A Critical security problem

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • A Critical security problem

    There is a highly critical security problem that can help a hacker take over your vB board.
    I only know it is somehow connected to the file forumdisplay.php and that it's a problem of high numbers of forum, for example
    http://www.vbulletin.com/forum/forum...22293891092831

    I don't know the actual problem, so I reported it. Someone broke into my system; luckily he didn't do anything, just warned me.

    Hope you'll do something quickly.

  • #2
    What, if anything, does that do?

    Have you installed any hacks? All that gives me is an invalid link and a link to contact the webmaster.


  • #3
    You've failed to show any sort of security error by pointing to an internal vBulletin error page.

    Are you sure the user has actually gained access and isn't just trying to convince you otherwise?
    Scott MacVicar

    My Blog | Twitter


  • #4
    Ask the user to kindly write down a report and email it to [email protected] with a link to this thread. Then the developers can investigate.


  • #5
    Yes, that user actually hacked the system: he removed my friend's admin access. He was cool with me; he didn't do it to do harm, only to show me that there is a problem that needs fixing.
    And yes, the link I gave you isn't the actual hack (I think). That hacker explained to me that the security problem is there.
    Maybe they add something to the explorer line and exploit. But it is for real.
    Maybe you should contact the vB builders to check it out.


  • #6
    Are you sure this is not the recent IE bug that lets you click a link and then they get control over your email/system?


  • #7
    Scott is one of the developers. You might want to create a support ticket and have the team here check your admincp logs. If not, server logs, if you have access to them.


  • #8
    Apache access logs are ideal.

    I spent the past half hour reviewing forumdisplay but I've failed to see anything which could result in what you said happened. Do you have HTML turned on within your forum?
    Scott MacVicar


  • #9
    It isn't only my forum. It's every forum in Israel that is used by the vBulletin system.
    And I'm not sure if it is something else; it might be.
    All I know is that he had gained full access to the board without even having admin access (I know it because he isn't shown as an admin).

    Maybe I can give you admin access in my forum and you'll see what is wrong, because I know my forum isn't the only one.


  • #10
    Unless you can provide more details there is nothing more we can do. There are lots of ways to gain this access that don't involve actual security holes in the software.

    By the way, which version are you running?
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography

    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


  • #11
    I'm running 3.0.1


  • #12
    Look, he told me that if you write, for example, http://www.vbulletin.com/forum/foru...222293891092831

    and you put / \
    somewhere specific in that line, the decoder reads the text between the / \ as a SQL command.


  • #13
    There should be no way to execute a SQL query from the forumid area, unless you can give us a specific example or this person can


  • #14
    Your friend is not being truthful with you. He probably has another way in and is sending you on a wild goose chase. The bottom line is there is no security hole in vB that uses the method he is describing and there are no known security holes in vB 3.0.1.

    Note, this assumes that you do not allow HTML in posts and sigs. If you do, then that alone will open up your forums to security risks.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
