Two Critical 0-Day Remote Exploits for vBulletin Forum Disclosed Publicly (Version 5)

Alpha1

Administrator
Joined
May 28, 2007
Messages
3,992
What actual issue are they causing you ?
Malicious users on your site should be identified and blocked IMO. Even if they are currently not effective at causing harm. And unsuccessful methods can still cause damage in terms of bandwidth and server resources.
 

Paul M

Limeade Addict
Joined
Jun 26, 2006
Messages
3,924
Well you are entitled to that opinion of course.

I don't see the need to spend much of my time on such things, bandwidth is not an issue.
None have ever caused me an issue with server resources - in fact, spiders cause me more issues.
 

I A 1

Enthusiast
Joined
Jun 7, 2015
Messages
134
What actual issue are they causing you ?

You can never stop attempted attacks, unless you block everyone's access, which would be rather pointless.

At the end of the day, they are not actually getting anywhere, just loading a few useless pages.
You should consider if spending all this time and effort in trying to block them is really worth all the effort.
You are right, I was just worried about any unpatched vulnerability. See the type of url they are trying to load, posted above https://theadminzone.com/threads/tw...losed-publicly-version-5.146394/#post-1109767
It does look like sql injection attempts.

My database was leaked once in the past using Forum Runner exploit which I had forgotten to patch. Now I do not want to repeat the same mistake.
 

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,484
Well you are entitled to that opinion of course.

I don't see the need to spend much of my time on such things, bandwidth is not an issue.
None have ever caused me an issue with server resources - in fact, spiders cause me more issues.
You never let potential hackers go rampant in your setup, the more access you give them the more they can learn. It's like saying here you have all info you want, I dare you to try it.
 

highlander29

Enthusiast
Joined
Nov 3, 2013
Messages
184
My site is under attack almost any day of the year, so here are my suggestions based upon my experience with vbulletin:
Aside from LeadCrow's excellent suggestion to add Cloudflare, consider installing these addons:
vb bad behavior to automatically block bad users and bots. It saved my ass many times.
vbsecurity so that you can add many levels of protection (2FA) and get alerted about anything suspect.

Also block IP ranges at server level.

LiteSpeed Web Server may be an idea as it offers a good set of security settings to automatically ban suspect users. I always was very happy with it when running vbulletin.

And of course add directory passwords through .htaccess for anything that needs to be secured. Especially admincp and modcp.
At first I was alarmed. It looks like this just affects VBulletin 5

https://www.cvedetails.com/cve/CVE-2015-7808/

The fact that it's already been added to Metasploit isn't good.
 

highlander29

Enthusiast
Joined
Nov 3, 2013
Messages
184
My site is under attack almost any day of the year, so here are my suggestions based upon my experience with vbulletin:
Aside from LeadCrow's excellent suggestion to add Cloudflare, consider installing these addons:
vb bad behavior to automatically block bad users and bots. It saved my ass many times.
vbsecurity so that you can add many levels of protection (2FA) and get alerted about anything suspect.

Also block IP ranges at server level.

LiteSpeed Web Server may be an idea as it offers a good set of security settings to automatically ban suspect users. I always was very happy with it when running vbulletin.

And of course add directory passwords through .htaccess for anything that needs to be secured. Especially admincp and modcp.
Totally agree with you on a lot of these things. For anyone who is paying attention - yes, our sites are under attack every day. Everything from illegal resource access requests, password spraying, site scrapers, SQL injection, cross site scripting, attacks on plugins with vulnerabilities, etc.

MFA on privileged accounts. VBSecurity adds a lot of logging and access control options. Application Firewall is a good idea (Incapsula may be better than Cloudflare). File integrity monitoring is a good idea, especially for critical files. Antispam measures. Frequent patching and updates.

I haven't run into this before. http://bad-behavior.ioerror.us/about/. Looks really interesting.
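
An added example, not written by any poster in this thread: one way to triage an access log for the SQL-injection-looking URLs mentioned earlier and turn repeat offenders into candidates for the server-level IP blocks suggested above. The log lines, paths, thresholds and function names are constructed for illustration, and the patterns are a small heuristic set chosen as an assumption, not a complete rule set.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" format (documentation-range
# IPs, hypothetical paths); not taken from the thread or from any real site.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET /forum/index.php?id=1%27+UNION+SELECT+1,2-- HTTP/1.1" 200 512 "-" "x"
203.0.113.7 - - [01/Jan/2024:10:01:03 +0000] "GET /forum/index.php?id=1%20OR%201=1 HTTP/1.1" 200 512 "-" "x"
203.0.113.99 - - [01/Jan/2024:10:01:04 +0000] "GET /forum/search.php?q=%27%3B+SELECT+SLEEP(5)-- HTTP/1.1" 500 0 "-" "x"
198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2024:10:02:05 +0000] "GET /forum/search.php?q=union+rules+select+committee HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3}')
SQLI_RE = re.compile(
    r"union\s+(?:all\s+)?select\b"   # UNION-based extraction
    r"|\bor\s+\d+\s*=\s*\d+"         # tautology such as OR 1=1
    r"|\b(?:sleep|benchmark)\s*\("   # time-based probing
    r"|information_schema",          # schema enumeration
    re.IGNORECASE)

def suspicious_hits(log_text):
    """Count SQLi-looking requests per client address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the expected format
        try:
            ip = str(ip_address(m.group(1)))
        except ValueError:
            continue  # first field is a hostname, not an address
        # Decode twice so double-encoded input (%2527) is normalised too.
        target = unquote_plus(unquote_plus(m.group(2)))
        if SQLI_RE.search(target):
            hits[ip] += 1
    return hits

def block_candidates(hits, min_hits=2, min_hosts=2):
    """Propose single hosts and IPv4 /24 ranges for human review."""
    per_range = defaultdict(set)
    for ip in hits:
        if ip_address(ip).version == 4:
            per_range[str(ip_network(ip + "/24", strict=False))].add(ip)
    return {"hosts": sorted(ip for ip, n in hits.items() if n >= min_hits),
            "ranges": sorted(r for r, ips in per_range.items()
                             if len(ips) >= min_hosts)}
```

The last sample line is a harmless search containing the words "union" and "select"; it is not flagged. Proposed ranges are candidates only, since a /24 can also contain legitimate visitors.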
 

Paul M

Limeade Addict
Joined
Jun 26, 2006
Messages
3,924
At first I was alarmed. It looks like this just affects VBulletin 5

https://www.cvedetails.com/cve/CVE-2015-7808/
That's something from two years ago, not the current reported exploit.

However, both the recently reported exploits also affect vBulletin 5 [only], so will have limited impact (due to the very low uptake of v5).

They will have patched their cloud sites while releasing the patch to the public.
 

highlander29

Enthusiast
Joined
Nov 3, 2013
Messages
184
That's something from two years ago, not the current reported exploit.

However, both the recently reported exploits also affect vBulletin 5 [only], so will have limited impact (due to the very low uptake of v5).

They will have patched their cloud sites while releasing the patch to the public.
Oh yeah look at that. Why did he post something from 2015?
 

Alpha1

Administrator
Joined
May 28, 2007
Messages
3,992
To illustrate that the response to vulnerability reports or rather the lack thereof was the same as in 2015. At least according to the published time line.

3 of Internet Brands' sites are major competitors of mine. Like thousands of others they purchased all 3 on the cheap at the time of the vb4 debacle. If a site like mine would have gone down due to hacking then Internet Brands directly benefits. And with IB owning thousands of sites earning probably well over 100 million, they do benefit from problems their competitors have.

There is no way to prove a relation between any of this, but I do find it suspicious and for me it has been a factor in leaving vbulletin.
 

Paul M

Limeade Addict
Joined
Jun 26, 2006
Messages
3,924
Nothing like a good dose of paranoia. :cautious:
Your sites were not running vB5, so how would they have been hacked by a vB5 exploit ?

(oh, and I also know full well that no such thoughts go into the patch process, I was part of it for six years).
 

ManagerJosh

Adherent
Joined
Oct 24, 2004
Messages
334
Internet Brands couldn't do security even if you gave them a "how to do cybersecurity for dummies" book and a few billion hours of pro-bono professional services
 

highlander29

Enthusiast
Joined
Nov 3, 2013
Messages
184
Internet Brands couldn't do security even if you gave them a "how to do cybersecurity for dummies" book and a few billion hours of pro-bono professional services
I came across this list in the National Vulnerability Database.

There do seem to be a fair number of vulnerabilities that have existed or occurred in VBulletin throughout the years but looking through the list, most of them are 2014 and earlier. Some of the items on the list are for plugins and not associated with Internet Brands. IB bought Jelsoft in 2007 (hard to believe it was that long ago). The number of vulnerabilities when it was owned by Jelsoft actually seems to be much higher and it looks like IB purchased a product with a lot of vulnerabilities. Out of 5 pages of vulnerabilities, it looks like 3 1/2 of them are for 2008 and before which means that Jelsoft was much worse at this than IB.

Anyway, being objective here, I'm not so sure they do a terrible job with this based on the evidence from that perspective. They also notify customers which is helpful.
 

ManagerJosh

Adherent
Joined
Oct 24, 2004
Messages
334
I came across this list in the National Vulnerability Database.

There do seem to be a fair number of vulnerabilities that have existed or occurred in VBulletin throughout the years but looking through the list, most of them are 2014 and earlier. Some of the items on the list are for plugins and not associated with Internet Brands. IB bought Jelsoft in 2007 (hard to believe it was that long ago). The number of vulnerabilities when it was owned by Jelsoft actually seems to be much higher and it looks like IB purchased a product with a lot of vulnerabilities. Out of 5 pages of vulnerabilities, it looks like 3 1/2 of them are for 2008 and before which means that Jelsoft was much worse at this than IB.

Anyway, being objective here, I'm not so sure they do a terrible job with this based on the evidence from that perspective. They also notify customers which is helpful.
Quantity isn't the only thing one needs to look at. The quality too. Just because there is three and a half pages of previous disclosures says something, but it isn't an indicator of the quality of code written. One must also look at what the disclosures were for - that is also an indicator - whether it be SQL injections, XSS, etc. They are all not equal.

For example, on looking at the NVD database, I see on the first page two critically rated CVEs. There were no critically rated CVEs during Jelsoft's time.
 

highlander29

Enthusiast
Joined
Nov 3, 2013
Messages
184
Quantity isn't the only thing one needs to look at. The quality too. Just because there is three and a half pages of previous disclosures says something, but it isn't an indicator of the quality of code written. One must also look at what the disclosures were for - that is also an indicator - whether it be SQL injections, XSS, etc. They are all not equal.

For example, on looking at the NVD database, I see on the first page two critically rated CVEs. There were no critically rated CVEs during Jelsoft's time.
Ok well let's look at that. There were 22 High rated vulnerabilities between 2003 and 2007. Between 2008 and now there have been 11. Half the number of high rated vulnerabilities in twice the amount of time and a lot of those were early on. One of those 11 was a critical. The other critical was for Tapatalk which is a third party add-on.

Interestingly, I decided to search the database for Xenforo and got 0 vulnerabilities identified. That might provide some evidence they are doing a better job than IB.
 

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,320
In my view vBulletin has a fairly poor record when it comes to the number of vulnerabilities found in their software especially when you include their customer database and I'd say their disclosure record there is generally appalling. However product vulnerabilities are usually patched within a reasonable time frame so it's not all bad.
 

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,484
In my view vBulletin has a fairly poor record when it comes to the number of vulnerabilities found in their software especially when you include their customer database and I'd say their disclosure record there is generally appalling. However product vulnerabilities are usually patched within a reasonable time frame so it's not all bad.
Mistakes can always happen but it's how they act that matters. Like you say, nothing wrong with the time frame of fixes, but when it comes to full disclosure that's another matter if customer data is involved. But this is not only the case at Internet Brands but at many companies, especially when they're from the US.
 

Paul M

Limeade Addict
Joined
Jun 26, 2006
Messages
3,924
Interestingly, I decided to search the database for Xenforo and got 0 vulnerabilities identified. That might provide some evidence they are doing a better job than IB.
I don't know why your database search found zero records, I am pretty sure XF have done releases to patch security issues.
The same people who wrote most of the vB code [up to 2008] went on to write XF, so they would have learned a lot from those early problems.

The reality of hacking vB5 is that even if you can, your target site count really is quite small.
Xenforo has now taken over from vBulletin [popularity wise] so it's likely that hackers will pay more attention to it.
 

LeadCrow

Apocalypse Admin
Joined
Jun 29, 2008
Messages
6,575
don't know why your database search found zero records, I am pretty sure XF have done releases to patch security issues.
XF passively gains the security fixes of the libraries and frameworks it's built on top of.

A proper search would scan the update history of those 3rd-party components rather than possibly misleading about the script's security record compared to its individual components'.
 

highlander29

Enthusiast
Joined
Nov 3, 2013
Messages
184
Xenforo has now taken over from vBulletin [popularity wise] so it's likely that hackers will pay more attention to it.
I'm sure that's true. I still like VBulletin 4. It's a great piece of software. Just wish there was a better upgrade path.
 