No announcement yet.

security bug report Unassigned/Unconfirmed for >1 week (vb3/vb4)

  • Filter
  • Time
  • Show
Clear All
new posts

  • security bug report Unassigned/Unconfirmed for >1 week (vb3/vb4)

    I reported this problem 1 year ago on forum
    Recently, because of this problem too many real admin passwords (not just hashes) leaked after faq.php incident (via phpmyadmin)
    I reported this problem again on previous week on bug tracker, and it is still Unassigned/Unconfirmed for more then 7 days.

    Problem in short: anyone with database read access (hoster, forum admins, admins of other websites on shared hosting, or hackers, like in case of faq.php incidents) will be able to decode easily very high percent of real passwords (not just hashes), because password protecting hashing feature not doing its work

  • #2
    This is pretty serious if I hear you saying it. Never thought about it though...

    I hope the team sees this pretty soon.


    • #3
      How can a security bug like this be missed?


      • #4
        It's not a bug. It's not a vulnerability. It's a situation. How do you "bug report" a situation?

        I do not know a completely impervious encryption or hashing system for passwords.

        The "solution" I see to this is to tell every vb3.8 site admin to post an announcement on their forums suggesting that users change their passwords because there is a 1/9586342964538643 chance that someone could put in enough effort to crack their password.

        I do understand the issues that most users use the same password on every site, from forums to banking accounts.

        Once access to your MySQL database has been acquired, you're pretty much screwed. This has been this way for 10 years now. I remember when passwords in vBulletin went from plaintext to hashed (around vB 2.2).


        • #5
          The salt was increased from 3 characters to 30 characters in 3.7.7, 3.8.5, 4.0.2 and all subsequent versions as per this announcement:

          Also brute force attacks are easily thwarted by enabling the strikes system.
          Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
          Change CKEditor Colors to Match Style (for 4.1.4 and above)

          Steve Machol Photography

          Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


          • #6
            I use the strikes system on only my staff usergroups. But many of them hate it lol. But it is indeed a useful feature in this event.
            Selling my BigBoard Threads: 193 502, Posts: 1 540 045, Members: 718 566 It is listed here


            • #7
              This is not a security issue imo.


              • #8
                This is not some dire situation like you make it out to be.


                • #9
                  And bug scrubbers are seeing bugs for 4.x only, not 3.x.

                  vBulletin QA - vBulletin Support French - Lead Project Tools developer

                  Next release? Soon(tm)


                  widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.