.
Open the template list for the MASTER style.
Scroll to the bottom where it says Module Templates.
Highlight the widget_php module.
Click the Revert Button.
This will completely delete the template from your site and make the PHP Module inoperative.

**Joe Siegler** · Mon 10 Aug '20, 1:49pm

To be clear, this subject being discussed is this story? I came here looking for what to do about this, but want to make sure this is the same thing being discussed - don't want to start a new thread if this is the same thing. Thank you.

https://twitter.com/thedarktangent/s...13958332596224

https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/

**Wayne Luke** · Mon 10 Aug '20, 1:54pm

Turning off the PHP, Ad, HTML Rendering option will stop the issue. Your Ads will not work though.

**IWorx-Paul** · Mon 10 Aug '20, 1:57pm

Hi, is this the best place to be kept up to date about this issue? Our 5.6.2 forum was hit as well today. Is there a CVE number of track the issue yet?

**elektro-kot** · Mon 10 Aug '20, 2:00pm

Sorry, does the site shutdown (site off in admincp) option helps avoid this exploit problem?

**Joe Siegler** · Mon 10 Aug '20, 2:14pm

Originally posted by elektro-kot View Post

Sorry, does the site shutdown (site off in admincp) option helps avoid this exploit problem?

I would think not, but I'm no expert. I went further than just "the off switch", tho. Imoved the entire directory elsewhere and took the whole bloody thing offline. Left an "off" message in its place.

https://www.black-sabbath.com/vb/index.php

I might be overreacting, but once many years ago I did have a break-in and I don't want that again.

**Joe Siegler** · Mon 10 Aug '20, 2:19pm

Saw your comment Wayne. You refer to that as a "permanent fix", yet the text itself is labeled a "workaround".

I presume a proper fix will require a new version?

**NumNum** · Mon 10 Aug '20, 2:25pm

Originally posted by Wayne Luke View Post

This site operates in a read-only mode. The webserver does not have permissions to write to the general file system.

Okay. Another work around...

Put the site into debug mode.
Log into the AdminCP.
Go to Styles -> Style Manager.
Open the template list for the MASTER style.
Scroll to the bottom where it says Module Templates.
Highlight the widget_php module.
Click the Revert Button.
This will completely delete the template from your site and make the PHP Module inoperative.

What if you've lost access to admincp url, can this be accomplished with tools.php?

**NumNum** · Mon 10 Aug '20, 3:05pm

Originally posted by alfreema View Post

I spoke too soon. Chmod 444 on the vbulletin root directory causes an issue with .htaccess not being readable .

What issue did it cause and how did you resolve it? This might be some of my issue as well.

**Wayne Luke** · Mon 10 Aug '20, 3:06pm

Patches are available. https://forum.vbulletin.com/forum/vb...security-patch

**UKCobra** · Tue 11 Aug '20, 3:56am

My site was also impacted again before there was any communication from vBulletin. I was a 5.6.1 and now fully uptodate. Is there anyway to get a better and earlier notification system in place, even if you are working on a fix.
We were impacted 2 hours before the email confirming the fix came out.
Having been caught by the previous Zero Day issue, I would prefer to know that something is known and being worked upon, and advice to prevent any intrusion.
The email from vB was sent out at 23:56 (BST) and I was asleep. I woke to an email from my ISP who detected something I needed to investigate.
Thankyou for fixing this, how can we be better aware of these things ?
Mark

**Wayne Luke** · Tue 11 Aug '20, 7:34am

We can't notify all customers until Internet Brands top-level management and legal department sign off on it. That is often the most time consuming aspect of releasing a patch. Even the wording of announcements and the proposed fix have to be approved. Unfortunately, I do not foresee that changing in the future.

To be better aware, these forums are the best way. People often bring up issues here before we are made aware of them. Subscribing and getting email notifications if you don't visit daily can help.

**alfreema** · Tue 11 Aug '20, 8:37am

Wayne Luke ...

So I was on 5.6.2 and the 5.6.2 PL 1 patch doesn't contain an "upgrade" folder, so going here (per the instructions on upgrading) doesn't resolve: https://%yourdomain/%forumroot%/install/upgrade.php

That seems okay, since there are only two files in it, so I just manually replaced the two files in there. When I go to the Admin I see:

vBulletin 5.6.2 Latest version available: 5.6.2 Patch Level 1

I did not restart the server, because I wasn't thinking I needed to. I feel like I am "patched" but there is no way for vBulletin to know that since there is no upgrade process.

Does that seem right?

**holymannn** · Tue 11 Aug '20, 9:43pm

should I delete vb5.php and runtime.php?

Announcement

Known Exploit Warning Question

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Related Topics