The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
#1
|
||||
|
||||
ATTN: Impex Users
I think this is a good place to mention something I have been seeing on my own web site's Currently Active Users page.
Apparently there are some data thieves out there using script programs to activate and run your own forum's Impex programs and the script will save your forum's data to any server they designate in the script itself, which allows these thieves to look through your data at their own leisure. The first time I saw these people doing this, my first thought wasn't piracy; it was, "Hey, I don't have Impex installed. What's going on?" The next time it happened, I reported the incident to the server provider where the script was trying to aim data to, and they closed that thief's server account permanently (they thanked me in an email for bringing it to their attention.) The following times I have seen this, I have simply IP banned their ISPs. I know that is a bit extreme, but I got tired of seeing the attempts being made. So if you have Impex installed on your web server where your forum is located, please keep in mind that you are inviting these people to hit your forum site to back up your web forum data to read through later. And yes, this will also mean that they can get your passwords, too. Impex, while a good program, I am to understand, is a major security risk in this case. If you are not using the program, disable it and that will prevent these people from being able to use it on your own web site. Thank you for your time. I just thought vbulletin should know what was happening with this situation. Please look into this! (I posted this information on vbulletin.com, but I wanted to make sure everyone knew about this so they could take protective measures.) |
#2
|
||||
|
||||
Well it's your own fault if you left a security risk on your server. I believe it does say to remove impex files once you're done.
|
#3
|
|||
|
|||
Quote:
Also the part where you say "will save your forum's data to any server they designate" does not make much sense as the target database (and MySQL server) for ImpEx is in the config file that resides on the same server as the ImpEx script, so without FTP access they can not change the target. If they are hosting ImpEx on their own server, all of the following requirements would still need to be true in order to read your data: - Your server must allow external connections to the database - Your databasename must be known - Your MySQL username & password must be known Finally passwords are stored hashed in the database and can by no way be retrieved. If you have any evidence that ImpEx (might) be insecure, please open a Support Ticket providing as much details as possible. At this time there are however no known security issues. |
#4
|
||||
|
||||
Actually, I never meant to imply that I ever had impex installed.
However.... in the currently active users list, what else could an Unknown Location with something like... "/index.php/impex/ with the script url here" ...mean? But in the case where these other people have found their own posts and accounts duplicated on a forum they never joined... this IS how it could be done. As for password in the database, and I know this from experience from working on my own board... any Admin with the proper access can back up a database to their computer and view the file in notepad and see the so-called encrypted password. No offence. It's not encrypted. At any rate, I am not going to say anything more about it, except... Bottom Line: as Dean C said, "Well it's your own fault if you left a security risk on your server. I believe it does say to remove impex files once you're done." Those people who leave that up are getting what they deserve and have no right to complain. Thank you for listening. (PS: I don't type in British English, so typed words have different meanings. And I am about zonked with needing sleep. And yes, WinXP can crash. It happened to me 2 weeks ago; that's why I'm on Linux now. ) |
#5
|
|||
|
|||
In order to run Impex you need the following informations :
1. Customer Number 2. Impex Config file variables such as database name & password Without these information noone can run and gather your data. And whats with the I dont type British English bla bla... That is the funniest sentence i've ever read on vbulletin.org for a long time. You just think you find something important but hey you dont cause your posts mean nothing. |
#6
|
||||
|
||||
Nonsense. I'll happily give you a dump of my user table from my dev forums, for you to try and get my password.
|
#7
|
|||
|
|||
Quote:
the unknown location like you say is just something that is unknown... logically... and if in the WOL you see such location, it means that someone TRY to access that path.. .doesn't mean it does access it with success... most of the web crawlers have that url in their path because it is a known url,... most people trying to make you fear will also use that path... jut to see if you are fool enough to let it on your site. anyway, you have to consider suggesting this problem to vbulletin.com if you really think it's a risk, because you're actually not on the official website now... |
#8
|
|||
|
|||
More then likely the reason they are looking for impex is because an older version used in conjunction with 3.5.1-3.5.4 I think it was had a few RFI exploits....this is why it is so important to keep updated.
|
#9
|
|||
|
|||
With the salt in hand a brute force is just as likely as a "pure" md5 hash (md5($password). I'm not going to take you up on your offer but given enough time I could get your password if I had a copy of your user table.
|
#10
|
||||
|
||||
I still challenge you, or anyone to do it.
|
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|