vbBux & vbPlaza Removal
Neal-UK
02-06-2007, 06:20 AM
Thanks for letting me know of the exploit, but now vb.org have removed the mod altogether from vb.org, I have no idea what files I must remove off my server and what changes I can revert to already modified templates.
When removing a hack, is it not advisable to leave a list of the files and where they would normally be uploaded to as well as the instructions for install / uninstall?
rjmjr69
02-06-2007, 06:31 AM
Well, you should really keep a history of changes; there's actually a built-in feature that allows you to, I guess, basically take a snapshot of the before.... Just a suggestion for future installs. And I still have the complete install files. I'll up the readme; just reverse your steps.
http://rapidshare.com/files/15151802/readme.txt.html
Sorry, I do not usually use RapidFire, I hate it, but my normal host is doing upgrades to the software and server. I normally use http://www.mediafire.com
Well hope this helps you out.
Neal-UK
02-06-2007, 06:35 AM
Can you send me the read me or attach it to this thread for the install please if you don't mind. I do keep a history, in my installed hacks section on vb.org....
hitboy
02-06-2007, 07:01 AM
So what's wrong with vbbux, it's hackable or something? What other options are there besides icash??? For the latest version of VB?
Neal-UK
02-06-2007, 07:15 AM
Well, you should really keep a history of changes; there's actually a built-in feature that allows you to, I guess, basically take a snapshot of the before.... Just a suggestion for future installs. And I still have the complete install files. I'll up the readme; just reverse your steps.
http://rapidshare.com/files/15151802/readme.txt.html
Sorry, I do not usually use RapidFire, I hate it, but my normal host is doing upgrades to the software and server. I normally use http://www.mediafire.com
Well hope this helps you out.
That's much appreciated, thank you. :up:
Can you let me know what files went where so they can all be removed? Thanks again.
Mmm, what kind of exploit was detected there?
It's been a long time we are on vbux..
Removing it will be a reason for huge questions from users.
Neal-UK
02-06-2007, 07:27 AM
I think just disabling it will be enough.
Mudvayne
02-06-2007, 07:36 AM
Can you let me know what files went where so they can all be removed? Thanks again.
You can disable the modification & use it again when someone provides a fix :). Why do you want to uninstall, as that'll remove all the data?
Neal-UK
02-06-2007, 07:40 AM
Not worth the risk to be honest, and I've only in the last week installed it on the site. I used to run it on another but got fed up of the template changes, etc. when a new vb came out, so to be honest I'd rather just get rid.
It's a good hack, just too many things to mess with when there's an update to the forums, etc....
Paul M
02-06-2007, 11:07 AM
Artificial_Alex reported an exploit which we investigated and confirmed - not only that but the investigations revealed other exploits in the code as well. As per our policy on such matters, the modification has been removed until such time as the holes are fixed.
I know why you don't want to reveal the exploits, but could you post it in the private coder discussion so other coders can help fixing it? It is a great hack and I believe everybody wants it back as soon as possible.
Reeve of shinra
02-06-2007, 01:50 PM
I agree, it would help if we knew the exploits so we could help fix or patch it.
Maybe in the future, these threads could be closed so that only the people who clicked install and the author can view it. This way, new people can't download it but people with it already installed can see about fixing it.
Acers
02-06-2007, 02:21 PM
Unfortunately, if you announce it, I suppose you automatically leave all customers who might not have had a chance to disable it open to being exploited.
Xplorer4x4
02-06-2007, 02:45 PM
Not worth the risk to be honest, and I've only in the last week installed it on the site. I used to run it on another but got fed up of the template changes, etc. when a new vb came out, so to be honest I'd rather just get rid.
It's a good hack, just too many things to mess with when there's an update to the forums, etc....
If members can't use the hack (since it is disabled) then there would be no risk that I can think of.
Just update the templates manually. That is what I do when there is a new release. It doesn't usually require much effort.
Neal-UK
02-06-2007, 03:55 PM
So, is it a good idea then that when a hack is removed, at least the uninstall features for the mod are still listed? That way, people can remove a problem modification and the files from the server?
Paul M
02-06-2007, 04:05 PM
I know why you don't want to reveal the exploits, but could you post it in the private coder discussion so other coders can help fixing it
Sorry but no, we will not reveal details of the exploits.
But the staff is fixing it, right? I think Brad fixed the shoutbox as it is widely used.
Guest190829
02-06-2007, 07:42 PM
But the staff is fixing it, right? I think Brad fixed the shoutbox as it is widely used.
No...the protocol says the staff may fix it if time is granted. With the shout box, it was just fortunate that it was fixed by a staff member.
Distance
02-06-2007, 09:17 PM
Unfortunately they did a bad job with it, making more bugs.. making Zero Tolerance stop releasing on vBulletin.org
Paul M
02-06-2007, 09:26 PM
They?
We've already been down this road in another thread, it doesn't need another discussion here, please stick to the current topic.
Distance
02-06-2007, 10:51 PM
Sorry.. But another thread? May I have linkage.. I can't see.. I'm not stirring things up, I'm just wondering as I know him quite well (Scot)
And that sucks... although I have never used it, it's a shame.. such a good mod to go to waste
hitboy
02-07-2007, 02:03 AM
So wait, I don't understand, if I keep using vbbux will my site get hacked?
Top X stats was also fixed by one of the vb staff......
why not vbux?
this too is a popular mod... for vb
Exitilus
02-07-2007, 03:27 AM
FYI .. The Developer has returned and is looking into this issue. See the Premium Forum for updates.
rjmjr69
02-07-2007, 04:17 AM
FYI .. The Developer has returned and is looking into this issue. See the Premium Forum for updates.
Has there been a fix announced?
Exitilus
02-07-2007, 04:32 AM
No but someone has posted a "possible" fix.
Neal-UK
02-07-2007, 06:16 AM
So has anyone got any information on what files need to be removed from my server?
cmx returned?
whoa, good news indeed
let's watch the premium forum
Xplorer4x4
02-07-2007, 07:35 AM
So has anyone got any information on what files need to be removed from my server?
They all start with vbPlaza in the name. Check Admincp, includes, modcp, plugins, vbplaza (obviously huh :p) and vbplaza.php in the forum root.
If you look in the premium support section there is already a partial (not confirmed by CMX) fix. So I would wait. If the plugin is disabled or deleted, users can't use the plaza anyway, so I don't see why it is so necessary to delete the scripts. Also, if you delete the plugin this would erase all the database tables concerning vbplaza, disabling the plaza as well.
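The file locations named in the post above, turned into a dry-run inventory. This is an added example, not part of the original thread or the mod's own uninstall instructions; the forum root path you pass in is an assumption about your install, and the script only lists files, it deletes nothing.

```shell
#!/bin/sh
# Added example: list leftover vbPlaza files so they can be reviewed
# before removal. Directory names are the ones given in the post;
# the forum root argument is an assumption about your installation.

# list_vbplaza_files FORUM_ROOT
# Prints one matching path per line, sorted. Nothing is modified.
list_vbplaza_files() {
    root=${1:?usage: list_vbplaza_files FORUM_ROOT}
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 1
    fi
    {
        # vbplaza.php in the forum root itself.
        find "$root" -maxdepth 1 -type f -iname 'vbplaza.php'

        # Files whose names start with vbPlaza (any case) in the
        # directories the post lists.
        for dir in admincp includes modcp plugins; do
            if [ -d "$root/$dir" ]; then
                find "$root/$dir" -type f -iname 'vbplaza*'
            fi
        done

        # Everything under the vbplaza directory belongs to the mod.
        if [ -d "$root/vbplaza" ]; then
            find "$root/vbplaza" -type f
        fi
    } | sort
}

# Run directly as: sh inventory.sh /path/to/forum
if [ "$#" -gt 0 ]; then
    list_vbplaza_files "$1"
fi
```

If the admin or moderator control panel directories were renamed on your board, adjust the directory list accordingly.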
Paul M
02-07-2007, 10:29 AM
Top X stats was also fixed by one of the vb staff......
why not vbux?
this too is a popular mod... for vb
The staff are not here to fix broken/exploited modifications, occasionally one may do so if they have the time (or use the mod themselves) but that's all. Fixing is the responsibility of the author.
hitboy
02-07-2007, 01:57 PM
Well, I hope this gets fixed as this was the main reason I chose vb in the first place. I need this points system or something like it, but not as simple as icash. I may have to move eh..
Exitilus
02-07-2007, 04:48 PM
All we can do is hope to see a fix soon :)
hitboy
02-09-2007, 02:42 PM
anyone have any word on this??
Aclikyano
02-09-2007, 05:34 PM
So what's wrong with vbbux, it's hackable or something? What other options are there besides icash??? For the latest version of VB?
O YES!.. this is a confirmation from OUR SITE!.
Some user PM'd me about a donation they sent, and it said nice site!
Then I noticed the site was in shambles and turned off!
So I UPLOADED the day before's database backup and removed vbplaza completely!
snobird1211
02-10-2007, 01:49 PM
Yeah, I had a problem as well. I got a bunch of points donated from a user saying alert cookie, and after that members reported popups in the vb plaza with a bunch of numbers in it, so I removed it as well.
hitboy
02-11-2007, 12:23 PM
Wow, this sucks a lot!!! Can the staff at least tell the coder the problems with the mod/plugin? I totally understand it's not good to release it to the public, but telling the actual coder of the mod isn't affecting anyone, and if it does it will be a benefit for all of us..
Paul M
02-11-2007, 02:02 PM
The author is obviously informed of the exploit, it would be a bit hard asking them to fix it if they weren't.
snobird1211
02-11-2007, 02:47 PM
No one should be mad at staff, staff here does a good job, they aren't even required to tell the creators anything. It should be the creator's responsibility to check on his or her product, but thanks to the great staff here they go the extra mile.
As far as problems go, I would like to thank the staff for removing this as it has stopped problems from occurring and may have just saved my site and yours, who knows.
So in my conclusion, thanks staff for removing it and being responsible people to inform us, and also people, the staff has a lot on their hands so don't expect them to fix other people's mods and/or hacks.
No one got mad at the staff..
they aren't even required to tell the creators anything.
But what do your words mean? If they don't inform the author, then they need not inform the user too.
Both are the same.
Tommy12345
02-11-2007, 05:21 PM
If the hacker is not looking to exploit others, he/she would have gone to the author's site and messed it up with the exploit :up:
rogersnm
02-16-2007, 02:10 PM
If a few coders were informed of this exploit then there is a high chance (99%) that it would have been fixed by now. It's a pity a great mod has ceased to exist because of a few exploits.
Marco van Herwaarden
02-16-2007, 05:16 PM
How do you know it is just a "few" exploits?
Sorry, but if the original coder cannot handle it himself, he is always free to contact other coders for assistance. This is not our task.
PS Now that it is about a "big" modification this suddenly is proposed. When (with all respect) a minor modification goes this way, then nobody is offering this. For us each modification is the same, big or small, and we will not act differently.
Tommy12345
02-17-2007, 01:01 AM
Since this is a popular mod, I do not see the big deal of vBulletin taking over and fixing the darn bug. How long does it take? At most a few hrs to reverse engineer. If the exact bug is known, only a few minutes to fix. If I had this mod installed on my forum I would fix it and release it for others to enjoy.
HMBeaty
02-17-2007, 01:05 AM
Since this is a popular mod, I do not see the big deal of vBulletin taking over and fixing the darn bug. How long does it take? At most a few hrs to reverse engineer. If the exact bug is known, only a few minutes to fix. If I had this mod installed on my forum I would fix it and release it for others to enjoy.
How do you know it's A bug and not MANY bugs? How long do you think it took to code something of this size? Also, this is not vBulletin's mod to fix, they didn't create it. Would you like to fix something you didn't create that was this size? Things take time. Be patient, it will get fixed.
LILMORA4
02-18-2007, 01:23 AM
Unbelievable.... I lost a lot of database, I'm wondering if this plays a factor. :confused:
Ntfu2
02-18-2007, 09:12 AM
Since this is a popular mod, I do not see the big deal of vBulletin taking over and fixing the darn bug. How long does it take? At most a few hrs to reverse engineer. If the exact bug is known, only a few minutes to fix. If I had this mod installed on my forum I would fix it and release it for others to enjoy.
Cause it's not vBulletin's work. If they did it, then essentially I can take over any mod and use it all as my own :)
Zachariah
02-18-2007, 01:44 PM
I do not see the big deal of vBulletin taking over and fixing the darn bug.
It's the same anywhere.
EX:
Microsoft Corporation will not take over a 3rd party installed program and fix it because of a security breach it causes in their parent program. It's not only time, energy and cost, but the responsibility taken when something is re-coded and redistributed. Oh ya, there is also intellectual property rights and copyright.
~ from clients that need support after a patch:
" You made a patch and my system does not work "
" I need support for something your company released "
I am sure a patch can be released to fix the problems, but that is up to the original creator.
Tommy12345
02-18-2007, 03:00 PM
vBulletin.org needs to send out an email to ALL members about this problem to prevent people from losing years of data accumulated due to no emergency data backup. :up:
Shazz
02-18-2007, 03:36 PM
vBulletin.org needs to send out an email to ALL members about this problem to prevent people from losing years of data accumulated due to no emergency data backup. :up:
All members?
What if they don't use vBplaza :|
bashy
02-18-2007, 04:39 PM
Originally Posted by Tommy12345
I do not see the big deal of vBulletin taking over and fixing the darn bug.
I am a little bewildered as to the members assuming the staff have
the responsibility to fix issues such as this. Ok so they helped with
the vbshout but that was probably an easy fix or the member of staff
needed the said hack and looked into..
Don't get me wrong, I too have/had this hack on my board, therefore I
would love to see it in action again, as would my members, but ya can't
expect the staff to jump, I s'pose it was the tone more than anything
that gripped my pooh, bugging the staff like this would most certainly
dissuade them in the future should they think about fixing a hack......
Is it gonna get fixed? We will just have to wait and see, I hope so....
btw an email did go out to the members that had the hack installed
(clicked installed). I got one myself and I appreciated the fast response!!
AuroraStorm
02-18-2007, 04:51 PM
I don't hold anyone responsible. My entire site was destroyed but shite happens. It's an unfortunate thing and lessons are learned behind it. It could have been worse because I didn't delete anything and was able to rebuild my site quickly thanks to my buddy Willy so I'm thankful to have the foresight not to delete any of the images and skinz that I uploaded. I usually check this site often and I was surprised someone didn't alert to the problem sooner or maybe they did and I missed it. The hack was, next to the Arcade, the most popular thing on my board and it's missed and hopefully CMX will come back (and I'd be willing to break him off a donation) and get it back up and running...
Here's what I want to know and maybe Zeropage can answer. Can I still run the Ibproarcade without the vbux/vplaza?
vBulletin.org needs to send out an email to ALL members about this problem to prevent people from losing years of data accumulated due to no emergency data backup. :up:
This was done immediately upon learning of the issue.
All users who had clicked Install received the following email:
Official Security Exploit Warning:
The staff has been notified of a potential XSS vulnerability in the vbBux / vbPlaza modification. We have confirmed the exploit along with additional exploits in varying degrees. This notification is to serve as an official warning - it is HIGHLY recommended that you disable/uninstall the modification until a fix is provided.
To review protocol for modifications with confirmed exploits found please visit:
https://vborg.vbsupport.ru/info.php?do=security
Best Regards,
vBulletin.org Staff
.. highlighting the importance of clicking Install, if you want to receive IMPORTANT updates. :)
Tommy12345
02-18-2007, 07:16 PM
This was done immediately upon learning of the issue.
All users who had clicked Install received the following email:
.. highlighting the importance of clicking Install, if you want to receive IMPORTANT updates. :)
Great job. I am going back to the arcade mod to click installed in case I have not done so.
Looks like this exploit is gaining momentum. I just saw a blank website that I was visiting; that site had the mod installed. I warned the webmaster to disable it but..
Zachariah
02-18-2007, 11:43 PM
Can I still run the Ibproarcade without the vbux/vplaza?
Yes.
It's an independent script with a vbux plugin.
tuwebfacil
03-10-2007, 01:48 AM
I think one of my sites was hacked, what do I have to do?
I disabled the hack by now, but I am still hacked. I prefer not to say the type of hacking, to keep other users from being hacked.