This version fixes the security-problem and will be released within the next 24 hours, after the staff here verified it is ok :)

Thanks !!!

Many thanks.

Could we also get the patch instructions so that those on older versions can patch up, like last time?

Can you please provide a list of changes made with 2.7.2+ for those of us with heavily-customized arcades? I would like to just fix the security holes if possible :) Thanks for the quick response to the bugs too!

good stuff.

For now i disabled ibPro arcade i have tried to uninstall but seem to be not working anyways looking forward for new release ASAP :)

Great, thanks!

Thanks for the upcoming update.
Could you please explain what the exploit was and what could have happended to our boards?
Are passwords unsecure now or could some code be on our pages?
Please let us know what we can do to be sure that we are unaffected.

Thank you!

Thanks for the upcoming update.
Could you please explain what the exploit was and what could have happended to our boards?
Are passwords unsecure now or could some code be on our pages?
Please let us know what we can do to be sure that we are unaffected.

Thank you!

injection on arcade.php. Allowed a user to gain the MD5 and salt of any user it requested. best way to check if you are infected is to search for the following in your logs


Arcade&do=stats&comment=a&s_id=

If you find injection then follow it up.

...And just when I'd upgraded to 2.7.1 LOL
Anyway - thanks for the quick response Zero = looking forward to install the new version :)

J.

injection on arcade.php. Allowed a user to gain the MD5 and salt of any user it requested. best way to check if you are infected is to search for the following in your logs


Arcade&do=stats&comment=a&s_id=

If you find injection then follow it up.

For those not as tech minded it means a hacker could crack the password for any user on your site.

It would be a good idea to change the passwords of all admin accounts on your site if you had this mod installed.

injection on arcade.php. Allowed a user to gain the MD5 and salt of any user it requested. best way to check if you are infected is to search for the following in your logs


Arcade&do=stats&comment=a&s_id=If you find injection then follow it up.
Sorry for the noob question but which logs must we look at and where do we find them? Thanks.

Sorry for the noob question but which logs must we look at and where do we find them? Thanks.

web server logs, cpanel users can find them in /home/username/logs

Thanks MentaL.
No entries in my logs.

Any updates as to when the new version might be released? Thanks!

Once again we have no updates to a critical modification. Mr Zeropage implies that the update is with vBulletin.org staff for verification. Could we at least have an update regarding timescales? If there's an issue than fair enough, but as usual with vb these days, we are simply left in the dark.

Anxiously awaiting update :) Customer of mine is having a coronary over this, more so, his members ...

It would be nice for someone to update us on what on Earth is going on here.

I am not criticising the mod author here incidentally.

A statement has been made telling us to pull the most popular modification by many multiples. This then cripples many of our sites, or puts us at risk of being hacked.

A further statement is made stating that a patch has been made and will be released within 24 hours.

Two and a half days later - no patch, no further statement, abject silence from everyone.

If there's a delay in the patch because an issue has been found, then fine - but please tell us.

Instead, it seems everyone is content to hammer further nails into the coffin of forums, many of whom are already losing members to Facebook hand over fist.

We all gave our members an update and now WE look like we're the ones ignoring THEM, because vbulletin.org is ignoring US.

I am not complaining about the lack of a patch - I am complaining about the lack of updates.

web server logs, cpanel users can find them in /home/username/logs
Noob question, I can't really find what you're referring to but are you referring to Raw Access Logs?

There was an SQL injection exploit identified for this mod.

After confirming it I quarantined the mod.

I have discussed the exploit with the mod author and am waiting for him to upload a fixed version.

I am keeping a close eye on this and hope to approve the update as quickly as I can once I get it.

Thanks for the update. Let's hope the author will update it.

Noob question, I can't really find what you're referring to but are you referring to Raw Access Logs?

I'm also having some problems finding this. Any help would be greatly appreciated!

I'm also having some problems finding this. Any help would be greatly appreciated!

You have to search for your webserver log file. e.g. access.log
It depends on your webhost where to find this file.

In this file the webserver logs every call to a file on your server. There you need to search for the text posted by MentaL.
If you don't know where to look ask your provider!

^Found it. Thanks!

Oh well, customers don't like to wait ... converted away from IBProArcade, no more waiting.

Everything has been looked over and Mrzeropage will release it.
If anyone has a arcade that I have worked on ( There are lots of you guys ).. DO NOT OVER WRITE , Contact me and we will edit them manually .. or all the work that has been done will be lost!
If you know how to compare files you can do it yourself..
compare version v2.7.1+ with v2.7.2+ to find the code that needs to be added..

waiting for him to upload a fixed version.



MrZ was waiting on you (vb staff) to verified it is ok,, before uploading a new version..

:confused:

MrZ was waiting on you (vb staff) to verified it is ok,, before uploading a new version..

:confused:

I am waiting for him to upload a version with the fix he proposed. Once he does that I can (hopefully) approve it.

If he has a question he should respond in the quarantine thread or PM me.

So now everyone is waiting. The coder vor vB, vB for the the coder and we all for both :D

all good things come to people who wait ;)

will be release as soome and MrZ has a sec ..
life comes first..
then coding

I don't mind waiting. My members understand. In fact, one of my members told me that since I disabled the Arcade her house has never been cleaner. :)

No problem waiting for a fix as long as it makes my site secure :) Gotta fix all those evil holes!

<a href="http://www.rfxn.com/projects/linux-malware-detect/" target="_blank">http://www.rfxn.com/projects/linux-malware-detect/</a>

install this btw if you want to scan for shells. Will do setups and scans for a fee. Need root access though.

Any update on the new release?

J.

just waiting for approval, should be ok within the next hours ...

sorry for the delay, had technical problems and was offline *damn*
now everything back on rails again

Approved and restored.

thanks :)

Sweet! I'd just finished adding a ton of games and made a new module block for my forum's newsletter:

https://vborg.vbsupport.ru/external/2012/02/12.png

And then BAMN! Arcade modification graveyarded = It was a bit frustrating to be sure.
At anyrate - thanks so much! Much appreciation for your fabulous work with this modification MrZeropage!!!
Upgrading momentarily...

J.

Sweet! I'd just finished adding a ton of games and made a new module block for my forum's newsletter:

https://vborg.vbsupport.ru/external/2012/02/12.png

And then BAMN! Arcade modification graveyarded = It was a bit frustrating to be sure.
At anyrate - thanks so much! Much appreciation for your fabulous work with this modification MrZeropage!!!
Upgrading momentarily...

J.

No angry birds?!?!?!?

No angry birds?!?!?!?


Hey Jacquii,,if you dont have angry birds,,I know where you can get it.. ;)

I didn't put the Angry birds screenie in the graphic because it's not particularly my favorite LOL - But indeed I have Angry Birds and even Damn Birds which is kinda kewl. Thanks guys! Just finished patching so arcade is now online = YAY!

J.