Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 07-08-2013, 12:15 AM
Rich's Avatar
Rich Rich is offline
 
Join Date: Mar 2004
Location: U.S.A
Posts: 921
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Spam Exploit - vBgallery

This is just a post to educate. I recently experienced a spam issue on my server. The site was running 3.8 with vbgallery 2.51. We couldn't isolate the issue and it prompted us to upgrade the site, prematurely, to counter the spam. The upgrade killed the spam but we never knew where it was coming from as we hosted so many scripts and files it was difficult to isolate without being able to isolate it to one script. Today I upgraded that gallery on my dev site to transfer the files over to a CDN, instead of hosting them locally. I had a few minor style issues after the upgrade so I did some google digging and came across this thread:

http://www.photopost.com/forum/insta...bg-2-51-a.html

Photopost was made aware of the exploit in Feb. of 2012 and they chose to simply ignore it. I never received a notice that their was an exploit. These people knowingly allowed their clients running that version to be exploited by not sending out a notice or a simple patch. The spam was being sent via the ecard or send to friend feature. "Chuck" tried blaming vbulletin as usual until it was made clear where it was coming from. Intentionally allowing your client base to fall victim to an exploit that could have been announced is not only poor development but shows horrible character on the development teams part.

If you are running vbgallery 2.5.1 and have the ecard or send to friend feature active, it has an exploit. Spammers can hook in somehow and mail spam directly through your server. You would be a fool to use their products knowing this is how he handled this exploit.

I hope this can stay up to help notify people since the "developers" over at photopost chose not to.

Thanks to Brandon Sheley you can download the attached zip which contains a pdf displaying the entire conversation that Chuck deleted! You can see first hand how much he cares about his clients. lmao
Attached Files
File Type: zip SPamm explot in GBG 2.zip (81.3 KB, 12 views)
Reply With Quote
  #2  
Old 07-12-2013, 04:13 PM
Rich's Avatar
Rich Rich is offline
 
Join Date: Mar 2004
Location: U.S.A
Posts: 921
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

You may notice that they took down the thread which was posted on Photopost regarding this issue. Chuck, who is the guy everyone gets for support, was shown the defect, acknowledged it and in turn said they won't be sending out a patch for "one issue". One issue! The issue is one that compromises the integrity of the script! That guy is clueless! I contacted atroll, the OP, and asked him to share over here since Photopost removed the thread and left all their customers using that version open to attacks. Any developer who knows their script is compromised and doesn't patch or notify the customers is pure scum trash! I will never do business with those people again, that is for 100% certain!
Reply With Quote
  #3  
Old 07-12-2013, 05:07 PM
TNCclubman's Avatar
TNCclubman TNCclubman is offline
 
Join Date: Sep 2008
Posts: 690
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

heres the post that was deleted...

My server is spamming through VBGallery 2.51. I am 100% sure that this is the case. Let me explain all that has gone on to prove this.

I was on another server that I have since left and move this site to a new server. The only site hosted on this server is the one I am referring to now. The reason I left was partly because of this spamming going on that is was sending out.

If I go into my ADMINCP plugins and turn off the VBGallery plugin then the spamming stops.

If I turn it back on it starts back up in a day or two. I have left the plugin turned off for almost two weeks and the server never sent out any spam. But as soon as it gets turned back on the spam starts getting sent out from my server again.

Here is another link that help me isolate it down to VBGallery. There is another user by thew name of beishe8 that also brings up that he had this same problem and how he narrowed it down to Photopost vBGallery misc.php. You can find his results on page two of this thread.
https://www.vbulletin.com/forum/show...mail-log/page2

Chuck can you verify this and put out a fix for it ASAP?

--------------- Added [DATE]1373652539[/DATE] at [TIME]1373652539[/TIME] ---------------

followed by this

No, I think you have misunderstood me. This is not getting posted to the forums it is going directly out through email straight off the server.
The person can use VBG to send a mass email to over 765 emails at one time and this is not users that are registered on the web site. This is any email address they paste in.

The person has found a way to use VBGallery as a mass emailing feature on a servers with VBG installed. They are using the server through VBG to send 765 email and more at a time through the server.

You say to Turn off the email to a friend feature. That is a vBulletin feature and not a VBG feature if I am correct, right? Please explain a little bit about turning this off as I cannot seem to find that feature in the VBG Admin section.

Here is a link I found tonight that might also have something to do with this
Exploit in VB Gallery 2.5.1

--------------- Added [DATE]1373652643[/DATE] at [TIME]1373652643[/TIME] ---------------

http://www.photopost.com/forum/how-d...y-2-5-1-a.html
Reply With Quote
  #4  
Old 07-12-2013, 06:00 PM
Rich's Avatar
Rich Rich is offline
 
Join Date: Mar 2004
Location: U.S.A
Posts: 921
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Can you get the rest of the thread that was deleted? I am particularly interested in the post by Chuck where he acknowledges the exploit and says he won't be patching it.

That first link doesn't work for me btw. I know a fix for the issue was posted on their site somewhere but he never notified anyone that the exploit existed and they didn't release an official fix for it either. instead he started working on the vb4 version and left everyone else to get screwed over by spam. It was a nightmare for the site I had that was spamming. We got blacklisted and had to go around and get un-blacklisted once we resolved the issue.
Reply With Quote
  #5  
Old 07-12-2013, 08:52 PM
Brandon Sheley's Avatar
Brandon Sheley Brandon Sheley is offline
 
Join Date: Mar 2005
Location: Google Kansas
Posts: 4,678
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Rich View Post
Can you get the rest of the thread that was deleted?
cached
http://webcache.googleusercontent.co...ient=firefox-a

and printed (PDF in the zip)
Attached Files
File Type: zip SPamm explot in GBG 2.zip (81.3 KB, 9 views)
Reply With Quote
Благодарность от:
Rich
  #6  
Old 09-08-2013, 03:53 PM
Rich's Avatar
Rich Rich is offline
 
Join Date: Mar 2004
Location: U.S.A
Posts: 921
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I am posting so that it remains active and viewable. I know there are people out there that are affected by this. Hopefully they see this thread.
Reply With Quote
  #7  
Old 09-11-2013, 10:03 PM
tgmorris tgmorris is offline
 
Join Date: Nov 2003
Posts: 180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I just got hit by this and it took me several hours to track down the root cause. I'm not about to spend a great deal of $$$ at this point to see what Photopost suggested as the solution so I came up with my own.

I trust the user community so I just added a plugin at the ppgal_misc_email_image hook

PHP Code:
if (!$vbulletin->userinfo['userid'])
{
    
print_no_permission();

This will result in the spammer getting a "No permission" screen instead of the form they're looking for. I probably could have gotten a bit fancier and checked the usergroup permissions but this will work for me. Hopefully, this will solve the problem.

UPDATE: I checked the server logs this morning and the user tried & failed today so it looks like the hole is closed for now.
Reply With Quote
2 благодарности(ей) от:
puertoblack2003, tbworld
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 06:23 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04045 seconds
  • Memory Usage 2,262KB
  • Queries Executed 14 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_php
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (7)post_thanks_box
  • (3)post_thanks_box_bit
  • (7)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (2)post_thanks_postbit
  • (7)post_thanks_postbit_info
  • (7)postbit
  • (2)postbit_attachment
  • (7)postbit_onlinestatus
  • (7)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_attachment
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete