Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dangerous VBulletin Exploit In the Wild

Posted by Unknown on from the going-back-to-usenet dept.

An anonymous reader writes "vBulletin is a popular proprietary CMS that was recently reported to be vulnerable to an unspecified attack vector. Although vBulletin has not disclosed the root cause of the vulnerability or its impact, we determined the attacker's methods. The identified vulnerability allows an attacker to abuse the vBulletin configuration mechanism in order to create a secondary administrative account. Once the attacker creates the account, they will have full control over the exploited vBulletin application, and subsequently the supported site."

43 comments

  1. Short form: by Minupla · · Score: 5, Informative

    For the TL;DR crowd:

    * Delete /core/install and /install directory in all 4.x and 5.x vBulletin installs or block access to same. Do it now.

    Min

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    1. Re:Short form: by rsmith-mac · · Score: 3, Insightful

      What's odd is that those directories shouldn't be public in the first place. You're supposed to remove them (or block them) once the install is done and before you turn the forum live.

    2. Re:Short form: by 2fuf · · Score: 4, Insightful

      You're also not supposed to have security compromising settings activated by default, when you manufacture a software product. You know that there will always be people who run it in production straight out of the box.

    3. Re:Short form: by denmarkw00t · · Score: 1

      That's the responsibility of the site admin, not the software writers. Granted, it's probably that easy because too many "admins" would complain at the complexity of opening up a folder to proper access for the installation - "What's this permissions stuff anyway??" You can also consider that some "admins" are going to leave doors open, no matter how many warnings and locks you put in.

    4. Re:Short form: by Minupla · · Score: 1

      Agreed - my message was not intended to suggest that the software was excused, more c/p-ing the remediation instructions from TFA as a public service.

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    5. Re:Short form: by kelemvor4 · · Score: 1

      What's odd is that those directories shouldn't be public in the first place. You're supposed to remove them (or block them) once the install is done and before you turn the forum live.

      Yep, pretty sure that's part of the installation instructions. Not exactly a product vulnerability, more like a couple lazy admins didn't close the door when they finished moving in.

    6. Re:Short form: by VortexCortex · · Score: 1

      What's odd is that those directories shouldn't be public in the first place. You're supposed to remove them (or block them) once the install is done and before you turn the forum live.

      So, what you're saying is: While you're doing the install the server is hosting PHP, and the admin pages make the board is vulnerable, you should limit it to your IP address at least -- And you have to do this outside of the software, there's no Install_IP = [your IP] config to set prior to uploading this executable code.

      Additionally, when the setup is done it doesn't just delete those damn files? Think about it. You JUST installed the software. Deleting those files has no downside. If you need to re-install, you can! You must already have the ability to start from scratch.

      I wonder if the v stands for vulnerable? If they're this lax about THE PRIMARY exploit vector of initial credential creation, you can just imagine how they are on all other aspects. Of course I blame PHP -- That language itself breeds security vulnerabilities. Hell, PHP has exploits in itself. C/C++ will let you shoot yourself in the foot if you're not careful, and create vulns, but at least it doesn't come with a giant pool of exploits built in.

      I'm tired of digging around in the guts of these insecure and inefficient PHP based abominations to apply security patches atop dipshit mistakes, or break the whole system on upgrade because I've applied a different "skin" (since they don't actually use a proper templating system, and treat PHP as if it is one). I don't use vBulletin currently, but it was on my radar. I've been thinking of migrating to a different Forum (read: BBS), but I've been rather disappointed with the current CMS/Forum offerings.

      The biggest issue is with general purpose software like this is that when you design software with everyone in mind, you've designed it for no one in particular.

      I almost think I should just go old school and write one myself in C. I did that in Perl once forever-ago, but didn't have time to keep its features up to date with other offerings (it's not hard, just time consuming). Now I know exactly what I want in a forum, and nothing available gives it to me. The features overlap with a project I'm working on, so it may be time to scratch my own itch yet again.

      In other words: Don't pay for crap software if you care about security... If you want something done right, you have to do it yourself. The economy is down, employ a few coders for FFS.

    7. Re:Short form: by Anonymous Coward · · Score: 0

      You're also not supposed to have security compromising settings activated by default, when you manufacture a software product. You know that there will always be people who run it in production straight out of the box.

      Did I hear somebody mention Wordpress? ;)

    8. Re:Short form: by F.Ultra · · Score: 1

      Strange that the installer script doesn't refuse to run if it detects that it's already installed? That should solve the problem even for stupid admins.

    9. Re:Short form: by dgatwood · · Score: 1

      That's the responsibility of the site admin, not the software writers.

      No, it really isn't. Software that can overwrite the configuration arbitrarily without authentication simply does not belong in a location where it can be executed remotely. That's a serious flaw in the software (and one that is shared with lots of other similar software). At a bare minimum, the install suite should immediately detect that a configuration file exists and should refuse to restart the install until the admin logs in via the shell and moves the config file aside.

