VB 5.x Critical Security Patch #2

R0binHood

Habitué
Joined
Nov 23, 2011
Messages
1,322
I love how they hide the discussion about it in the licence holders only forum so the public can't read into it.

What does it patch?
 

BirdOPrey5

#Awesome
Joined
Aug 14, 2008
Messages
4,217
It patches the software.

And honestly, if you're not a license holder, what do you have to discuss about it? Nothing I can think of.
 

\o/

an oddity
Joined
Apr 30, 2018
Messages
191
Maybe the patch also affects nulled forums.
 

R0binHood

> It patches the software.

Yes, but what aspect or issue does it patch?

> It patches the software.
>
> And honestly, if you're not a license holder, what do you have to discuss about it? Nothing I can think of.

It just seems a bit weird that they hide the details of it in a hidden forum. With XF at least they publish what the security fix addresses and they don't try to hide any discussion about it away. Potential customers might want to understand what the severity of the patch is, how it's being communicated and what the reaction of the existing customer community is around the patch.
 

Kevin

Oooh, something shiny!
Joined
Jul 13, 2004
Messages
3,402
> I love how they hide the discussion about it in the licence holders only forum so the public can't read into it.
>
> What does it patch?

There isn't much being discussed about it but based on the description of it in the public announcement and item #14 of Wayne's response here I'd surmise that the new patch is related to the prior exploit [perhaps discovered while looking into patch #1].

Giving vB the benefit of the doubt, it looks like patch #2 is a proactive release.
 

mysiteguy

Devotee
Joined
Feb 20, 2007
Messages
2,992
> It patches the software.
>
> And honestly, if you're not a license holder, what do you have to discuss about it? Nothing I can think of.

Honestly, they simply don't like the optics and bad publicity, but that kind of thinking actually works against them. Putting the details in a non-public forum is not going to shield it in the least from any hacker seeking this information.
 

ManagerJosh

Adherent
Joined
Oct 24, 2004
Messages
331
> Honestly, they simply don't like the optics and bad publicity, but that kind of thinking actually works against them. Putting the details in a non-public forum is not going to shield it in the least from any hacker seeking this information.

The sad thing is that the damage has been done, especially when it hits various tech media outlets. It looks far worse that you didn't acknowledge the problem, and engage customers to help them out.

In this day and age of numerous security incidents and data breaches, transparency is expected - and even more so when you're in the limelight.
 

LeadCrow

Apocalypse Admin
Joined
Jun 29, 2008
Messages
6,469
Are there even enough self-hosted vb5 sites open for this to be a serious concern?
If the majority run on vbCloud they've been patched with no need for further intervention, and anyone on record could simply be notified through the admincp or a newsletter.
 

ManagerJosh

> Are there even enough self-hosted vb5 sites open for this to be a serious concern?
> If the majority run on vbCloud they've been patched with no need for further intervention, and anyone on record could simply be notified through the admincp or a newsletter.

If we assume DigitalPoint's cookie search has been done correctly:

https://tools.digitalpoint.com/cookie-search

Most people are still using vBulletin 4.2.x, followed by vBulletin 3.8.x.
 

MagicalAzareal

Magical Developer
Joined
Apr 25, 2019
Messages
513
> Are there even enough self-hosted vb5 sites open for this to be a serious concern?
> If the majority run on vbCloud they've been patched with no need for further intervention, and anyone on record could simply be notified through the admincp or a newsletter.

I've seen a vB5 site running in production before, I believe it was a community for a YTber with a number of subscribers.
 

gerder

Neophyte
Joined
Jul 10, 2017
Messages
1
Well, I got a vb5 at that time, hackers took over, a patch was released about 30 hours after it was no longer a 0-day exploit.
Got 1 vb 5 on a server, not much activity, just got that old license, let it stay, so to say a dead forum with 1-2 posts a day.

So at the end of the day, hackers/crackers/exploiters took over the server, with 100 domains, this hole got exploited in several different ways, whatever the hacker got in his pockets got uploaded, which means every hack is different.
After the culprit was known, I removed the script, needed to go manually through hundreds of folders, only to see the next day I missed things here and there. It's solved now, but it was a 30h-in-a-row task checking around the clock for this and that, uploaded files, modified stuff, blah, scanning WordPress, fixing custom things, just to re-check some hours later, "it's there again".

It's fixed now, and I can understand the intentions of these things, to make a cent here and there, which will cost people endless hours to fix.

But with this incident, I would never ever touch any VB product, even if I'm aware it can happen to other forum software, this one got handled badly.
 