The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
#101
|
||||
|
||||
Quote:
Quote:
|
Благодарность от: | ||
Max Taxable |
#102
|
||||
|
||||
Quote:
|
Благодарность от: | ||
findingpeace |
#103
|
||||
|
||||
Quote:
|
#104
|
||||
|
||||
Well I am a vBulletin customer, and it is my data I get what you are saying though, I'm just being a spaz - at least it's not our credit card or license info.
|
#105
|
||||
|
||||
But the thing that is essentially concerning me now the most here in this whole mess actually is:
Supposedly if they had access to write/modify files on vb.com and vb.org servers (By the way, isn't it the same server? Or Vb.com is on separate server from Vb.org?) are all downloadable scripts, mods, templates safe? I mean, assuming they had that access they could for example change certain mods or themes code to put vulnerabilities into them so they can hack other websites powered by vbulletin later. So, ideally if vb staff knows they had such access vb staff should do the diff of all downloadable content against the backups from the time before it happened to make sure people are safe when downloading and installing new content on their forums/servers. Also I would be more calm if they (you - I guess people in charge/responsible for vb here read this) could make a statement assuring your customers that everything is safe and nothing was modified or if there was anything modified that you took care to fix it. |
Благодарность от: | ||
findingpeace |
#106
|
|||
|
|||
Quote:
I'd rather you elaborated on that, with an explanation of "we made a mistake/a config file was left on the QA server/something else etc" rather than leaving the possibility of a vB exploit open. Even if it was only a QA server hacked, how did they then escalate that to the live DB? |
#107
|
||||
|
||||
Quote:
Quote:
|
#108
|
||||
|
||||
The databases are on a different server than the files (typical setup if you have more than one server).
|
#109
|
|||
|
|||
So how did they crack the the live DB MySQL? Was the password listed somewhere on the QA server or do you not know how it was done?
|
#110
|
|||
|
|||
Paul said
"They broke into an old stage server, mainly used by QA for test installs of vB4 & vB5.". If they broke into the server, the QA DB password could be gleaned by the vB config file. Hopefully it wasn't the same db user and password in use for vB.com or vB.org. In the past, the QA team has copied the vb.com live database (or parts of it) to one of their servers, and tested installations. Maybe that was done, and the db userid's/passwords were brought along with them. That would have given them access to the vb.com DB. But I would think the vb.com DB has restricted access via the hosts table or something. |
Thread Tools | |
Display Modes | |
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|