      But for real security, I'd go one step further. The install tools should be a set of scripts that live outside the web root and are run locally by the user on the command line, rather than using a web UI to do the initial setup. Any design in which the setup process could be simultaneously performed by more than one person results in an inherent race condition in which someone could hijack the site and add a second admin account during the initial configuration process, and you might never even know that it happened.

      No, this is unsafe by design. Software should be safe by design in its default (untouched) configuration. This violates proper software security practices pretty egregiously. Yes, the admins should have read the directions, but that doesn't mean that the software writers are blameless by any stretch of the imagination.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    10. Re:Short form: by Anonymous Coward · · Score: 0

      Doesn't the install process tell you to delete directories like that already? (I have no idea but I've seen it in other similar installs). I suppose that's not something most people even realize they're supposed to do if not told to do it.

    11. Re:Short form: by Cramer · · Score: 1

      The whole damned thing is one continuous "remotely"... rarely is it installed by someone with a CLI (or a clue how to use one.) They ftp this stuff to a "www" server and start clicking. And then promptly ignore ("forget") the big flashing RED on the first page telling them to REMOVE the installer when done.

    12. Re:Short form: by unitron · · Score: 1

      Did I hear somebody mention Wordpress? ;)

      You mean the stuff so bad it makes VBulletin look good?

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

  2. CMS? by Anonymous Coward · · Score: 3, Informative

    Did vBulletin change or something. I thought vBulletin was forum software, this states CMS. Or is CMS the preferred buzzword du jour?

    Either way, this will mean more spam on lots of forums and more identity theft for those that use the same password for forums and bank accounts. Yawn.

    1. Re:CMS? by liamevo · · Score: 4, Funny

      When vbulletin was bought it was turned into a bloated piece of crap. It's only gotten worse since.

    2. Re:CMS? by Anonymous Coward · · Score: 0

      I always thought it was funny that the worst bloated forum software is also known as just 'VB'.

      They should port VBulletin to Visual Basic

    3. Re:CMS? by tlhIngan · · Score: 2

      Did vBulletin change or something. I thought vBulletin was forum software, this states CMS. Or is CMS the preferred buzzword du jour?

      Either way, this will mean more spam on lots of forums and more identity theft for those that use the same password for forums and bank accounts. Yawn.

      No, CMS is not the preferred term for forum software. However, a lot of forum software and CMS systems are becoming highly integrated because they do a lot of overlapping things.

      E.g., the front page may consist of news articles, but an integrated CMS-forum would let it be that it's a forum post in a specific forum, or it becomes one when written outside the forum. So the front page of a lot of sites is really driven by a post in the backend forums, and when you click on the comment link, it either links you direct to the forums, or a simplfied forum view based on existing forum content.

      Stuff like files and downloads can also be linked to internal forums (or generally more annoying), to forum posts themselves so they auto-update when the post gets updated.

      Add in other features like a wiki and direct editing and updating based on forum posts and you end up with a a relatively comprehensive CMS system that started as a forum application.

      There are many sites which would basically be a forum - they offer little to no content of their own, but have due to time or other factors became de-factor sites for discussing various topics. Upgrading the site to later versions of the forum software often add CMS features enabling one to "blog" based on existing forum activity.

      One could see how a regular blog (like say, /.) could really be seen as a lamer version of forum software.

    4. Re:CMS? by trogdor8667 · · Score: 3, Informative

      vBulletin added a CMS and blog component in a previous major rewrite.

  3. I got hit by this... by Anonymous Coward · · Score: 0

    On my small forum. They replaced the front page of the forum with some sort of Syrian propaganda. They could have done a lot worse. Took a little bit to figure out, but deleting the install directory is a good idea anyway.

    1. Re:I got hit by this... by NatasRevol · · Score: 3, Insightful

      Deleting the install directory is a good idea for the install scripts to do.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:I got hit by this... by denmarkw00t · · Score: 1

      Maybe, but what if something screws up? What if you want to test an installation setup and then try again? I don't know, you can't explain away incompetence of "admins," but you can argue some I guess. Most software developers would disagree with the notion of deleting the installer once install is complete - that's usually up to the user. You don't "make install" and the source code is gone, you don't install VLC and lose the DMG that it came on, you don't unzip and install forum software and then have no easy way to reinstall or fix a botched configuration.

    3. Re:I got hit by this... by NatasRevol · · Score: 2

      So make a check box that the admin can 'remove installer files'.

      This is relatively common for this type of software.

      If you're going to warn the admins to remove the files, give them an automated way to do so.

      --
      There are two types of people in the world: Those who crave closure
    4. Re:I got hit by this... by Anonymous Coward · · Score: 0

      And what software... Anywhere these days... Does the installer OR uninstaller clean the fuck up after itself?

      Yeah... None of them.
      Sloppy is the new standard.

    5. Re:I got hit by this... by master_kaos · · Score: 1

      and then you have the same problem you have now, they aren't going to check the "remove installer files" checkbox, and probably even uncheck it if it was defaulted to checked.

  4. Lazy admins? by Anonymous Coward · · Score: 3, Insightful

    When vBulletin itself suggests to remove all install directories after installing vBulletin, I'd put it down to lazy admins who can't be effed removing the said directories when advised to in the first place. Hence the "Be sure to delete the install directories, they are a security risk" disclaimer.

    1. Re:Lazy admins? by Anonymous Coward · · Score: 2, Insightful

      ...because having a default install configuration which allows total compromise of the site isn't incredibly irresponsible.

    2. Re:Lazy admins? by wiredlogic · · Score: 1

      How about lazy developers who can't be bothered to write code that checks and warns about improperly secured installations. Drupal does this. There's no reason a "CMS" like vBulletin can't either.

      --
      I am becoming gerund, destroyer of verbs.
    3. Re:Lazy admins? by Anonymous Coward · · Score: 0

      Problem is however that the vBulletin's advised way of running it is to have the folders removed. People operating it outside of the advised settings shouldn't be surprised when something goes wrong. The install scripts do important things like writing to the database, copying SQL information. performing first use operations. Who in their right mind would leave that sort of scripts available even though the job has been done?

    4. Re:Lazy admins? by Anonymous Coward · · Score: 0

      When I used to run vBulletin back in the 3.X.X days, I was aware of a notice in the AdminCP saying "The /install directory is still present. Please remove it".

      Invision Power Board was notorious for just leaving the directory there but placing an "install.lock" file to tell the install scripts to "die" when it was found.

      Don't know why VB doesn't do it, but I'm pretty sure they'd want to start advising people now that these sorts of hacks are coming back into common play.

    5. Re:Lazy admins? by master_kaos · · Score: 1

      Yup zencart does this to, puts a huge big ugly red banner at the top of the site telling you about any misconfigured settings, or keeping the install directory. They say at the very minimum change the directory name, or put it in a non web accessible location.

    6. Re:Lazy admins? by Anonymous Coward · · Score: 0

      I'd put it down to lazy admins who can't be effed removing the said directories

      What does the Electronic Frontier Foundation have to do with it?

  5. Old news by Reez · · Score: 4, Insightful

    This is old news (2013-08-27) even by Slashdot's standards. Forums that were vulnerable have been probably all hacked (then fixed) already ;)

    1. Re:Old news by Anonymous Coward · · Score: 0

      You wish! A well crafted google search can still find more than a handful of sites coming up that would seem to have the vulnerability exposed. Most of them look like crap to begin with, so I'm not sure how you'd know if they were already hacked.

  6. Can't be too common by Anonymous Coward · · Score: 0

    As someone who works as a sysadmin for a hosting company, I can't say I've seen any more than one of these sites - and I'm not even sure I'm remembering vBulletin, it could have been something else obscure.

  7. Not again by Anonymous Coward · · Score: 0

    It's the 2000's all over again.

  8. How nice of vBulleting for htel ist of targets by Anonymous Coward · · Score: 0

    http://www.vbulletin.org/forum/showthread.php?t=253527

  9. Re:CMS??? by filthpickle · · Score: 1

    Thought the exact same thing.

    There are 2 of us....this is troubling.

  10. And this is why by Anonymous Coward · · Score: 0

    This is why people should use Invision - http://www.invisionpower.com/apps/board/ instead of vbulletin. As far as I can recall over the last few years when security exploits were discovered in Invision they at least were forthcoming and explained what the issue was and how it was to be fixed etc instead of just hiding it.

    1. Re:And this is why by Anonymous Coward · · Score: 0

      What? I've seen iPBs disappear in a flash. I used to run one in 2003, latest, and while in the panel I saw a member register, hoping my board finally got atteniton, only to see the whole thing disappear.

    2. Re:And this is why by Anonymous Coward · · Score: 0

      What? I've seen iPBs disappear in a flash. I used to run one in 2003, latest, and while in the panel I saw a member register, hoping my board finally got atteniton, only to see the whole thing disappear.

      Sound's like maybe you were using Invisionfree or something. I ran several IPB boards from 2003-2006 and I never had one crash like that just because a member registered.

  11. if ($config['basedir']) screwoff(); by raymorris · · Score: 1

    Our setup related scripts refuse to run if the software is already configured. Something like:

    if ($config['basedir']) screwoff();

    That's in case someone forgets to delete them.

  12. idiots exist, therefore idiot proof it. holding it by raymorris · · Score: 1

    People at work are always saying "the user is doing it wrong". They say that all the time because users do it wrong all the time. A guy named Murphy made it a law - if there's a wrong way to do it, someone will do it wrong. (That's the actual original Murphy's law.)

    I'm constantly pointing out that yes, we KNOW that the users will do it wrong if we let them. We also know how to easily prevent those mistakes. Idiots exist, so idiot proof your software.