Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #41  
Old 05-14-2011, 12:57 AM
Boofo's Avatar
Boofo Boofo is offline
 
Join Date: Mar 2002
Location: Des Moines, IA (USA)
Posts: 15,776
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by aquariumpros View Post
Might want to try to understand that ANY AND ALL code is susceptible to exploits - hence the reason there are always updates and patches offered (even for operating systems, and vBulletin core software, etc.).
I don't necessarily agree with the idea that ALL code is susceptible to exploits. It depends on what the code does.
Reply With Quote
  #42  
Old 05-14-2011, 01:11 AM
aquariumpros aquariumpros is offline
 
Join Date: Jul 2002
Location: Hawai`i
Posts: 98
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Boofo View Post
I don't necessarily agree with the idea that ALL code is susceptible to exploits. It depends on what the code does.
Sorry for the misinterpretation. What I intended to convey was that it's NOT just hacks and mods that are susceptible to being hacked...so removing all mods won't unilaterally make a site safe. This exploit could just as easily have been found in the base vBulletin code; or even an exploit in coding within the server OS, etc.

Vigilance in keeping up to date on ALL software patches & updates is still needed to have any real security; and even then - there's ALWAYS a risk.

Daily back-ups is your only real security.
Reply With Quote
  #43  
Old 05-14-2011, 01:59 AM
madshark's Avatar
madshark madshark is offline
 
Join Date: Oct 2009
Posts: 32
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by ChemicalKicks View Post
I keep reading "hacked by team Anus".
Haha that would be appropriate wouldn't it? lol At least some of us still see a lighter side.

Just lets not jump at the developers throat, like aquariumpros said the issue couldve come from anywhere. It's unfortunate that it was Valter who was the one in the primary line of fire this time. Fundamentally the web is worse than reality as far as safety is concerned so what more do we argue from there?

Boofo is right. Not everything is evil but there is always someone trying to better something that causes an addition that is slightly overlooked. But if we said ok Windows 98 is the shit we dont need to go anywhere from here or worse if apple said ok iMac thats it weve done perfect lets not screw it up where would we be today?

In that same light no add-ons at all would be similar to saying ok Im born. I'm vanilla there are viruses and germs out there so I'm going to build a sanitized glass orb and live in it the rest of my life. But in a funny kind of way VB allows backups that make risks a little manageable. Life doesn't really give us that option in the ideal form does it? Something to ponder. Make use of it I'm sure its been said a gazillion times before.
Reply With Quote
  #44  
Old 05-14-2011, 02:18 AM
Boofo's Avatar
Boofo Boofo is offline
 
Join Date: Mar 2002
Location: Des Moines, IA (USA)
Posts: 15,776
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

You also have to remember how long Valter's mod was out before it got exploited. All it takes is someone playing around with something long enough to find a way around certain things. Valter is an excellent coder that caught an unlucky break that could happen to any one of us.
Reply With Quote
  #45  
Old 05-14-2011, 03:47 AM
AusPhotography's Avatar
AusPhotography AusPhotography is offline
 
Join Date: Nov 2007
Location: Hobart & Adelaide .au
Posts: 521
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Boofo View Post
You also have to remember how long Valter's mod was out before it got exploited. All it takes is someone playing around with something long enough to find a way around certain things. Valter is an excellent coder that caught an unlucky break that could happen to any one of us.
+100
Reply With Quote
  #46  
Old 05-14-2011, 04:03 AM
Boofo's Avatar
Boofo Boofo is offline
 
Join Date: Mar 2002
Location: Des Moines, IA (USA)
Posts: 15,776
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by snoopytas View Post
+100
Well, it couldn't happen to me, but it could happen to all the rest of the coders.
Reply With Quote
  #47  
Old 05-14-2011, 04:15 AM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
 
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Boofo View Post
Well, it couldn't happen to me, but it could happen to all the rest of the coders.
So true .






































Reply With Quote
  #48  
Old 05-14-2011, 06:33 AM
Nickbe Nickbe is offline
 
Join Date: Jul 2007
Posts: 116
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by FallenBeauties View Post
After they got into the Admin Panel they could have easily add a plugin which would allow them to upload something on the site, i.e php shell for modifying of the current files, or uploading of the newer files.
Would that allow them to upload outside of the forum directory? That is what they did to me. The forum directory resides withing my public_html (user/public_html/forums) they uploaded files to (user/public_html). I suspect this issue goes deeper than everybody thinks.
Reply With Quote
  #49  
Old 05-14-2011, 06:37 AM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
 
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Nickbe View Post
Would that allow them to upload outside of the forum directory? That is what they did to me. The forum directory resides withing my public_html (user/public_html/forums) they uploaded files to (user/public_html). I suspect this issue goes deeper than everybody thinks.
If they upload a shell type of script then it's pretty much out the door imo.

http://en.wikipedia.org/wiki/Shell_script
Reply With Quote
  #50  
Old 05-14-2011, 06:41 AM
madshark's Avatar
madshark madshark is offline
 
Join Date: Oct 2009
Posts: 32
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Lol Boofo. But thats the thing with people. You'd use something for years and the minute something goes wrong you scream at shout and burn it to the ground. Sad reality.

Nickbe from following the issue quite closely if they get into the sql from there uploading content etc to your home directory is peanuts apparently.(if I recall that bit of info correctly) Well fundamentally its the maximum that can be done isn't it? Unless it escalates to your hosts and whole server getting hacked. That is unlikely I suspect? A vulnerability always results in either losing admin rights of a board, your files being erased or your account used to host the hackers files on the sly. But this seems to be more of a bragging rights venture by the looks of it ? I guess all the small time hackers will pick up on the yet unpatched board and continue the mischief.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 08:48 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04517 seconds
  • Memory Usage 2,272KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (8)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete