Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 09-28-2019, 03:56 PM
gambler726 gambler726 is offline
 
Join Date: May 2016
Posts: 8
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Is anyone maintaining VB4? Fixes, etc.?

I am still using VB 4 and am reluctant to try VB5 based on what I read and based on the comparisons in the links below, it looks like very few have moved from VB4 to 5.

https://www.similartech.com/compare/...s-vbulletin-5x

https://www.similartech.com/compare/...-5x-vs-xenforo

https://www.similartech.com/compare/...-4x-vs-xenforo

I would also consider Xenforo but it's an unknown to me after 15 years with VB.

Here's the thing: I get this email out of nowhere from some one who says VB4 has a sql injection vulnerability and he wants to report this to my admin. I don't know if this is a scam to get me to pay him to fix it, but the email lists all of my database tables, which makes me uneasy, and they tell me all the data is accessible.

Again, possible scam but he has my attention.

I report it to my webhosting company to see that they think (and they are very good) and they tell me since VB4 is at end of life, I should upgrade to VB5 or risk continued security breaches.

Hence, the title of this post - is anyone out there still updating VB4 for security patches, etc.?

Another question, what's your thought on that provocative email? scam, threat or something else?

Thanks.
Reply With Quote
  #2  
Old 09-28-2019, 04:56 PM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

If he said he found a SQL injection vulnerability in vBulletin 4, it's also possible that it's in one of the plugins you have installed and not in the core files of the forum. Are you sure he sent you a list of your actual database tables or did he just show you a list of the tables that are present in the default vBulletin 4 installation?

As far as I know, there are no known and public security vulnerabilities in the latest vBulletin 4 version. Even if someone published a vBulletin 4 exploit, there are plenty of people, including myself, who would publish an unofficial fix for it.
Reply With Quote
  #3  
Old 09-28-2019, 06:04 PM
gambler726 gambler726 is offline
 
Join Date: May 2016
Posts: 8
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thanks for the quick response.

Quote:
Originally Posted by Dave View Post
If he said he found a SQL injection vulnerability in vBulletin 4, it's also possible that it's in one of the plugins you have installed and not in the core files of the forum. Are you sure he sent you a list of your actual database tables or did he just show you a list of the tables that are present in the default vBulletin 4 installation?
It was a list of the actual tables with my specific prefixes plus other tables I created.

Quote:
Originally Posted by Dave View Post
As far as I know, there are no known and public security vulnerabilities in the latest vBulletin 4 version. Even if someone published a vBulletin 4 exploit, there are plenty of people, including myself, who would publish an unofficial fix for it.
I've gotten most, if not all, of my plugins from VB.org, and I use a lot of them. Turning them off, as I have done, makes it look like a different forum. I assume disabling them does not prevent the vulnerabilities?

Here is the email thread - everything is from the emailer. I may have made a mistake but I did reply once with a "thanks, I will look into it"


Quote:
On Fri, Sep 27, 2019 at 12:12 AM
Hi
I have found SQL injection vulnerability on website.
How i can report it?


On Fri, Sep 27, 2019 at 12:16 AM
its possible to retrieve data base information.

On Fri, Sep 27, 2019 at 12:27 AM
[Listed the tables]


Sent: Thursday, September 26, 2019 4:31 PM

all users information are affected now.
I am looking for admin for bug report.

On Fri, Sep 27, 2019 at 7:13 AM
Will I get compensated for my help?

There is impact. of vulnerability. There is potential attacker can take users information and more...
Reply With Quote
  #4  
Old 09-28-2019, 06:13 PM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Disabling the plugins, if they are coded properly, should disable them completely and prevent access to its hooks/files.

Feel free to PM me the URL of your forum and I will take a look and determine if I can find a vulnerability somewhere. If I can find something, I'll let you know the details and what further steps to take.
Reply With Quote
Благодарность от:
In Omnibus
  #5  
Old 09-28-2019, 07:03 PM
In Omnibus's Avatar
In Omnibus In Omnibus is offline
 
Join Date: Apr 2010
Location: Inside A Blade Server
Posts: 840
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

This sounds like a scam to me. Exploits are publicized. If there were one it would be reported by a lot of vBulletin 4 users, including myself.
Reply With Quote
Благодарность от:
gambler726
  #6  
Old 09-28-2019, 07:09 PM
Meister2017 Meister2017 is offline
 
Join Date: Sep 2017
Posts: 36
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Why does it have to be fraud? If he has screenshots of the database it will be true. Every script has security holes and if you have plugins installed, the danger is even greater.
Reply With Quote
  #7  
Old 09-28-2019, 07:46 PM
In Omnibus's Avatar
In Omnibus In Omnibus is offline
 
Join Date: Apr 2010
Location: Inside A Blade Server
Posts: 840
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Meister2017 View Post
Why does it have to be fraud? If he has screenshots of the database it will be true. Every script has security holes and if you have plugins installed, the danger is even greater.
The number of vBulletin 4 sites running plugins is in the thousands last I knew. The odds that one site has a security vulnerability discovered by one individual which has not been exploited or reported by others are virtually zero. I personally administrate a dozen vBulletin 4 sites, all of which use third party modifications. Not one of them has had an issue as I type this.

Screenshots don't prove anything. I can create a screenshot of any vBulletin database just by creating an empty database and installing a fresh copy of the software.

It's patently false to say that "every script" has security holes. I'm not even going to argue that because it's a non-starter. There are scripts that don't even access the database.

Is it possible there's an exploit out there? Of course. Is there any empirical evidence of one being out there? Not at this time.
Reply With Quote
  #8  
Old 09-28-2019, 08:52 PM
iA1 iA1 is offline
 
Join Date: Jul 2018
Posts: 150
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by In Omnibus View Post
Screenshots don't prove anything. I can create a screenshot of any vBulletin database just by creating an empty database and installing a fresh copy of the software.
OP says it is a list of his database tables, along with the prefix and it includes his own custom tables in it. I don't think it is a scam. You can create a generic db table list, but the probability of applying the same prefix used by OP and adding his custom tables in it is virtually zero.

There should be a system in place here at vb.org to scan all submitted plugins for security issues before allowing them for public download.
Reply With Quote
Благодарность от:
gambler726
  #9  
Old 09-28-2019, 09:03 PM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Just so everyone is aware, I looked at the forum of OP and the security issue was present in non-vBulletin related scripts. Currently helping him fix the vulnerabilities.
Reply With Quote
3 благодарности(ей) от:
bazookajoe, iA1, yellow_spider
  #10  
Old 09-28-2019, 10:26 PM
In Omnibus's Avatar
In Omnibus In Omnibus is offline
 
Join Date: Apr 2010
Location: Inside A Blade Server
Posts: 840
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Dave View Post
Just so everyone is aware, I looked at the forum of OP and the security issue was present in non-vBulletin related scripts. Currently helping him fix the vulnerabilities.
Thanks, Dave. Can you share what scripts are involved in case anyone else is running them?
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 12:21 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04407 seconds
  • Memory Usage 2,276KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (6)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (10)post_thanks_box
  • (6)post_thanks_box_bit
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (4)post_thanks_postbit
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete