- Joined
- Jun 28, 2015
- Messages
- 121
Two Critical 0-Day Remote Exploits for vBulletin Forum Disclosed Publicly (Version 5)
- Thread starter H-DB
- Start date
-
- Tags
- security vbulletin 5
- Moderator
- #2
- Joined
- Aug 26, 2010
- Messages
- 8,450
- Joined
- Nov 3, 2013
- Messages
- 186
What the heck?
"The vulnerabilities affect version 5 of the vBulletin forum software and are currently unpatched. Beyond Security claims, it tried to contact vBulletin since November 21, 2017, but received no response from the company."
"The vulnerabilities affect version 5 of the vBulletin forum software and are currently unpatched. Beyond Security claims, it tried to contact vBulletin since November 21, 2017, but received no response from the company."
So it’s been known for over a week and they are only fixing it “soon”?
If I left exploits in our mods for that long, I’d be roasted over an open fire, and rightly so.
- Moderator
- #5
- Joined
- Aug 26, 2010
- Messages
- 8,450
That's what vBulletin support are claiming but the OP linked report states:
The vulnerabilities affect version 5 of the vBulletin forum software and are currently unpatched. Beyond Security claims, it tried to contact vBulletin since November 21, 2017, but received no response from the company.
True, but in this case I see no reason to believe the original report over vB Support as I do not know anything about the person or persons behind Beyond Security. Benefit of the doubt and all that
So I chose to write my post in the most favourable light for IB, which is still pretty bad.
- Moderator
- #7
- Joined
- May 28, 2007
- Messages
- 4,268
I remember a similar thing happened with previous major security exploits. vb only patched after publication of zero day. IIRC it was in 2015 when a wave of forums got hacked. This was one reason why I left vbulletin. I really didn't feel comfortable that vbulletin had my back. On the contrary.
- Joined
- Mar 24, 2010
- Messages
- 240
Damn I just heard about this. I wanted to roast vBulletin again. I see they're still idiots and don't care about customers. Let's hope IB gets sued by outraged vB customers.
BirdOPrey5 you still work at vB? can a fix be expected before Christmas? or the muppets in charge awaiting the site to be hacked for the millionth time? or are they just rolling in cash while not caring still?
BirdOPrey5 you still work at vB? can a fix be expected before Christmas? or the muppets in charge awaiting the site to be hacked for the millionth time? or are they just rolling in cash while not caring still?
- Joined
- Jul 3, 2017
- Messages
- 1,245
This was announced yesterday at vBorg:
Security Patch Released for vBulletin 5.3.2, 5.3.3, and 5.3.4
Security Patch Released for vBulletin 5.3.2, 5.3.3, and 5.3.4
- Moderator
- #10
- Joined
- Jun 26, 2006
- Messages
- 4,077
I see all the usual nonsense in this thread.
Unless you know how VB processes work then you have no basis to make comments like "they're still idiots and don't care about customers"
Anyone can claim they tried to make contact, I could open my window and shout out of it at vB support and claim "I tried to make contact".
Once an exploit has actually been reported, it requires time to investigate it, replicate it, decide how to fix it (without breaking anything else, or introducing more issues) then it has to be tested, it has to be back ported to at least 3 previous versions, tested on them as well, and then all the work to actually package it up and release it.
Anyone who thinks this is a five minute job is utterly clueless.
(and no, I dont have any particular love for IB anymore, I just cannot abide people making uninformed, attacking, comments).
Unless you know how VB processes work then you have no basis to make comments like "they're still idiots and don't care about customers"
Anyone can claim they tried to make contact, I could open my window and shout out of it at vB support and claim "I tried to make contact".
Once an exploit has actually been reported, it requires time to investigate it, replicate it, decide how to fix it (without breaking anything else, or introducing more issues) then it has to be tested, it has to be back ported to at least 3 previous versions, tested on them as well, and then all the work to actually package it up and release it.
Anyone who thinks this is a five minute job is utterly clueless.
(and no, I dont have any particular love for IB anymore, I just cannot abide people making uninformed, attacking, comments).
- Joined
- Jun 8, 2013
- Messages
- 2,735
This has been on my mind since the first time I read this thread. It's amazing that even after two million years has passed, some people are still hating IB so much that their hatred completely impairs their reasoning. It's not surprising also that most of these remnant haters happens to be third party developers whilst the actual former customers had moved on a long time a go.
But what does "tried to contact" actually mean here? Was it a responsible disclosure? Was there any monetary demand? What caused the "no response" from IB? These are the questions that interest me the most instead of the typical IB bashing circle-jerk.
Last edited:
- Moderator
- #12
- Joined
- May 28, 2007
- Messages
- 4,268
This was the published time line of the 0 day exploit in 2015:
https://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/
https://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/
Viewing Who's Online today I noticed several guests trying to access something like the following:
Was that related to this exploit? I am running vB4.
Code:
https://www.domain.com/index.php?id=1%27%7C%7C%28SELECT%20%27ayRR%27%20WHERE%209663%3D9663%20OR%20EXP%28%7E%28SELECT%20%2A%20FROM%20%28SELECT%20CONCAT%280x7171627a71%2C%28SELECT%20%28ELT%281334%3D1334%2C1%29%29%29%2C0x71627a6a71%2C0x78%29%29x%29%29%29%7C%7C%27Was that related to this exploit? I am running vB4.
- Joined
- Jan 26, 2004
- Messages
- 3,571
Not likely - often times, people will issue bots that make basic attempts at blind SQL Injections, so that is what you're likely seeing. I would look into the IP Address of the user and ban them at the server level, if they seem suspicious.
- Joined
- Feb 25, 2013
- Messages
- 4,898
Question & Answer for registration.
- Joined
- Jun 29, 2008
- Messages
- 6,818
You could start with your webhost's web firewall, since it will be a supported solution (like Imunify360).
Cloudflare can block a lot of malicious traffic and mitigate the performance loss from bots visiting or DDOSing your site. It's a handy first defense.
They don't register.
I am on self managed VPS, so I am all on my own. I am not using cloudflare either.
So far I have tried using iptables with the following rule but it seems this doesn't block them out.
Code:
iptables -I INPUT -p tcp --dport 443 -m string --to 170 --algo bm --string 'GET /index.php/?id=1' -j DROPTried adding another rule for port 80 with no luck. I got this from the tutorial here: https://blog.nintechnet.com/how-to-...s-dfind-and-other-web-vulnerability-scanners/
Any security expert here who can help?
- Moderator
- #19
- Joined
- May 28, 2007
- Messages
- 4,268
My site is under attack almost any day of the year, so here are my suggestions based upon my experience with vbulletin:
Asides from LeadCrow 's excellent suggestion to add cloudfare, consider to install these addons:
vb bad behavior to automatically block bad users and bots. It saved my ass many times.
vbsecurity so that you can add many levels of protection (2FA) and get alerted about anything suspect.
Also block IP ranges at server level.
LiteSpeed Web Server may be an idea as it offers a good set of security settings to automatically ban suspect users. I always was very happy with it when running vbulletin.
And ofcourse add directory passwords through .htaccess for anything that needs to be secured. Especially admincp and modcp
Asides from LeadCrow 's excellent suggestion to add cloudfare, consider to install these addons:
vb bad behavior to automatically block bad users and bots. It saved my ass many times.
vbsecurity so that you can add many levels of protection (2FA) and get alerted about anything suspect.
Also block IP ranges at server level.
LiteSpeed Web Server may be an idea as it offers a good set of security settings to automatically ban suspect users. I always was very happy with it when running vbulletin.
And ofcourse add directory passwords through .htaccess for anything that needs to be secured. Especially admincp and modcp
- Moderator
- #20
- Joined
- Jun 26, 2006
- Messages
- 4,077
What actual issue are they causing you ?
You can never stop attempted attacks, unless you block everyones access, which would be rather pointless.
At the end of they day, they are not actually getting anywhere, just loading a few useless pages.
You should consider if spending all this time and effort in trying to block them is really worth all the effort.
You can never stop attempted attacks, unless you block everyones access, which would be rather pointless.
At the end of they day, they are not actually getting anywhere, just loading a few useless pages.
You should consider if spending all this time and effort in trying to block them is really worth all the effort.