vb.org Archive


rob01 04-17-2009 04:57 AM

new vb exploit! :S
 
there is a new vb exploit problem!


I'm not sure if it was already fixed in version 3.8.2, but is still available under 3.8.1 and 3.8.2



picture::
https://vborg.vbsupport.ru/external/2009/04/63.jpg


cheers


ahh sorry about the double post... pls delete the other post

Michael.A 04-17-2009 05:13 AM

how did u use the same name????

rob01 04-17-2009 05:15 AM

is a name exploit ! all vb 3.8.* has it

TigerC10 04-17-2009 12:12 PM

It results from a bad import of data, it's not an exploit - it's bad administration.

BlueNinjaGo 04-17-2009 12:55 PM

Quote:

Originally Posted by TigerC10 (Post 1793240)
It results from a bad import of data, it's not an exploit - it's bad administration.

Like how? So I can avoid it...

nexialys 04-17-2009 01:35 PM

an Exploit is something that can help a hacker insert or extract data from the engine, not changing username of a member post...

and from what i see from the screeny, if it's not a very modified vBulletin *(with possible flaws due to modifications) it's a phpBB forum.

TigerC10 04-17-2009 02:09 PM

Quote:

Originally Posted by BlueNinjaGo (Post 1793275)
Like how? So I can avoid it...

One case is if you restore a database backup and an error occurs during restoration. Another, more common occurrence, is when merging one board into another board where the username already exists. I've even experienced it when an admin switches vB over to something else like PHPBB and then switches back over to vB - duplication occurs.

Anyway, after importing data the admin should always check for username duplication.

Quote:

Originally Posted by nexialys (Post 1793299)
an Exploit is something that can help a hacker insert or extract data from the engine, not changing username of a member post...

I disagree, if a person were able to change their username upon post - it is still an exploit. It may not be a traditional "hack", but it is still considered an exploit.

Quote:

Originally Posted by nexialys (Post 1793299)
and from what i see from the screeny, if it's not a very modified vBulletin *(with possible flaws due to modifications) it's a phpBB forum.

If it is a PHPBB forum, then they're using the vBulletin online status image next to the username.

rob01 04-17-2009 02:18 PM

is not PHPBB

is not a bad merge since this forum has been using vb since ages, and is not a database backup, since this is possible to do in other vb forums

cheers

i dont think the other vb forums have the same problem of bad import data

but this forum is since 2007 or older.. and they always have used vb

TigerC10 04-17-2009 02:57 PM

It could be a database backup, do you host this website yourself or do you have a hosting provider? Because I've known hosting providers to lose servers and restore backups only to have a hitch in the backup or in the restoration of the backup.

EDIT:
Nevermind, I figured this one out. Instead of using a standard "M" in the username, this person used the Greek letter Mu HTML character code "&Mu;" or "&#924;". This allows for a completely new user with the name that looks just like someone else's since the character "Mu" is not the same as M.

Here's a list of some other Greek symbols that can be used for registration fake outs:
http://www.w3schools.com/tags/ref_symbols.asp

Alpha, Beta, Epsilon, Zeta, Eta, Iota, Kappa, Mu, Nu, Omicron, Rho, Tau, Upsilon, Chi


To fix it, add these to your illegal user names

AdminCP -> vBulletin Options -> User Registration Options -> Illegal User Names
Code:

Α Β Ε Ζ Η Ι Κ Μ Ν Ο Ρ Τ Υ Χ ν ο
Or if you really want to be strict about it, just add a singular semicolon like ';' to the illegal name list.
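A registration-time check for the lookalike-username problem described in the post above, as an added example that is not part of the original thread and is not vBulletin code. It decodes HTML character codes, folds the Greek letters listed in the post to the Latin letters they imitate, and compares the result against existing names; the function names and sample usernames are constructed for illustration, and the map covers only the letters the post lists.

```python
import html
import unicodedata

# Greek letters listed in the post -> the Latin letter each one imitates.
_LOOKALIKES = {
    "CAPITAL LETTER ALPHA": "A", "CAPITAL LETTER BETA": "B",
    "CAPITAL LETTER EPSILON": "E", "CAPITAL LETTER ZETA": "Z",
    "CAPITAL LETTER ETA": "H", "CAPITAL LETTER IOTA": "I",
    "CAPITAL LETTER KAPPA": "K", "CAPITAL LETTER MU": "M",
    "CAPITAL LETTER NU": "N", "CAPITAL LETTER OMICRON": "O",
    "CAPITAL LETTER RHO": "P", "CAPITAL LETTER TAU": "T",
    "CAPITAL LETTER UPSILON": "Y", "CAPITAL LETTER CHI": "X",
    "SMALL LETTER NU": "v", "SMALL LETTER OMICRON": "o",
}
GREEK_TO_LATIN = {
    ord(unicodedata.lookup("GREEK " + name)): latin
    for name, latin in _LOOKALIKES.items()
}

def skeleton(username: str) -> str:
    """Reduce a username to the form a reader would perceive."""
    text = html.unescape(username)               # "&Mu;" or "&#924;" -> Greek Mu
    text = unicodedata.normalize("NFKC", text)   # fold compatibility forms
    # Translate before casefold: casefold would turn capital Mu into small mu,
    # which is not in the map.
    return text.translate(GREEK_TO_LATIN).casefold()

def scripts(username: str) -> set:
    """Scripts of the letters in the name, taken from Unicode character names."""
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in html.unescape(username) if ch.isalpha()
    }

def check_registration(candidate: str, existing: list):
    """Return a rejection reason, or None if the name is acceptable."""
    taken = {skeleton(name): name for name in existing}
    clash = taken.get(skeleton(candidate))
    if clash is not None:
        return f"looks like existing user {clash!r}"
    found = scripts(candidate)
    if len(found) > 1:
        return "mixes scripts: " + ", ".join(sorted(found))
    return None
```

Unlike a blanket ban on the listed characters, this accepts a username written entirely in Greek as long as it does not collide with an existing name.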

BlueNinjaGo 04-17-2009 03:23 PM

Nevermind, didn't see your edit.

ch1nkayy 04-18-2009 04:26 PM

---------------------

TigerC10 04-18-2009 09:19 PM

Quote:

Originally Posted by ch1nkayy (Post 1793999)
This is done by using "weird" characters. =)

As you can see, I already mentioned that...

Quote:

Originally Posted by TigerC10 (Post 1793336)
Nevermind, I figured this one out. Instead of using a standard "M" in the username, this person used the Greek letter Mu HTML character code "&Mu;" or "&#924;". This allows for a completely new user with the name that looks just like someone else's since the character "Mu" is not the same as M.

Here's a list of some other Greek symbols that can be used for registration fake outs:
http://www.w3schools.com/tags/ref_symbols.asp

Alpha, Beta, Epsilon, Zeta, Eta, Iota, Kappa, Mu, Nu, Omicron, Rho, Tau, Upsilon, Chi


To fix it, add these to your illegal user names

AdminCP -> vBulletin Options -> User Registration Options -> Illegal User Names

...

Or if you really want to be strict about it, just add a singular semicolon like ';' to the illegal name list.


Michael.A 04-18-2009 10:31 PM

thanks for telling me this, that will help me a lot :)

TNCclubman 04-18-2009 10:48 PM

thread title should be changed so as to avoid confusion...

