Hi vBulletin,

I've found a way to hack vBulletin and have sent in a report to support@vbulletin.com.
I have yet to receive a response to even state that the email was received.

To put it bluntly this is the sort of attack which could be used to gain access to a forum and masquerade as the user, or worse obtain the users password and use it to hack other systems which that user uses with the same username / password combination.

It would be nice to receive an acknowledgement, whilst I won't use the hack, or tell others how to successfully exploit it, that's not to say there are not others out there who are not as trustworthy as me.

I'm not asking for any monetary compensation, all I'm asking is that the bug report is properly acknowledged and the risk is appropriately mitigated, since I myself frequent several forums powered by vBulletin.

I don't think this is too much to ask.

Andrew

Whenever our system receives an email from an unknown source you get an email back with instructions you must follow to confirm you are human and not a spammer.

Until those instructions are completed we never get the email. Once we do receive the email you will receive another reply with the ticket number generated so you can reply/track the issue.

Please do not post details here- if you do did receive a ticket number please post that so I can look for your message, I don't immediately see it in our queue this morning.

I caution other people before panicking that more often than not exploits we get emailed about turn out to be with older versions of the software already patched or 3rd party modifications- but in the event it is an exploit with the current VB versions we work very hard to patch it as soon as possible and are very grateful to those that help us find such exploits.

What vbulletin version is this about?

I haven't seen any tickets from the email you used to register with.

Please feel free to cc me in on the next time you send it.

Zachery.woods@vbulletin.com

Any off topic / sarcastic / useless posts will be infracted beyond this point. Not the place for it.

Please do not post details here- if you do did receive a ticket number please post that so I can look for your message.
Ahm, wasn't the ticket id supposed to be confidential, because all that's needed to access a ticket is that id? Has that changed, or do I remember that wrongly?

Ahm, wasn't the ticket id supposed to be confidential, because all that's needed to access a ticket is that id? Has that changed, or do I remember that wrongly?
You need the ticketid along with a randomly generated hash.

Ahm, wasn't the ticket id supposed to be confidential, because all that's needed to access a ticket is that id? Has that changed, or do I remember that wrongly?
As lynne pointed out, without the hash the ticketid is pretty useless.

And... Even if you did manage to figure out the random hash we hide sensitive data like passwords and personal details so that they aren't visible even with the hash.

Ah, o.k., I stand corrected there. Thanks for clearing this up.