The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
|||||||
|
#1
08-29-2007, 01:02 PM
|
|||
|
|||
PhBB Spammer..Urgent help needed.
Hi guys...i am the lead admin in a small vb forum.i run vB 3.6.4.
I got an email from a member saying that he has got a tool named "phpBB Spammer".He said he made a change to the cookies from my site and then was able to log into the admincp from one of my admins userid.He does not know the password to that admin id. I was shocked when i heard that.Please,please lemme know if its possible to get into the admincp without the password using this tool. Thanks If i m posting this in the wrong section...i m sorry...please move it. 
|
|
#2
08-29-2007, 01:14 PM
|
|||
|
|||
|
I doubt this is possible with default vBulletin without modifications. You are however not running the latest version, there have been security updates since 3.6.4.
If you can reproduce this (or have access to the software used), then please open a support ticket with the details and someone will verify the claim.
|
|
#3
08-29-2007, 01:27 PM
|
|||
|
|||
|
It is possible, however not likely for this. Perhaps he was just trying to scare you.
I'm sure Marco knows a lot more about the internals of vB than I do. But this is why I believe it's fairly impossible. The cookies stored contains a) your user ID (easily obtainable b) your password in md5 hash format c) a randomly generated md5 hash. In order for vBulletin to consider you as logged on, not only must your USERID, PASSWORD combination must match the user information stored on the user table, but the session hash needs to match the session information. So in order to infiltrate a login they need to know your user ID (not that hard to obtain), password and session hash.. It is more likely for them to guess your password than your session hash (near infinite possibilities).. and if they know your password, they'll just login as you through the forums. But perhaps there is a related issue to that version of vB.. and in any case you should upgrade.
|
|
#4
08-29-2007, 02:21 PM
|
|||
|
|||
|
...and the session table also matches the IP-address.
|
|
#5
08-30-2007, 03:52 AM
|
|||
|
|||
|
Marco van Herwaarden and Knippschild ,thanks for the replies.There is no way the guy who emailed my admin could have got his admin password.They live around 10,000 km from each other.
He just said he used the tool named phpbb spammer,edited the cookies he got from my site and then was able to log in using my admins id.How on earth is that possible if he doesnt have the password. ? What exactly is this phpbb spammer thing ? is it some sort of hacking tool ? anyway,i will be ugrading to 3.6.8 in a few hours time. Also,is it possible to allow admincp logins only from a certain ip address ?
|
|
#6
08-30-2007, 07:09 AM
|
|||
|
|||
|
You could setup a .htaccess on your AdminCP directory to only allow certain IP's.
PS If you can reproduce this with 3.6.8 (doubt it), then please open a support ticket with the relevant details.
|
 |
«
Previous Thread
|
Next Thread
»
Linear Mode
|
|
All times are GMT. The time now is 06:14 PM.