The Arcive of Official vBulletin Modifications Site.

gambler726 · #1 09-28-2019, 03:56 PM

I am still using VB 4 and am reluctant to try VB5 based on what I read and based on the comparisons in the links below, it looks like very few have moved from VB4 to 5.

https://www.similartech.com/compare/...s-vbulletin-5x

https://www.similartech.com/compare/...-5x-vs-xenforo

https://www.similartech.com/compare/...-4x-vs-xenforo

I would also consider Xenforo but it's an unknown to me after 15 years with VB.

Here's the thing: I get this email out of nowhere from some one who says VB4 has a sql injection vulnerability and he wants to report this to my admin. I don't know if this is a scam to get me to pay him to fix it, but the email lists all of my database tables, which makes me uneasy, and they tell me all the data is accessible.

Again, possible scam but he has my attention.

I report it to my webhosting company to see that they think (and they are very good) and they tell me since VB4 is at end of life, I should upgrade to VB5 or risk continued security breaches.

Hence, the title of this post - is anyone out there still updating VB4 for security patches, etc.?

Another question, what's your thought on that provocative email? scam, threat or something else?

Thanks.

Dave · #2 09-28-2019, 04:56 PM

If he said he found a SQL injection vulnerability in vBulletin 4, it's also possible that it's in one of the plugins you have installed and not in the core files of the forum. Are you sure he sent you a list of your actual database tables or did he just show you a list of the tables that are present in the default vBulletin 4 installation?

As far as I know, there are no known and public security vulnerabilities in the latest vBulletin 4 version. Even if someone published a vBulletin 4 exploit, there are plenty of people, including myself, who would publish an unofficial fix for it.

gambler726 · #3 09-28-2019, 06:04 PM

Thanks for the quick response.

Quote:

Originally Posted by Dave

If he said he found a SQL injection vulnerability in vBulletin 4, it's also possible that it's in one of the plugins you have installed and not in the core files of the forum. Are you sure he sent you a list of your actual database tables or did he just show you a list of the tables that are present in the default vBulletin 4 installation?

It was a list of the actual tables with my specific prefixes plus other tables I created.

Quote:

Originally Posted by Dave

As far as I know, there are no known and public security vulnerabilities in the latest vBulletin 4 version. Even if someone published a vBulletin 4 exploit, there are plenty of people, including myself, who would publish an unofficial fix for it.

I've gotten most, if not all, of my plugins from VB.org, and I use a lot of them. Turning them off, as I have done, makes it look like a different forum. I assume disabling them does not prevent the vulnerabilities?

Here is the email thread - everything is from the emailer. I may have made a mistake but I did reply once with a "thanks, I will look into it"

Quote:

On Fri, Sep 27, 2019 at 12:12 AM
Hi
I have found SQL injection vulnerability on website.
How i can report it?

On Fri, Sep 27, 2019 at 12:16 AM
its possible to retrieve data base information.

On Fri, Sep 27, 2019 at 12:27 AM
[Listed the tables]

Sent: Thursday, September 26, 2019 4:31 PM

all users information are affected now.
I am looking for admin for bug report.

On Fri, Sep 27, 2019 at 7:13 AM
Will I get compensated for my help?

There is impact. of vulnerability. There is potential attacker can take users information and more...

Dave · #4 09-28-2019, 06:13 PM

Disabling the plugins, if they are coded properly, should disable them completely and prevent access to its hooks/files.

Feel free to PM me the URL of your forum and I will take a look and determine if I can find a vulnerability somewhere. If I can find something, I'll let you know the details and what further steps to take.

In Omnibus · #5 09-28-2019, 07:03 PM

This sounds like a scam to me. Exploits are publicized. If there were one it would be reported by a lot of vBulletin 4 users, including myself.

Meister2017 · #6 09-28-2019, 07:09 PM

Why does it have to be fraud? If he has screenshots of the database it will be true. Every script has security holes and if you have plugins installed, the danger is even greater.

In Omnibus · #7 09-28-2019, 07:46 PM

Quote:

Originally Posted by Meister2017

Why does it have to be fraud? If he has screenshots of the database it will be true. Every script has security holes and if you have plugins installed, the danger is even greater.

The number of vBulletin 4 sites running plugins is in the thousands last I knew. The odds that one site has a security vulnerability discovered by one individual which has not been exploited or reported by others are virtually zero. I personally administrate a dozen vBulletin 4 sites, all of which use third party modifications. Not one of them has had an issue as I type this.

Screenshots don't prove anything. I can create a screenshot of any vBulletin database just by creating an empty database and installing a fresh copy of the software.

It's patently false to say that "every script" has security holes. I'm not even going to argue that because it's a non-starter. There are scripts that don't even access the database.

Is it possible there's an exploit out there? Of course. Is there any empirical evidence of one being out there? Not at this time.

iA1 · #8 09-28-2019, 08:52 PM

Quote:

Originally Posted by In Omnibus

Screenshots don't prove anything. I can create a screenshot of any vBulletin database just by creating an empty database and installing a fresh copy of the software.

OP says it is a list of his database tables, along with the prefix and it includes his own custom tables in it. I don't think it is a scam. You can create a generic db table list, but the probability of applying the same prefix used by OP and adding his custom tables in it is virtually zero.

There should be a system in place here at vb.org to scan all submitted plugins for security issues before allowing them for public download.

Dave · #9 09-28-2019, 09:03 PM

Just so everyone is aware, I looked at the forum of OP and the security issue was present in non-vBulletin related scripts. Currently helping him fix the vulnerabilities.

In Omnibus · #10 09-28-2019, 10:26 PM

Quote:

Originally Posted by Dave

Just so everyone is aware, I looked at the forum of OP and the security issue was present in non-vBulletin related scripts. Currently helping him fix the vulnerabilities.

Thanks, Dave. Can you share what scripts are involved in case anyone else is running them?

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.07546 seconds Memory Usage 2,265KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (6)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (10)post_thanks_box (6)post_thanks_box_bit (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (4)post_thanks_postbit (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start fetch_musername post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start post_thanks_function_fetch_thanks_bit_start post_thanks_function_show_thanks_date_start post_thanks_function_show_thanks_date_end post_thanks_function_fetch_thanks_bit_end post_thanks_function_fetch_post_thanks_template_start post_thanks_function_fetch_post_thanks_template_end pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

3 благодарности(ей) от:
bazookajoe, iA1, yellow_spider

Благодарность от:
In Omnibus

Благодарность от:
gambler726

Благодарность от:
gambler726

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!