vbulletin vulnerability allows hackers to find and brute force accounts


Alfa1

Administrator
Joined
May 28, 2007
Messages
3,931
As vbulletin does not support IPv6, it's possible for hackers to query the verify username function for millions of possible usernames and find out what accounts exist on your system. Then they can just bypass the maximum login attempts and brute force those accounts.

I have just encountered a large attack on my big board.

See:
https://theadminzone.com/threads/us-out-of-ipv4-numbers-now-vb-still-incompatible.136539/
http://www.vbulletin.com/forum/foru...blems-and-troubleshooting/4316965-found-a-bug


vbulletin may add this to their tracker (or you may do this for them) so that you can vote for it to be fixed within a few years.

I warned them about IPv6 becoming a problem about 5 years ago. It's still not fixed.
Anyone still using vulnerabulletin should consider whether this is likely to be the last major problem caused by the use of outdated software.
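The post describes two weaknesses: a username-existence oracle and a login limit that can be sidestepped by a client the software cannot address correctly. As an added illustration (not vBulletin code, and not from the thread), the constructed throttle below counts failures per source network and per target account, collapses IPv6 clients to their /64 so rotating addresses inside one allocation does not reset the counter, and treats IPv4-mapped IPv6 addresses as the IPv4 host they represent. Bucket sizes and window are assumed values.

```python
import ipaddress
import time
from collections import defaultdict

# Constructed example: assumed limits, not vBulletin's settings.
MAX_ATTEMPTS = 5        # failures allowed per bucket inside the window
WINDOW_SECONDS = 900    # 15-minute sliding window


def throttle_key(client_ip: str) -> str:
    """Map a client address to the bucket that counts its failed logins.

    IPv4 hosts are counted individually. IPv6 hosts are collapsed to their
    /64, since a single subscriber normally holds an entire /64 and could
    otherwise move to a fresh address for every attempt. IPv4-mapped IPv6
    addresses (::ffff:a.b.c.d) are folded back onto the IPv4 host.
    """
    addr = ipaddress.ip_address(client_ip)
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:
            return str(addr.ipv4_mapped)
        return str(ipaddress.ip_network((str(addr), 64), strict=False))
    return str(addr)


class LoginThrottle:
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = defaultdict(list)   # bucket key -> failure timestamps

    def _recent(self, key, now):
        cutoff = now - self.window
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return self._failures[key]

    def is_locked(self, client_ip, username, now=None):
        """True if either the source network or the target account has
        exhausted its allowance; keeping both counters means neither address
        rotation nor spraying one password across many accounts slips past."""
        now = time.time() if now is None else now
        net_hits = len(self._recent(throttle_key(client_ip), now))
        user_hits = len(self._recent("user:" + username.lower(), now))
        return net_hits >= self.max_attempts or user_hits >= self.max_attempts

    def record_failure(self, client_ip, username, now=None):
        now = time.time() if now is None else now
        self._failures[throttle_key(client_ip)].append(now)
        self._failures["user:" + username.lower()].append(now)
```

The same `throttle_key` bucket can be applied to the username-availability check so that enumeration runs into the same limit as the login form.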
 
Joined
May 4, 2006
Messages
362
Love the reply, which I interpret as...

Yeah you might have found a bug, but we the support team are too lazy to enter it into the bug tracker so do it yourself. This bug will be ignored until then.

Great support!
 

WD

Enthusiast
Joined
Mar 24, 2010
Messages
243
These vBulletin hacks are becoming a bloody joke. I have been researching all these data breaches for the past 2 years or so and it's getting worse.

The interesting thing about my research was vBulletin was one of the most hacked forum scripts next to IPB.

What I find alarming is half these websites have no idea they have been hacked.

Not to alarm you but here's a tiny list from the past two years.

blackhatworld - 700,000+ users info leaked.
nextgenupdate - 1 million+ users info leaked.
d3scene - 400,000+ users leaked.
destructoid - Unknown amount of users compromised as destructoid just closed the forum down and made a new one.. Running vBulletin :eek:
forum.ovh - 170,000+ users leaked.
majorgeeks - 260,000+ users leaked.
ps3hax - 370,000+ users leaked.
psx-scene - 1 million+ users leaked.

And the last, I didn't want to post but vBulletin.org was hacked in 2014 with over 500,000 users having information exposed. (Unrelated to the 2013 breach.)

Yet all the sites above have not informed users.. At some point vBulletin will have to do something or they'll go down.
 

BirdOPrey5

#Awesome
Joined
Aug 14, 2008
Messages
4,217
The interesting thing about my research was vBulletin was one of the most hacked forum scripts next to IPB.
The most popular forum script is also (close to) the most hacked? Seems logical to me... Far more Windows machines hacked than Macs... because Macs have better security? No, because they have poor market share.
 

WD

Enthusiast
Joined
Mar 24, 2010
Messages
243
The most popular forum script is also (close to) the most hacked? Seems logical to me... Far more Windows machines hacked than Macs... because Macs have better security? No, because they have poor market share.
Agree. This wasn't a dig at vBulletin either; I just feel that more can be done than is currently. Many issues will cost money to fix, but in the long run it'll save the vBulletin brand.

As for the Windows/Mac comparison, I agree. Though Macs have had worse issues, such as a virus that could make the batteries explode. (Thankfully fixed lol.)

techfan VB (or rather IB) already gone down the drain in the kitchen.
It has, sadly. It was once a great script and I miss the days I spent hours making vB sites. I just wish IB would inject some much needed funding and stop being such tight ~cough~.
 

Jake

Developer
Joined
Jan 19, 2013
Messages
1,058
The most popular forum script is also (close to) the most hacked? Seems logical to me... Far more Windows machines hacked than Macs... because Macs have better security? No, because they have poor market share.
You're justifying them not fixing an issue that has been pointed out for years....
 

BirdOPrey5

#Awesome
Joined
Aug 14, 2008
Messages
4,217
The brute force issue is marked as fixed in VB5; it was supposedly fixed when VB5 was still in Alpha: http://tracker.vbulletin.com/browse/VBV-367

However there has been no recent discussion on the issue for VB3 and VB4, at this point I'm not sure it will ever be addressed officially for VB3 or VB4.
 

Tracy Perry

Opinionated asshat
Joined
May 25, 2013
Messages
4,991
However there has been no recent discussion on the issue for VB3 and VB4, at this point I'm not sure it will ever be addressed officially for VB3 or VB4.
Can you still officially download from the vB site 3/4 series? If so, then why don't they fix the security issues or discontinue distribution of it if it is marked EOL?
 

VICE

tool
Joined
Jun 8, 2013
Messages
2,735
Because they don't see it as an issue till 2022
Seems like you love to repeat this statement a lot.
Just recently I saw OVH throwing around IP blocks for free.
Perhaps there's validity behind their thinking.
By the time IPv6 is necessary, vB4 will have been obsolete.
 

ozzy47

Tazmanian Veteran
Joined
Oct 18, 2013
Messages
9,007
Once again you are wrong.

It has been an ongoing issue. It was reported in 2011, marked as critical, and was never fixed.

Obviously it is a serious issue, by allowing brute force attacks.
 