A Critical security problem

  • FatalBreeze
    Senior Member
    • Apr 2004
    • 144
    • 3.6.x

    A Critical security problem

    There is a highly critical security problem that can help a hacker take over your vB board.
    I only know it is somehow connected to the file forumdisplay.php and that it's a problem of high forum numbers, for example.

    I don't know the actual problem, so I reported it. Someone broke into my system; luckily he didn't do anything, just warned me.

    Hope you'll do something quickly.
  • Zachery
    Former vBulletin Support
    • Jul 2002
    • 59097

    #2
    What, if anything, does that do?

    Have you installed any hacks? All that gives me is an invalid link and a link to contact the webmaster.

    Comment

    • Scott MacVicar
      Former vBulletin Developer
      • Dec 2000
      • 13286

      #3
      You've failed to show any sort of security error by pointing to an internal vBulletin error page.

      Are you sure the user has actually gained access and isn't just trying to convince you otherwise?
      Scott MacVicar

      My Blog | Twitter

      Comment

      • Floris
        Senior Member
        • Dec 2001
        • 37767

        #4
        Ask the user to kindly write down a report and email it to [email protected] with a link to this thread. Then the developers can investigate.

        Comment

        • FatalBreeze
          Senior Member
          • Apr 2004
          • 144
          • 3.6.x

          #5
          Yes. That user actually hacked the system - he removed my friend's admin access. He was cool with me; he didn't do it to do harm, only to show me that there is a problem that needs fixing.
          And yes, the link I gave you isn't the actual hack (I think). That hacker explained to me that the security problem is there.
          Maybe they add something to the explorer line and exploit. But it is for real.
          Maybe you should contact the vB builders to check it out.

          Comment

          • Floris
            Senior Member
            • Dec 2001
            • 37767

            #6
            Are you sure this is not the recent IE bug that lets you click a link and then they get control over your email/system?

            Comment

            • Zachery
              Former vBulletin Support
              • Jul 2002
              • 59097

              #7
              Scott is one of the developers. You might want to create a support ticket and have the team here check your admincp logs, or if not, server logs if you have access to them.

              Comment

              • Scott MacVicar
                Former vBulletin Developer
                • Dec 2000
                • 13286

                #8
                Apache access logs are ideal.

                I spent the past half hour reviewing forumdisplay but I've failed to see anything which could result in what you said happened. Do you have HTML turned on within your forum?

                Comment

                • FatalBreeze
                  Senior Member
                  • Apr 2004
                  • 144
                  • 3.6.x

                  #9
                  It isn't only my forum. It's every forum in Israel that uses the vBulletin system.
                  And I'm not sure if it is something else; it might be.
                  All I know is that he had gained full access to the board without even having admin access (I know it because he isn't shown as an admin).

                  Maybe I can give you admin access on my forum and you'll see what is wrong, because I know my forum isn't the only one.

                  Comment

                  • Steve Machol
                    Former Customer Support Manager
                    • Jul 2000
                    • 154488

                    #10
                    Unless you can provide more details there is nothing more we can do. There are lots of ways to gain this access that don't involve actual security holes in the software.

                    By the way, which version are you running?
                    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                    Change CKEditor Colors to Match Style (for 4.1.4 and above)

                    Steve Machol Photography


                    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


                    Comment

                    • FatalBreeze
                      Senior Member
                      • Apr 2004
                      • 144
                      • 3.6.x

                      #11
                      I'm running 3.0.1

                      Comment

                      • FatalBreeze
                        Senior Member
                        • Apr 2004
                        • 144
                        • 3.6.x

                        #12
                        Look, he told me that if you write, for example - http://www.vbulletin.com/forum/foru...222293891092831

                        and you put / \
                        somewhere specific in that line, the decoder reads the text between the / \ as a SQL command.

                        Comment

                        • Zachery
                          Former vBulletin Support
                          • Jul 2002
                          • 59097

                          #13
                          There should be no way to execute a SQL query from the forumid area, unless you can give us a specific example or this person can.

                          Comment
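                          Posts #7 and #8 give the practical advice in this thread (check the admincp and Apache access logs rather than reason from a screenshot), and #12/#13 turn on whether anything other than a plain integer ever reached the forum id of forumdisplay.php. The script below is an added example, not vBulletin's code and not posted by anyone in this thread: it reads Apache common/combined log lines and lists the requests whose forum id parameter is not a decimal integer, which is the kind of record a support ticket or a log review would want. It assumes vBulletin's `forumdisplay.php?f=<id>` URL style; the log lines are constructed for the example.

```python
"""Review Apache access-log lines for forumdisplay.php requests whose forum id
parameter is not a plain integer.  Added example; the sample log is constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Prefix of the Apache common/combined log format (referer and user agent,
# if present, follow the size field and are ignored here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Assumption: the forum id travels in the `f` query parameter
# (forumdisplay.php?f=<id>), as in vBulletin 3.x URLs.
FORUM_ID_PARAM = "f"
PLAIN_INT = re.compile(r"[0-9]+")


def parse_line(line):
    """Split one log line into its fields, or return None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_forum_id(target):
    """Return the decoded forum id value if the request targets forumdisplay.php
    and that value is not a plain decimal integer; otherwise return None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/forumdisplay.php"):
        return None
    # parse_qs percent-decodes the values for us, so "12%2F%5C" arrives as "12/\".
    values = parse_qs(parts.query, keep_blank_values=True).get(FORUM_ID_PARAM, [])
    for value in values:
        if PLAIN_INT.fullmatch(value) is None:
            return value
    return None


def flag_requests(lines):
    """Return (ip, timestamp, forum id value) for every flagged request."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not parse instead of guessing
        bad = suspicious_forum_id(rec["target"])
        if bad is not None:
            flagged.append((rec["ip"], rec["ts"], bad))
    return flagged


# Constructed sample log: one ordinary forum view, one request carrying the
# "/ \" characters described in post #12 (percent-encoded, as Apache logs them),
# one unrelated thread view, one non-numeric id, and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2004:12:00:01 +0300] "GET /forumdisplay.php?f=12 HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Jun/2004:12:00:07 +0300] "GET /forumdisplay.php?f=12%2F%5C HTTP/1.1" 200 4810',
    '198.51.100.9 - - [10/Jun/2004:12:00:09 +0300] "GET /showthread.php?t=55 HTTP/1.1" 200 7701',
    '203.0.113.5 - - [10/Jun/2004:12:00:15 +0300] "GET /forum/forumdisplay.php?f=abc HTTP/1.0" 200 4802',
    'this line is not an access-log record',
]

if __name__ == "__main__":
    for ip, ts, value in flag_requests(SAMPLE_LOG):
        print(f"{ts}  {ip}  forumdisplay.php f={value!r}")
```

                          Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines; the output groups naturally by client address, which is what you would hand to support alongside the admincp log entries from the same window.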

                          • Steve Machol
                            Former Customer Support Manager
                            • Jul 2000
                            • 154488

                            #14
                            Your friend is not being truthful with you. He probably has another way in and is sending you on a wild goose chase. The bottom line is there is no security hole in vB that uses the method he is describing and there are no known security holes in vB 3.0.1.

                            Note, this assumes that you do not allow HTML in posts and sigs. If you do, then that alone will open up your forums to security risks.


                            Comment
