|
Is anyone maintaining VB4? Fixes, etc.?
I am still using VB 4 and am reluctant to try VB5 based on what I read and based on the comparisons in the links below, it looks like very few have moved from VB4 to 5.
https://www.similartech.com/compare/...s-vbulletin-5x https://www.similartech.com/compare/...-5x-vs-xenforo https://www.similartech.com/compare/...-4x-vs-xenforo I would also consider Xenforo but it's an unknown to me after 15 years with VB. Here's the thing: I get this email out of nowhere from some one who says VB4 has a sql injection vulnerability and he wants to report this to my admin. I don't know if this is a scam to get me to pay him to fix it, but the email lists all of my database tables, which makes me uneasy, and they tell me all the data is accessible. Again, possible scam but he has my attention. I report it to my webhosting company to see that they think (and they are very good) and they tell me since VB4 is at end of life, I should upgrade to VB5 or risk continued security breaches. Hence, the title of this post - is anyone out there still updating VB4 for security patches, etc.? Another question, what's your thought on that provocative email? scam, threat or something else? Thanks. |
If he said he found a SQL injection vulnerability in vBulletin 4, it's also possible that it's in one of the plugins you have installed and not in the core files of the forum. Are you sure he sent you a list of your actual database tables or did he just show you a list of the tables that are present in the default vBulletin 4 installation?
As far as I know, there are no known and public security vulnerabilities in the latest vBulletin 4 version. Even if someone published a vBulletin 4 exploit, there are plenty of people, including myself, who would publish an unofficial fix for it. |
Thanks for the quick response.
Quote:
Quote:
Here is the email thread - everything is from the emailer. I may have made a mistake but I did reply once with a "thanks, I will look into it" Quote:
|
Disabling the plugins, if they are coded properly, should disable them completely and prevent access to its hooks/files.
Feel free to PM me the URL of your forum and I will take a look and determine if I can find a vulnerability somewhere. If I can find something, I'll let you know the details and what further steps to take. |
This sounds like a scam to me. Exploits are publicized. If there were one it would be reported by a lot of vBulletin 4 users, including myself.
|
Why does it have to be fraud? If he has screenshots of the database it will be true. Every script has security holes and if you have plugins installed, the danger is even greater.
|
Quote:
Screenshots don't prove anything. I can create a screenshot of any vBulletin database just by creating an empty database and installing a fresh copy of the software. It's patently false to say that "every script" has security holes. I'm not even going to argue that because it's a non-starter. There are scripts that don't even access the database. Is it possible there's an exploit out there? Of course. Is there any empirical evidence of one being out there? Not at this time. |
Quote:
There should be a system in place here at vb.org to scan all submitted plugins for security issues before allowing them for public download. |
Just so everyone is aware, I looked at the forum of OP and the security issue was present in non-vBulletin related scripts. Currently helping him fix the vulnerabilities.
|
Quote:
|
| All times are GMT. The time now is 01:11 PM. |
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
| X vBulletin 3.8.12 by vBS Debug Information | |
|---|---|
|
|
 More Information |
|
|
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|