View Full Version : VBPager
talenak
07-25-2007, 09:31 PM
Is there any information about the vulnerability? I'd like a little info to figure out what the risk is. My forum is STILL reeling from losing vbplaza and now they are going to friggin riot. lol
I just want to know what I'm getting myself in to if I keep it, or if I need to just hold my breath and jump in the croc pond and uninstall it.
Kirk Y
07-25-2007, 09:54 PM
We cannot disclose the nature of its vulnerabilities as this information could be used to exploit boards who have not disabled or uninstalled it.
budswope
07-25-2007, 10:09 PM
I cannot download the zip for vbpager. I can't seem to find it on my computer either. I have uninstalled the product but I want to be sure I revert all the template edits and delete all the files but I need the zip to do it. How can I get it?
talenak
07-25-2007, 10:40 PM
Right Kirk, I don't want to know HOW to do it. Just what they can do to my forum if they know the exploit.
Like, can they delete posts? Members? Steal cookies? That kind of thing.
Kirk Y
07-25-2007, 10:42 PM
I haven't looked at each and every find for that specific release, but to my knowledge one could conceivably retrieve sensitive information from the database and have it "paged" to them, ironically enough.
MorrisMcD
07-27-2007, 02:23 PM
I haven't looked at each and every find for that specific release, but to my knowledge one could conceivably retrieve sensitive information from the database and have it "paged" to them, ironically enough.
Good enough for me to shut it off.. and keeping it a secret is the best idea.. It makes the vulnerability worse if you start publishing what it does
Dismounted
07-28-2007, 11:25 AM
Here's the readme, for those who need it:
/*======================================================================*\
|| #################################################################### ||
|| # vB Pager 3.0.4 for vBulletin 3.5.x # ||
|| #-------------------------------------------------------------------------------------------------------------------------# ||
|| # Copyright ©2000–2005 WwW.UAEWEB.COM All Rights Reserved. # ||
|| # This file may not be redistributed in whole or significant part. # ||
|| #----------------------------- VBULLETIN IS NOT FREE SOFTWARE -------------------------------- # ||
|| # http://www.vbulletin.com | http://www.vbulletin.com/license.html # ||
|| #################################################################### ||
\*======================================================================*/
vB Pager is a text-based instant messaging system over the community between members.
For more information and updates, visit: https://vborg.vbsupport.ru/showthread.php?t=104609
#############################################################################
############################# New Installation ###################################
#############################################################################
Step 1. Upload all the files from the "files" directory in this zip into your forum directory.
Step 2. Import product-pager.xml as a new product.
Step 3. Edit templates as instructed below.
#############################################################################
############################## TEMPLATE EDITS ###############################
#############################################################################
In the template: MEMBERINFO
=============================
FIND
=============================
<if condition="$show['pm']">
<tr>
<td>
$vbphrase[private_message]:<br />
<a href="private.php?$session[sessionurl]do=newpm&u=$userinfo[userid]" rel="nofollow"><phrase 1="$userinfo[username]">$vbphrase[send_private_message_to_x]</phrase></a>
</td>
</tr>
</if>
=============================
BELOW ADD
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 1 ] -->
<if condition="$vboptions['vbpager_active'] AND $bbuserinfo['userid']">
<tr>
<td>
$vbphrase[pager_vbpager]:<br />
<a href="#" onclick="window.open('pager.php?do=buddylist&puserid=$userinfo[userid]','pagerbuddylist','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=$vboptions[vbpager_width],height=$vboptions[vbpager_height]'); return false;"><phrase 1="$userinfo[username]">$vbphrase[pager_send_pager_message_to_x]</phrase></a>
</td>
</tr>
</if>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 1 ] -->
=============================
In the template: modifyoptions
=============================
FIND
=============================
$customfields[messaging]
=============================
ABOVE ADD
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 2 ] -->
<if condition="$show['pager']">
<fieldset class="fieldset">
<legend><label for="cb_pageroption">$vbphrase[pager_vbpager]</label></legend>
<table cellpadding="0" cellspacing="$stylevar[formspacer]" border="0" width="100%">
<tr>
<td>
$vbphrase[pager_features_pager_messaging_system]
</td>
</tr>
<tr>
<td><label for="cb_pageroption"><input type="checkbox" name="pageroption" value="1" id="cb_pageroption" onclick="toggle_disabled(this.checked, 'pageroptiontbody')" $checked[pageroption] />$vbphrase[pager_enable_pager_messaging]</label></td>
</tr>
<tbody id="pageroptiontbody"<if condition="!$bbuserinfo[pageroption]"> disabled="disabled"</if>>
<tr>
<td><br />$vbphrase[pager_features_pager_messaging_from_buddylist]</td>
</tr>
<tr>
<td><label for="cb_pagerbuddyoption"><input type="checkbox" name="pagerbuddyoption" value="1" id="cb_pagerbuddyoption" $checked[pagerbuddyoption] />$vbphrase[pager_enable_pager_messaging_from_buddylist]</label></td>
</tr>
<if condition="$vboptions['vbpager_playsound']">
<tr>
<td><label for="cb_pagersoundoption"><input type="checkbox" name="pagersoundoption" value="1" id="cb_pagersoundoption" $checked[pagersoundoption] />$vbphrase[pager_enable_pager_sound_notification]</label></td>
</tr>
</if>
</tbody>
</table>
</fieldset>
<else />
<input type="hidden" name="pageroption" value="$bbuserinfo[pageroption]" />
<input type="hidden" name="pagerbuddyoption" value="$bbuserinfo[pagerbuddyoption]" />
<input type="hidden" name="pagersoundoption" value="$bbuserinfo[pagersoundoption]" />
</if>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 2 ] -->
=============================
In the template: navbar
=============================
FIND
=============================
<if condition="$show['pmstats']"><br /><phrase 1="$vbphrase[unread_x_nav_compiled]" 2="$vbphrase[total_x_nav_compiled]" 3="$session[sessionurl_q]">$vbphrase[private_messages_nav]</phrase></if>
=============================
BELOW ADD
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 3 ] -->
<if condition="$show['pager']"><br /><a href="#" onclick="window.open('$vboptions[bburl]/pager.php?action=pager&do=log&folder=inbox','pagerinbox','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=650,height=500'); return false;">$vbphrase[pager_pager_messages]</a><phrase 1="$bbuserinfo[pagerunread]" 2="$bbuserinfo[pagertotal]">$vbphrase[pager_messages_nav_x_y]</phrase></if>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 3 ] -->
=============================
FIND
=============================
<tr><td class="vbmenu_option"><a href="#" onclick="window.open('misc.php?$session[sessionurl]do=buddylist&focus=1','buddylist','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=250,height=300'); return false;">$vbphrase[open_buddy_list]</a></td></tr>
=============================
BELOW ADD
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 4 ] -->
<tr><td class="vbmenu_option"><a href="#" onclick="window.open('$vboptions[bburl]/pager.php?$session[sessionurl]do=buddylist','pagerbuddylist','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=$vboptions[vbpager_width],height=$vboptions[vbpager_height]'); return false;">$vbphrase[pager_open_vbpager]</a></td></tr>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 4 ] -->
=============================
In the template: footer
=============================
FIND
=============================
<script type="text/javascript">
<!--
// Main vBulletin Javascript Initialization
vBulletin_init();
//-->
</script>
=============================
BELOW ADD
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 5 ] -->
$pagermessage
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 5 ] -->
=============================
In the template: postbit (Optional)
=============================
FIND:
=============================
<if condition="$show['reputationlink']"><a href="reputation.php?$session[sessionurl]p=$post[postid]" rel="nofollow"><img class="inlineimg" src="$stylevar[imgdir_button]/reputation.gif" alt="<phrase 1="$post[username]">$vbphrase[add_to_xs_reputation]</phrase>" border="0" /></a> </if>
=============================
Add BELOW:
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 6 ] -->
<if condition="$vboptions['vbpager_active'] AND $bbuserinfo[userid]">
<a href="#" onclick="window.open('pager.php?do=buddylist&puserid=$post[userid]','pagerbuddylist','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=$vboptions[vbpager_width],height=$vboptions[vbpager_height]'); return false;"><img class="inlineimg" src="$stylevar[imgdir_statusicon]/vbpager_icon.gif" alt="<phrase 1="$post[username]">$vbphrase[pager_send_pager_message_to_x]</phrase>" border="0" /></a> </if>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 6 ] -->
=============================
In the template: postbit_legacy (Optional)
=============================
FIND:
=============================
<if condition="$show['reputationlink']"><a href="reputation.php?$session[sessionurl]p=$post[postid]" rel="nofollow"><img class="inlineimg" src="$stylevar[imgdir_button]/reputation.gif" border="0" alt="<phrase 1="$post[username]">$vbphrase[add_to_xs_reputation]</phrase>" /></a></if>
=============================
Add BELOW:
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 7 ] -->
<if condition="$vboptions['vbpager_active'] AND $bbuserinfo['userid']">
<a href="#" onclick="window.open('pager.php?do=buddylist&puserid=$post[userid]','pagerbuddylist','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=$vboptions[vbpager_width],height=$vboptions[vbpager_height]'); return false;"><img class="inlineimg" src="$stylevar[imgdir_statusicon]/vbpager_icon.gif" alt="<phrase 1="$post[username]">$vbphrase[pager_send_pager_message_to_x]</phrase>" border="0" /></a></if>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 7 ] -->
=============================
#############################################################################
############################### EDITS END ###############################
#############################################################################
Step 4. From The Admincp, Edit vB Pager Options and Usergroup Permissions.
Step 5: Enjoy your new hack. And if you haven't already, click install at vBulletin.org.
#############################################################################
############################### Many thanks to #############################
#############################################################################
- nexialys, for his help with the design and style.
- Zero Tolerance and Andreas a.k.a. KirbyDE, for their vB 3.5 tutorials.
#############################################################################
################################### THE END #################################
#############################################################################
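For anyone reverting the template edits by hand, the readme above wraps every edit in START HACK / END HACK comments, so leftovers can be found and stripped mechanically. The following is an added example, not part of the original post or of vB Pager; it assumes each template has been copied out as plain text, and the function name strip_pager_edits and the residue list are hypothetical.

```python
import re

# Marker comments in the form the readme above wraps around every template edit.
MARKER = re.compile(
    r"<!--\s*\[(START|END) HACK='vB Pager'[^\]]*?CHANGEID=\s*(\d+)\s*\]\s*-->")
# Strings the readme's edits introduce; any survivor means an edit is still live.
RESIDUE = ("pager.php", "$pagermessage", "vbpager_")

def strip_pager_edits(template):
    """Return (cleaned_text, removed_change_ids, problems) for one template."""
    out, removed, problems = [], [], []
    pos, open_id = 0, None
    for m in MARKER.finditer(template):
        kind, change_id = m.group(1), int(m.group(2))
        if kind == "START":
            if open_id is not None:
                problems.append(f"CHANGEID {open_id}: START without END, kept")
            out.append(template[pos:m.start()])   # keep text before the block
            pos, open_id = m.start(), change_id
        elif open_id == change_id:
            removed.append(change_id)
            pos, open_id = m.end(), None          # drop START..END inclusive
            if template.startswith("\n", pos):
                pos += 1
        else:
            problems.append(f"CHANGEID {change_id}: END without START, kept")
    if open_id is not None:
        problems.append(f"CHANGEID {open_id}: START without END, kept")
    out.append(template[pos:])                    # unterminated text is kept
    cleaned = "".join(out)
    problems += [f"residual reference: {s}" for s in RESIDUE if s in cleaned]
    return cleaned, removed, problems

# Constructed sample: the footer template after the readme's CHANGEID 5 edit.
FOOTER = (
    "<script type=\"text/javascript\">vBulletin_init();</script>\n"
    "<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 5 ] -->\n"
    "$pagermessage\n"
    "<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 5 ] -->\n"
    "</body>\n")

if __name__ == "__main__":
    cleaned, removed, problems = strip_pager_edits(FOOTER)
    print(cleaned, removed, problems)
```

A block whose END marker is missing is reported and left in place rather than guessed at, so a non-empty problems list means that template still needs a manual look.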
Swampfox
07-30-2007, 12:04 PM
Not asking for details about the vulnerability, I understand why they shouldn't be disclosed, I just have one basic question.
In order to use the exploit, someone would have to have access to the pager system, correct? I'm thinking of limiting access to it to just a specific usergroup on my site, with only people I trust.
Dismounted
07-30-2007, 12:10 PM
Yes, users need to be able to access the pager to actually use the vulnerability.
talenak
07-31-2007, 02:06 AM
My members have voted unanimously to remove the security risk. So away it goes. Thank you for your answer Kirk!
xfaethorx
08-02-2007, 04:37 PM
I have had to disable this plugin as well. Is there an alternative that allows for messages to be sent without the need of java based apps or refreshing? Vbpager was good because of its ajax features and I'm looking for a replacement.
MorrisMcD
08-20-2007, 01:06 AM
I was really hoping someone would have fixed this by now.. Unfortunately no one can help fix it not knowing the exploit yet it is very understandable to not release info about the exploit.. Is anyone on staff working on this or is it a lost cause?
jambo_1969
09-10-2007, 09:42 AM
Are any of the other "pager" systems in the same bracket - i.e. open to vulnerability ?
Dismounted
09-10-2007, 11:59 AM
Are any of the other "pager" systems in the same bracket - i.e. open to vulnerability ?
Not to my knowledge, no.
themajor
09-12-2007, 02:52 AM
my site got destroyed this week... totally gutted... is it possible this happened because i was running the pager?
Dismounted
09-12-2007, 07:11 AM
Yes, it is possible. I am sorry to hear about your board but we did advise everyone to uninstall it. It was left up to you if you were to do it.
themajor
09-12-2007, 06:07 PM
Yes, it is possible. I am sorry to hear about your board but we did advise everyone to uninstall it. It was left up to you if you were to do it.
i am not a regular of these boards sad as it is.
let me ask this... if i create a user group of only select individuals who are allowed to use the pager will i be protected?
Paul M
09-12-2007, 06:15 PM
let me ask this... if i create a user group of only select individuals who are allowed to use the pager will i be protected?
Without going through the code we really couldn't say, there are multiple security holes in it. The only advice is not to use it.
Is anyone on staff working on this or is it a lost cause?
No one on the staff is working on it, nor are they likely to.
themajor
09-12-2007, 06:23 PM
well then does anyone know of the mod closest to this one?