#1
07-08-2013, 12:15 AM
Rich
Join Date: Mar 2004
Location: U.S.A
Posts: 921
Thanked others: 0 times
Thanked: 0 times in 0 posts

Spam Exploit - vBgallery

This is just a post to educate. I recently experienced a spam issue on my server. The site was running 3.8 with vbgallery 2.51. We couldn't isolate the issue and it prompted us to upgrade the site, prematurely, to counter the spam. The upgrade killed the spam, but we never knew where it was coming from, as we hosted so many scripts and files that it was difficult to isolate without being able to isolate it to one script. Today I upgraded that gallery on my dev site to transfer the files over to a CDN, instead of hosting them locally. I had a few minor style issues after the upgrade, so I did some Google digging and came across this thread:

http://www.photopost.com/forum/insta...bg-2-51-a.html

Photopost was made aware of the exploit in Feb. of 2012 and they chose to simply ignore it. I never received a notice that there was an exploit. These people knowingly allowed their clients running that version to be exploited by not sending out a notice or a simple patch. The spam was being sent via the ecard or send to friend feature. "Chuck" tried blaming vBulletin as usual until it was made clear where it was coming from. Intentionally allowing your client base to fall victim to an exploit that could have been announced is not only poor development but shows horrible character on the development team's part.

If you are running vbgallery 2.5.1 and have the ecard or send to friend feature active, it has an exploit. Spammers can hook in somehow and mail spam directly through your server. You would be a fool to use their products knowing this is how he handled this exploit.

I hope this can stay up to help notify people since the "developers" over at photopost chose not to.

Thanks to Brandon Sheley you can download the attached zip which contains a pdf displaying the entire conversation that Chuck deleted! You can see first hand how much he cares about his clients. lmao
Attached Files: SPamm explot in GBG 2.zip (81.3 KB)