vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Hacked by Team Animus? (https://vborg.vbsupport.ru/showthread.php?t=263202)

Boofo 05-14-2011 12:57 AM

Quote:

Originally Posted by aquariumpros (Post 2195405)
Might want to try to understand that ANY AND ALL code is susceptible to exploits - hence the reason there are always updates and patches offered (even for operating systems, and vBulletin core software, etc.).

I don't necessarily agree with the idea that ALL code is susceptible to exploits. It depends on what the code does.

aquariumpros 05-14-2011 01:11 AM

Quote:

Originally Posted by Boofo (Post 2195419)
I don't necessarily agree with the idea that ALL code is susceptible to exploits. It depends on what the code does.

Sorry for the misinterpretation. What I intended to convey was that it's NOT just hacks and mods that are susceptible to being hacked...so removing all mods won't unilaterally make a site safe. This exploit could just as easily have been found in the base vBulletin code; or even an exploit in coding within the server OS, etc.

Vigilance in keeping up to date on ALL software patches & updates is still needed to have any real security; and even then - there's ALWAYS a risk.

Daily back-ups are your only real security.

madshark 05-14-2011 01:59 AM

Quote:

Originally Posted by ChemicalKicks (Post 2195329)
I keep reading "hacked by team Anus".

Haha that would be appropriate wouldn't it? lol At least some of us still see a lighter side.

Just let's not jump at the developer's throat; like aquariumpros said, the issue could've come from anywhere. It's unfortunate that it was Valter who was the one in the primary line of fire this time. Fundamentally the web is worse than reality as far as safety is concerned, so what more do we argue from there?

Boofo is right. Not everything is evil, but there is always someone trying to better something that causes an addition that is slightly overlooked. But if we said "ok, Windows 98 is the shit, we don't need to go anywhere from here", or worse, if Apple said "ok, iMac, that's it, we've done perfect, let's not screw it up", where would we be today?

In that same light, no add-ons at all would be similar to saying "ok, I'm born. I'm vanilla, there are viruses and germs out there, so I'm going to build a sanitized glass orb and live in it the rest of my life." But in a funny kind of way vB allows backups that make risks a little manageable. Life doesn't really give us that option in the ideal form, does it? Something to ponder. Make use of it; I'm sure it's been said a gazillion times before.

Boofo 05-14-2011 02:18 AM

You also have to remember how long Valter's mod was out before it got exploited. All it takes is someone playing around with something long enough to find a way around certain things. Valter is an excellent coder that caught an unlucky break that could happen to any one of us.

AusPhotography 05-14-2011 03:47 AM

Quote:

Originally Posted by Boofo (Post 2195442)
You also have to remember how long Valter's mod was out before it got exploited. All it takes is someone playing around with something long enough to find a way around certain things. Valter is an excellent coder that caught an unlucky break that could happen to any one of us.

+100

Boofo 05-14-2011 04:03 AM

Quote:

Originally Posted by snoopytas (Post 2195453)
+100

Well, it couldn't happen to me, but it could happen to all the rest of the coders. ;)

TheLastSuperman 05-14-2011 04:15 AM

Quote:

Originally Posted by Boofo (Post 2195458)
Well, it couldn't happen to me, but it could happen to all the rest of the coders. ;)

So true ;). :p

Nickbe 05-14-2011 06:33 AM

Quote:

Originally Posted by FallenBeauties (Post 2192550)
After they got into the Admin Panel they could have easily added a plugin which would allow them to upload something on the site, i.e. a PHP shell for modifying the current files, or uploading newer files.

Would that allow them to upload outside of the forum directory? That is what they did to me. The forum directory resides within my public_html (user/public_html/forums); they uploaded files to (user/public_html). I suspect this issue goes deeper than everybody thinks.

TheLastSuperman 05-14-2011 06:37 AM

Quote:

Originally Posted by Nickbe (Post 2195495)
Would that allow them to upload outside of the forum directory? That is what they did to me. The forum directory resides within my public_html (user/public_html/forums); they uploaded files to (user/public_html). I suspect this issue goes deeper than everybody thinks.

If they upload a shell type of script then it's pretty much out the door imo.

http://en.wikipedia.org/wiki/Shell_script

madshark 05-14-2011 06:41 AM

Lol Boofo. But that's the thing with people. You'd use something for years, and the minute something goes wrong you scream and shout and burn it to the ground. Sad reality.

Nickbe, from following the issue quite closely: if they get into the SQL, from there uploading content etc. to your home directory is peanuts apparently (if I recall that bit of info correctly). Well, fundamentally it's the maximum that can be done, isn't it? Unless it escalates to your host's and whole server getting hacked. That is unlikely, I suspect? A vulnerability always results in either losing admin rights of a board, your files being erased or your account used to host the hacker's files on the sly. But this seems to be more of a bragging rights venture by the looks of it? I guess all the small-time hackers will pick up on the yet unpatched boards and continue the mischief.

fxwoody 05-14-2011 10:04 AM

Ok so they can hack the plugin to find a hole and get into the SQL or so....yes??
I was checking Valter's plugin and now it's quarantined, what happened now with it????

Should we disable it or is there a way that Valter will fix it ?!?!?

Can't post in the thread for news :(

Cheers

madshark 05-14-2011 12:13 PM

Yes, essentially that's what I understood reading the posts.

It was quarantined yesterday because someone seems to have found another exploit (a few pages back on this thread I think) even with the latest update. I'd suggest disabling it in the least if you have a large/well known board. I just copied over my rules and uninstalled it completely for now. That dumps the SQL tables as well as I didn't want to risk it.

He will fix it no doubt. The first time around the fix came within a few hours. But there doesn't seem to be any Valter activity yet. He could just be busy elsewhere.

Yeah, once it's quarantined it gets locked. I ended up here for the same reason.

AusPhotography 05-14-2011 12:16 PM

[struck through] I'm not convinced Advanced Forum Rules is the attack vector for the latest round. Sites that have never used it have reportedly been attacked.

Retracted. :o

I found a hole in the cookie handling code due to the use of the PHP eval function.
I.e. the hacker pre-sets a cookie to contain malicious code, and the eval function runs it when it picks up the cookie content (that it was expecting to be something else).


Kym
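An added illustration of the eval-on-cookie pattern Kym describes, placed beside a hardened replacement. This is example code written for this thread, not the Advanced Forum Rules mod's own code; the cookie name (afr_rules), the structure it is expected to carry and the function names are assumptions.

```php
<?php
// Added example (not the AFR mod's code). Cookie name, data shape and
// function names are assumptions used for illustration only.

// --- Vulnerable pattern the thread describes ------------------------------
// A cookie is fully under the visitor's control. Rebuilding a PHP value by
// feeding the raw cookie text to eval() means the server executes whatever
// the visitor chose to store in that cookie, with the web server's privileges.
function load_rules_unsafe(array $cookies): array
{
    $rules = array();
    if (isset($cookies['afr_rules'])) {
        // DO NOT DO THIS: the cookie text is interpreted as PHP source.
        eval('$rules = ' . $cookies['afr_rules'] . ';');
    }
    return is_array($rules) ? $rules : array();
}

// --- Hardened replacement ---------------------------------------------------
// Treat the cookie as data, never as code: parse it with a format that has no
// code semantics (JSON), then validate shape and types against what the
// application actually expects before using any of it.
function load_rules_safe(array $cookies): array
{
    if (!isset($cookies['afr_rules']) || !is_string($cookies['afr_rules'])) {
        return array();
    }
    // Depth limit 2: a flat list of scalar rule ids is all we expect.
    $decoded = json_decode($cookies['afr_rules'], true, 2);
    if (!is_array($decoded)) {
        return array();   // malformed, too deep, or not a list: ignore it
    }
    $clean = array();
    foreach ($decoded as $ruleId) {
        // Only small positive integers are meaningful rule ids; drop the rest.
        if (is_int($ruleId) && $ruleId > 0 && $ruleId < 10000) {
            $clean[] = $ruleId;
        }
    }
    return array_values(array_unique($clean));
}

// Usage inside a request: $rules = load_rules_safe($_COOKIE);
```

Even with the parsing fixed, anything the application relies on for authorization (which rules a member has accepted, for instance) is better kept server-side in the session or the database, with the cookie holding at most an opaque identifier; that way the client cannot influence the decision at all, whether or not the parser is sound.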

kh99 05-14-2011 12:32 PM

Quote:

Originally Posted by madshark (Post 2195550)
He will fix it no doubt. The first time around the fix came within a few hours. But there doesn't seem to be any Valter activity yet. He could just be busy elsewhere.

Valter responded to my PM this morning, it's been fixed and it's awaiting reactivation (or whatever they call it). But yeah, if you have the latest installed it should be disabled now I would think. I don't think you'd actually have to uninstall it because when you disable it the plugins are inactive.

Quote:

Originally Posted by snoopytas (Post 2195551)
I'm not convinced Advanced Forum Rules is the attack vector for the latest round. Sites that have never used it have reportedly been attacked.

That's right, I haven't seen any evidence that this mod was actually used for any attack (not that I've looked that hard - maybe on vbulletin.com?).

As for the "uninstall all mods" person, if you want your server to be safe from hacking unplug it from the internet (and keep it in a locked room).

Zachery 05-14-2011 12:54 PM

Not a single site I have done repair work on was missing the specific mod in question. Not a single site I repaired had no modifications.

kh99 05-14-2011 12:58 PM

Well, fair enough - that's a pretty strong argument.

Disasterpiece 05-14-2011 02:30 PM

Quote:

Originally Posted by fxwoody (Post 2195519)
Ok so they can hack the plugin to find a hole and get into the SQL or so....yes??
I was checking Valter's plugin and now it's quarantined, what happened now with it????

Should we disable it or is there a way that Valter will fix it ?!?!?

Can't post in the thread for news :(

Cheers

I reported the mod yesterday because I found the exploit.

And with the user table info on the 3rd page I even know how they got in there :D
Interesting. It feels like solving a murder case ^^

borbole 05-14-2011 02:40 PM

Quote:

Originally Posted by Disasterpiece (Post 2195590)
It feels like solving a murder case ^^

Well done, Inspector Derrick :D

Frosty 05-14-2011 04:15 PM

Quote:

Originally Posted by Nickbe (Post 2195495)
Would that allow them to upload outside of the forum directory? That is what they did to me. The forum directory resides withing my public_html (user/public_html/forums) they uploaded files to (user/public_html). I suspect this issue goes deeper than everybody thinks.

Hey Nickbe,
They could have firstly uploaded the shell to the forum dir, and then upload another one (because php shells allow browsing of the directories on a certain web hosting account) in another writeable directory.

So yeah, even if they manage to get into your admin panel, and if you have no writeable directories you're pretty much safe.

Zachery 05-14-2011 04:56 PM

That is not completely true, really depends on the servers setup and configuration.

ChromeDome 05-15-2011 02:36 AM

Is "VSa - Advanced Registration" safe?

TheLastSuperman 05-15-2011 04:18 AM

I do want to make one thing perfectly clear!

If you find that a currently installed modification on your site is "Quarantined" or "Discontinued" or in the "Modification Graveyard" for any sort of security issue you need to disable the modification IMMEDIATELY.

You don't want to uninstall unless you truly do not want the functionality otherwise when it's patched/fixed and you update all of your rules are gone or if it was a "Thanks" mod for example all of your thanks would be removed as you uninstalled.

fxwoody 05-15-2011 09:03 AM

Thanks for all the info, guys! Much appreciated ;)

Seems like this one will make others talk, as some might have weaknesses also that have not yet been approached?!?
Tho, even with a good alarm system, if they want to steal, they will find a way loll ;)

I know for a fact that lots of hackers or geeks try to infiltrate anything they can for pleasure; I get so many deny/block IP reports of failed logins in my VPS/WHM that it's nuts!!!! A good firewall and well adjusted server security is always the key to peace and tranquility.....as long as it works lolll ;)

Cheers

AusPhotography 05-16-2011 03:02 AM

https://vborg.vbsupport.ru/showpost.php?p=2195551&postcount=53

I spent an hour on the weekend having a look at the plugin code.
I found an issue with the cookie handling because of the use of an eval function.

The first patch fixed the SQL injection but not cookie injection.

RCKSTR 05-16-2011 10:43 PM

NVM. figured it out

fxwoody 05-17-2011 07:20 AM

Quote:

Originally Posted by RCKSTR (Post 2196532)
NVM. figured it out

Quote:

Originally Posted by snoopytas (Post 2196210)
https://vborg.vbsupport.ru/showpost....1&postcount=53

I spent an hour on the weekend having a look at the plugin code.
I found an issue with the cookie handling because of the use of an eval function.

The first patch fixed the SQL injection but not cookie injection.


Any info that you could share with us regarding the bug that we could fix in the script???

It could help everyone here ;)

madshark 05-19-2011 10:19 AM

Well, Valter's fixed it again. Hopefully that's the end of holes for this one and the poor man being hounded down.

preemz10314 05-20-2011 12:58 PM

I never once used this hack and my forum was hacked twice, once someone using some sort of iframe, and this last time someone edited forum.php to simply say "Xuplena"...

Not sure what is going on; my PC is clean, and I have since added extra security against SQL injections. And I never once used Advanced Forum Rules.

There is also word around hacking forums that there is an exploit out that affects 4.x.x. - 4.1.3

It is confirmed that there is a very new exploit out there. be careful /

Smitty 05-20-2011 01:15 PM

Quote:

Originally Posted by preemz10314 (Post 2197976)
I never once used this hack and my forum was hacked twice, once someone using some sort of iframe, and this last time someone edited forum.php to simply say "Xuplena"... <snip>

That sure changes the game... (bold emphasis mine)

--------------- Added at Unix time 1305900973 ---------------

Quote:

Originally Posted by preemz10314 (Post 2197976)
<snip> It is confirmed that there is a very new exploit out there. be careful /

Where is it confirmed?

Zachery 05-20-2011 01:35 PM

Quote:

Originally Posted by preemz10314 (Post 2197976)
I never once used this hack and my forum was hacked twice, once someone using some sort of iframe, and this last time someone edited forum.php to simply say "Xuplena"...

Not sure what is going on; my PC is clean, and I have since added extra security against SQL injections. And I never once used Advanced Forum Rules.

There is also word around hacking forums that there is an exploit out that affects 4.x.x. - 4.1.3

It is confirmed that there is a very new exploit out there. be careful /

Please don't go around posting FUD. If you do not have a link to an exploit report, chances are there isn't one in the wild.

Delphiprogrammi 05-20-2011 02:51 PM

hi,

Hmmmm, people, give Valter a break. Ok, I wasn't using that mod with a security hole, and I can understand the frustration and anger you feel when your site is hacked, but this coder is human, and humans, regardless of their amount of knowledge, do make mistakes.

The one (and only, for that matter) 100% secure code is the one a human never wrote.

I can't stand the bashing of the mod author; stop it. To me he is a respected coder. I mean, I don't know him, but it's just plain bad to go and criticize all of his work just because of one bad one.

preemz10314 05-20-2011 06:23 PM

Quote:

Originally Posted by Zachery (Post 2197988)
Please dont go around posting FUD. If you do not have a link to an exploit report, chances are there isn't one in the wild.

Check it out and confirm.

*you need to sign up to view their forums*

I am not spreading spam. But the vB team needs to verify this. This is the latest exploit that is going around. Take a look at the date on this thread & post. It is very recent...like I said, I am no hacker or exploiter, nor have I tested it out. But it is something to take a look at...I think there is some credibility to this one.

http://www.hackforums.net/showthread...303176&page=11

http://www.hackforums.net/showthread...1230802&page=2

Disasterpiece 05-20-2011 06:37 PM

This thread is actually about the recent exploit from the AFR mod. If you have general vb exploits, I suggest to send a PM to an administrator.

preemz10314 05-20-2011 06:59 PM

Yea sorry. I did.

Zachery 05-20-2011 09:24 PM

FUD is not spam, FUD is fear uncertainty and doubt.

Please send the full exploit information to sales@vbulletin.com

vijayninel 05-20-2011 11:38 PM

Quote:

Originally Posted by Disasterpiece (Post 2198100)
This thread is actually about the recent exploit from the AFR mod.

So it's not any new exploit as such.

jimsflies 05-23-2011 12:28 AM

How do you go about tracking down the add-on that was the problem? I got rehacked tonight by Team Animus and had also upgraded my Advanced Forum Rules mod earlier this month after the first time.

Paul M 05-23-2011 01:01 AM

AFR was updated again a few days ago, did you install that ?

jimsflies 05-23-2011 01:27 AM

No it wasn't...I realized that after posting here and backtracking to find the cause..found snoopytas' post about the cookie vulnerability. It's updated now though. Hopefully this time I can put this behind me...

--------------- Added at Unix time 1306166227 ---------------

Also found that they not only added vba.php to the includes folder, they also added it to includes/xml/includes as well as a file called include_bbs.php to both of those directories as well.
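A file-integrity check of the kind that would surface the extra vba.php and include_bbs.php files jimsflies describes in includes/ and includes/xml/includes. This is an added example, not vBulletin's own tooling; the baseline-manifest approach, the constructed directory layout and the function names are assumptions. Run it from the command line with the PHP CLI.

```php
<?php
// Added example (not vBulletin's code): compare a web tree against a hash
// manifest taken right after a clean install or upgrade, and report files
// that were added, modified or removed since. Layout below is constructed.

// Walk $root recursively; return [relative path => sha256] for regular files.
function hash_tree(string $root): array
{
    $hashes = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if ($file->isFile()) {
            $rel = substr($file->getPathname(), strlen($root) + 1);
            $rel = str_replace(DIRECTORY_SEPARATOR, '/', $rel);
            $hashes[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

// Diff two manifests. 'added' = present now but not in the baseline (the
// vba.php case), 'modified' = hash changed (a tampered forum.php would land
// here), 'missing' = in the baseline only.
function compare_tree(array $baseline, array $current): array
{
    $added = array_keys(array_diff_key($current, $baseline));
    $missing = array_keys(array_diff_key($baseline, $current));
    $modified = array();
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if ($hash !== $baseline[$path]) {
            $modified[] = $path;
        }
    }
    return array('added' => $added, 'modified' => $modified, 'missing' => $missing);
}

// --- Demonstration on a constructed tree in a temp directory ---------------
$root = sys_get_temp_dir() . '/vb_integrity_demo_' . getmypid();
mkdir("$root/includes/xml/includes", 0700, true);
file_put_contents("$root/includes/init.php", "<?php // clean file\n");
file_put_contents("$root/includes/xml/sample.xml", "<sample/>\n");

// 1. Baseline: hash the clean tree and keep the manifest off the web server.
$baseline = hash_tree($root);

// 2. Simulated post-compromise state (constructed): dropped files in both
//    directories named in the thread, plus one core file altered in place.
file_put_contents("$root/includes/vba.php", "<?php // unexpected file\n");
file_put_contents("$root/includes/xml/includes/include_bbs.php", "<?php // unexpected file\n");
file_put_contents("$root/includes/init.php", "<?php // clean file\n// appended line\n");

// 3. Scan and report one finding per line.
$report = compare_tree($baseline, hash_tree($root));
foreach (array('added', 'modified', 'missing') as $kind) {
    foreach ($report[$kind] as $path) {
        echo strtoupper($kind), "\t", $path, "\n";
    }
}

// Remove the demo tree again.
unlink("$root/includes/vba.php");
unlink("$root/includes/xml/includes/include_bbs.php");
unlink("$root/includes/init.php");
unlink("$root/includes/xml/sample.xml");
rmdir("$root/includes/xml/includes");
rmdir("$root/includes/xml");
rmdir("$root/includes");
rmdir($root);
```

The manifest is only as trustworthy as the copy an intruder could not reach, so generate it from a known-good install and store it off the box; re-running the comparison from cron after every upgrade and mod update keeps the baseline current and turns a dropped file into an alert instead of a surprise.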


All times are GMT. The time now is 03:11 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
