Tweet
Security HOLE!!!
We knew when we released this software to a bunch of high school kids that we'd find every hole in vBulletin (zbths.org). 
Here's the one that's distressing:
If a perp knows that a PM is waiting for a user, he can get into their account without knowing that user's password, simply by entering in their username at the log-in screen, and leaving the password blank. The "you entered the wrong password" screen comes up, but so does the PM Popup that we set as the default for every user (instead of loading our GroupWise accounts with e-mail). All the perp has to do is click to view in a new window, and he's in to the user's account.
Now, this seems to be a problem for about half of the accounts we tested - it doesn't happen to everybody, and there doesn't seem to be a pattern. A user in a user group is just like every other user in that user group. We don't have access masks set up.
The potentially detrimental effect is a student or "community member" sending a PM to an administrator or to a faculty member, and getting all kinds of user information that is normally blocked from all except those two user groups. Even worse would be an individual - from anywhere in the world - getting lucky (a PM in a user's account) and getting access to all kinds of information about our students.
We have over 760 students, faculty, parents and community members registered on our vBulletin, called Noiz (our town's name spelled backwards).
Please investigate this problem - why only for some users?
Sincerely,
Galen Panger
P.S. Students/Faculty accessing internet from Windows 98 machines on a Novell network. Internet Explorer 5.
Our data is sketchy, but it seems that we have more success in logging in "illegally" if a user has used that computer before (and have logged out). For some users, no matter what happens, it is easy to log in. For others, it only happens once... strrrrange.
Is there some modification you could make to get around this completely?
Here's the one that's distressing:
If a perp knows that a PM is waiting for a user, he can get into their account without knowing that user's password, simply by entering in their username at the log-in screen, and leaving the password blank. The "you entered the wrong password" screen comes up, but so does the PM Popup that we set as the default for every user (instead of loading our GroupWise accounts with e-mail). All the perp has to do is click to view in a new window, and he's in to the user's account.
Now, this seems to be a problem for about half of the accounts we tested - it doesn't happen to everybody, and there doesn't seem to be a pattern. A user in a user group is just like every other user in that user group. We don't have access masks set up.
The potentially detrimental effect is a student or "community member" sending a PM to an administrator or to a faculty member, and getting all kinds of user information that is normally blocked from all except those two user groups. Even worse would be an individual - from anywhere in the world - getting lucky (a PM in a user's account) and getting access to all kinds of information about our students.
We have over 760 students, faculty, parents and community members registered on our vBulletin, called Noiz (our town's name spelled backwards).
Please investigate this problem - why only for some users?
Sincerely,
Galen Panger
P.S. Students/Faculty accessing internet from Windows 98 machines on a Novell network. Internet Explorer 5.
Our data is sketchy, but it seems that we have more success in logging in "illegally" if a user has used that computer before (and have logged out). For some users, no matter what happens, it is easy to log in. For others, it only happens once... strrrrange.
Is there some modification you could make to get around this completely?
Comment