Security HOLE!!!

  • Security HOLE!!!

    We knew when we released this software to a bunch of high school kids that we'd find every hole in vBulletin (zbths.org).

    Here's the one that's distressing:

    If a perp knows that a PM is waiting for a user, he can get into their account without knowing that user's password, simply by entering in their username at the log-in screen, and leaving the password blank. The "you entered the wrong password" screen comes up, but so does the PM Popup that we set as the default for every user (instead of loading our GroupWise accounts with e-mail). All the perp has to do is click to view in a new window, and he's into the user's account.

    Now, this seems to be a problem for about half of the accounts we tested - it doesn't happen to everybody, and there doesn't seem to be a pattern. A user in a user group is just like every other user in that user group. We don't have access masks set up.

    The potentially detrimental effect is a student or "community member" sending a PM to an administrator or to a faculty member, and getting all kinds of user information that is normally blocked from all except those two user groups. Even worse would be an individual - from anywhere in the world - getting lucky (a PM in a user's account) and getting access to all kinds of information about our students.

    We have over 760 students, faculty, parents and community members registered on our vBulletin, called Noiz (our town's name spelled backwards).

    Please investigate this problem - why only for some users?

    Sincerely,
    Galen Panger

    P.S. Students/Faculty accessing internet from Windows 98 machines on a Novell network. Internet Explorer 5.

    Our data is sketchy, but it seems that we have more success in logging in "illegally" if a user has used that computer before (and has logged out). For some users, no matter what happens, it is easy to log in. For others, it only happens once... strrrrange.

    Is there some modification you could make to get around this completely?
    Last edited by toejam789; Wed 24th Apr '02, 4:41pm.

  • #2
    1. what version of vB are you using? vB 2.2.5 is the latest supported and secure release... any versions earlier have security bugs which were fixed by 2.2.5
    2. can members do this when browsing using cookies and/or sessions?
    3. are students/members behind some kind of isp proxy?
    :: Always Back Up Forum Database + Attachments BEFORE upgrading !
    :: Nginx SPDY SSL - World Flags Demo [video results]
    :: vBulletin hacked forums: Clean Up Guide for VPS/Dedicated hosting users [ vbulletin.com blog summary ]



    • #3
      Our data is sketchy, but it seems that we have more success in logging in "illegally" if a user has used that computer before (and has logged out). For some users, no matter what happens, it is easy to log in. For others, it only happens once... strrrrange.

      Is there some modification you could make to get around this completely?
      looks like a cookie and proxy problem.. if the computers used to access the forums are shared you need all members to have in their options

      - auto login/remember login details set to NO
      - and no-cache settings in vB admin panel set to YES


      • #4
        info

        Originally posted by eva2000
        1. what version of vB are you using? vB 2.2.5 is the latest supported and secure release... any versions earlier have security bugs which were fixed by 2.2.5
        2. can members do this when browsing using cookies and/or sessions?
        3. are students/members behind some kind of isp proxy?
        1. I'm using 2.2.5 - the latest version (I downloaded it hoping it would fix the problem)
        2. It seems that no matter what they choose - cookies/no cookies - it is still possible to get into their account
        3. Yes, students are behind our school's proxy server (for our T1)



        • #5
          This is a similar scenario to the one that robinchee and I reported last November. It can probably be traced back to faulty proxy software (I still suffer the same at the local hospital over here).
          Toddler from Hell



          • #6
            Re: info

            Originally posted by toejam789


            1. I'm using 2.2.5 - the latest version (I downloaded it hoping it would fix the problem)
            2. It seems that no matter what they choose - cookies/no cookies - it is still possible to get into their account
            3. Yes, students are behind our school's proxy server (for our T1)
            okay you need to do 2 things...

            1 a) you have to disallow the use of the remember login info/auto login check box in modifyoptions and registercoppa and registeradult templates. This can be done by default checking auto remember log in info to 'NO' and then commenting out the 'Yes' check box - this will mean members need to login each time they visit the forum

            1 b) you need to change all members currently in database to not remember login info, using phpmyadmin or from telnet/shell mysql client run this query on your database for vB
            Code:
            UPDATE user SET nosessionhash=0
            2. you need to enable NO-CACHE settings in vB admin panel -> vbulletin options -> httpd headers and output -> NO cache = YES
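The NO-CACHE advice in the post above, expressed as a response-header check. This is an added example, not part of the thread and not vBulletin code: the function names, the sample headers and the `NOW` timestamp are constructed for illustration. It reports why a shared proxy could store a per-user page and hand it to the next person on the same network.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Directives that stop a shared cache storing a response or reusing it unchecked.
PROTECTIVE = {"no-store", "private", "no-cache"}
NOW = datetime(2002, 4, 24, tzinfo=timezone.utc)  # constructed "current time"

# Constructed sample responses (not captured from any real forum).
UNPROTECTED = {"Content-Type": "text/html", "Set-Cookie": "session=constructed-value; path=/"}
HARDENED = {"Content-Type": "text/html", "Set-Cookie": "session=constructed-value; path=/",
            "Cache-Control": "private, no-cache, no-store", "Expires": "0"}

def cache_directives(value):
    """Lower-cased Cache-Control directive names (arguments dropped)."""
    return {p.split("=", 1)[0].strip().lower() for p in value.split(",") if p.strip()}

def already_expired(expires, now):
    """True if Expires is in the past; invalid values such as "0" count as expired."""
    try:
        when = parsedate_to_datetime(expires)
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def shared_cache_findings(headers, now):
    """List reasons a shared proxy could store this response and replay it to another user."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not (cache_directives(h.get("cache-control", "")) & PROTECTIVE):
        findings.append("no private/no-store/no-cache directive for HTTP/1.1 caches")
        if "set-cookie" in h:
            findings.append("Set-Cookie could be replayed with the cached page")
    if "expires" not in h or not already_expired(h["expires"], now):
        findings.append("no past Expires date for HTTP/1.0 caches")
    return findings

if __name__ == "__main__":
    for name, sample in (("unprotected", UNPROTECTED), ("hardened", HARDENED)):
        print(name, shared_cache_findings(sample, NOW))
```
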


            • #7
              SQL command not for auto-login

              Thanks a lot for your help (sorry it took so long to get back to you!).

              I ran the command in phpMyAdmin, and this set all the users to "browse board with cookies = NO"

              Didn't you mean to disable "remember username and password"? Or what?

              I commented out the "remember username and password" part of the user options and registration forms.

              Also, cache is off already.


              Thanks a lot for your help,
              galen



              • #8
                nevermind, I figured out how to do it myself



                • #9
                  so my suggestion is working?


                  • #10
                    Originally posted by toejam789
                    nevermind, I figured out how to do it myself
                    Hiya,
                    Could you please say what you did? It looks like there was a question left over from your other post, three up ^^^. Thanks!

                    mishkan
