Serious administration status vulnerability?

  • Scott MacVicar
    replied
    As I always say, take third-party security announcements with a pinch of salt; if there had been a problem we'd have made a release already and notified everyone.



  • Colin F
    replied
    Scott explains that here: http://www.vbulletin.com/forum/showp...7&postcount=18

    I've removed the link anyhow.



  • coolnikin
    replied
    Originally posted by Colin F
    There are no known vulnerabilities in vBulletin 3.5.4, but 3.5.3 had an XSS issue which may have allowed him to steal a cookie from you.
    Code:
     
    Just came across this, *************************
     
    If mods/admins feel it's not safe to have the link here they can move it.
    Just wanted to know: is there still a vulnerability with 3.5.4, as mentioned on that page?
    Last edited by Colin F; Sat 8th Apr '06, 5:05am. Reason: Removed link



  • Colin F
    replied
    There are no known vulnerabilities in vBulletin 3.5.4, but 3.5.3 had an XSS issue which may have allowed him to steal a cookie from you.



  • Merlock
    replied
    My first action after he was able to break through an IP ban was obviously htaccess blocking and password changing, but I have absolutely no idea what he could have exploited to gain such privileges without a single sign of them, and that somewhat troubles me as well, considering the seriousness of such a vuln.



  • Colin F
    replied
    First off, I'd htaccess protect your AdminCP and ModCP folders. Also, change the passwords on your server (FTP, MySQL, SSH, ...) as well as the passwords of all your staff.

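    An example of the .htaccess protection Colin F recommends above, added here as an illustration rather than taken from the thread or from vBulletin's own files. It assumes Apache 2.4 syntax, the default admincp/ and modcp/ directory names, a password file created with htpasswd and stored outside the web root, and a staff address range of 203.0.113.0/24; all of these are placeholders to adapt.

```apacheconf
# Constructed example .htaccess for the vBulletin admincp/ directory.
# Place an identical copy in modcp/.
# Assumes Apache 2.4 with mod_authn_file and mod_authz_core loaded and
# "AllowOverride AuthConfig" (or "All") set for the forum directory.
# The password file is created outside the web root so it is never served:
#   htpasswd -c /etc/apache2/vb-staff.htpasswd <staff username>
AuthType Basic
AuthName "Forum staff area"
AuthUserFile /etc/apache2/vb-staff.htpasswd

# Require BOTH a valid web-server login AND a staff source address, so a
# stolen forum cookie alone is not enough to reach the control panel.
# 203.0.113.0/24 is a documentation range; substitute the real staff range.
<RequireAll>
    Require valid-user
    Require ip 203.0.113.0/24
</RequireAll>
```

    This second layer of authentication is independent of vBulletin's own login, so it still holds if the forum's session or cookie handling is what was abused.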


  • Merlock
    started a topic Serious administration status vulnerability?
    A few days ago I noticed that a user, who had registered normally on the forum I'm administrating and wasn't given any privileges, has exploited some vulnerability in vB 3.5.3 which apparently gave him complete administration privileges over the entire forum, and thus freedom from bans by both nickname and IP, and he is continuing to exploit this vuln even after the forum has been updated to 3.5.4.

    I've searched around many bug trackers and such but haven't found any mention of such a serious vulnerability in the latest version(s) of vBulletin.
    I know for sure that complete administration privileges are the case because he's even quoted the contents of the administration panel (the reason I had typed in for banning him) to me via PM and written several times in closed topics, as well as the fact that the exploiter is avoiding all bans and restrictions while his status remains that of a regular user; thus all privileges are as they should be, and his user group is still set to "Banned Users".

    Perhaps I missed some confirmation on such a serious issue?