The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!

#1
Code:
I doubt Jelsoft is hiring, and I don't know if I want to fix something as broken as vBulletin. Its DB performance is horrendous, its code implementation is *cringe*, and I doubt they would like a formal AGILE method, although I do hear they are adopting AGILE (a Microsoft originating project management style that rocks). But yes, VB hacking is easy as pie. Also, there is a way to make users do things invisibly, a user remote control if you will. In my experience, the most I would get out of reporting the 71 or so hacks I have found to date is a free copy of VB.

#2
vBulletin is one of the most secure pieces of software on the net.

#3
He gave me this example:
Code:
Ok here is a quick one. Custom sigs accept code, so you could cross script it and send it to the admin; that would cause the admin to load a page to change his pass and send it to you. Or you could steal his cookie. Or you could have him execute delete from on his entire DB. So all you do is mail the ++++ and let your custom kill him.

#4
Man, he is a liar, man, that's what I can say. What's ur MSN????
PM me ur MSN, I'll help u talk to that guy.

#5
Prolly not worth it. Honestly, I can tell he's probably lying. vBulletin couldn't be that unsafe.

#6
Reverse engineering you to give up your password to someone who could supposedly "hack" you in order to protect you is usually how someone who talks a lot of game obtains 99.9% of their passwords.

#7
He's a noob that found a list of the cross site scripting exploits on old versions of vB. Pretty much, if you're up to date, his rants about insecurity are worthless.
The only thing he's somewhat right about is the cookie thing. If you log into your board on a public wireless network, anyone can sniff out your cookie without any problem. Once that cookie is stolen they can do a lot of stuff without authorization until you change your password.

#8
And as you see, if an exploit is found, the developers fix it very fast => 3.8.1 pl 1

#9
ya lor vb rox

#10
Code:
Actually, in the 4th post, I believe he is correct. You can use an XSS flaw in some 3.6X versions of vBulletin