Slashdot Mirror


Dangerous VBulletin Exploit In the Wild

An anonymous reader writes "vBulletin is a popular proprietary CMS that was recently reported to be vulnerable to an unspecified attack vector. Although vBulletin has not disclosed the root cause of the vulnerability or its impact, we determined the attacker's methods. The identified vulnerability allows an attacker to abuse the vBulletin configuration mechanism in order to create a secondary administrative account. Once the attacker creates the account, they will have full control over the exploited vBulletin application, and subsequently the supported site."

12 of 43 comments

  1. Short form: by Minupla · · Score: 5, Informative

    For the TL;DR crowd:

    * Delete the /core/install and /install directories in all 4.x and 5.x vBulletin installs or block access to same. Do it now.

    Min

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before

    1. Re:Short form: by rsmith-mac · · Score: 3, Insightful

      What's odd is that those directories shouldn't be public in the first place. You're supposed to remove them (or block them) once the install is done and before you turn the forum live.

    2. Re:Short form: by 2fuf · · Score: 4, Insightful

      You're also not supposed to have security compromising settings activated by default, when you manufacture a software product. You know that there will always be people who run it in production straight out of the box.
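
The advice above (delete or block /install and /core/install) turned into a script that can be run against several vhosts at once. This is an added example for this page, not vBulletin's own tooling and not code from anyone in the thread; the two paths are the ones named by Minupla, while the function names, the document-root argument and the Apache/nginx fragments are assumptions. It audits, optionally removes, and prints deny rules for admins who cannot delete immediately; the removal refuses to run on an empty or missing document root so a blank variable can never turn into `rm -rf /install`.

```shell
#!/bin/sh
# Added example (not vBulletin's tooling): audit one or more vBulletin
# document roots for leftover installer directories, remove them, and
# print web-server rules that refuse requests to those paths.
# The paths /install and /core/install are the ones named in the thread;
# the function names and the document-root argument are assumptions.

# Installer directories shipped with vBulletin 4.x (/install) and 5.x
# (/core/install), relative to the document root.
VB_INSTALL_DIRS="install core/install"

# vb_find_installers DOCROOT
# Prints each leftover installer directory under DOCROOT, one per line.
# Returns 0 if at least one was found, 1 if the site is clean.
vb_find_installers() {
    vb_root=$1
    vb_found=1
    for vb_rel in $VB_INSTALL_DIRS; do
        if [ -d "$vb_root/$vb_rel" ]; then
            printf '%s\n' "$vb_root/$vb_rel"
            vb_found=0
        fi
    done
    return $vb_found
}

# vb_remove_installers DOCROOT
# Deletes the installer directories under DOCROOT. Refuses to run unless
# DOCROOT is an existing directory, so an empty variable can never turn
# the rm into "rm -rf /install". Returns 0 if the site is clean afterwards,
# 2 if DOCROOT was rejected.
vb_remove_installers() {
    vb_root=$1
    if [ -z "$vb_root" ] || [ ! -d "$vb_root" ]; then
        printf 'vb_remove_installers: "%s" is not a directory\n' "$vb_root" >&2
        return 2
    fi
    for vb_rel in $VB_INSTALL_DIRS; do
        if [ -d "$vb_root/$vb_rel" ]; then
            rm -rf -- "$vb_root/$vb_rel"
        fi
    done
    ! vb_find_installers "$vb_root" >/dev/null
}

# vb_deny_rules
# Prints configuration fragments for Apache 2.4 and nginx that answer 403
# for /install and /core/install, for sites that cannot delete the
# directories right away. Blocking only covers requests that pass through
# this web server; deleting the directories removes the code outright.
vb_deny_rules() {
    cat <<'EOF'
# Apache 2.4 (inside the <VirtualHost>)
<LocationMatch "^/(core/)?install(/|$)">
    Require all denied
</LocationMatch>

# nginx (inside the server {} block)
location ~ ^/(core/)?install(/|$) {
    return 403;
}
EOF
}

# vb_audit DOCROOT...
# Lists leftover installer directories across several vhosts.
# Returns 0 when every root is clean, 1 when any still has one.
vb_audit() {
    vb_dirty=0
    for vb_root_arg in "$@"; do
        if vb_find_installers "$vb_root_arg"; then
            vb_dirty=1
        fi
    done
    return $vb_dirty
}

# Usage: sh vb_install_audit.sh /var/www/forum /var/www/forum2 ...
# Prints offending directories and exits 1 when any were found.
if [ "$#" -gt 0 ]; then
    vb_audit "$@"
fi
```

Run the audit from cron against every forum document root and alert on a non-zero exit; once the directories are gone, the deny rules are a belt-and-braces measure against a future upgrade that recreates them.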

  2. CMS? by Anonymous Coward · · Score: 3, Informative

    Did vBulletin change or something? I thought vBulletin was forum software, this states CMS. Or is CMS the preferred buzzword du jour?

    Either way, this will mean more spam on lots of forums and more identity theft for those that use the same password for forums and bank accounts. Yawn.

    1. Re:CMS? by liamevo · · Score: 4, Funny

      When vbulletin was bought it was turned into a bloated piece of crap. It's only gotten worse since.

    2. Re:CMS? by tlhIngan · · Score: 2

      Did vBulletin change or something? I thought vBulletin was forum software, this states CMS. Or is CMS the preferred buzzword du jour?

      Either way, this will mean more spam on lots of forums and more identity theft for those that use the same password for forums and bank accounts. Yawn.

      No, CMS is not the preferred term for forum software. However, a lot of forum software and CMS systems are becoming highly integrated because they do a lot of overlapping things.

      E.g., the front page may consist of news articles, but an integrated CMS-forum would let it be that it's a forum post in a specific forum, or it becomes one when written outside the forum. So the front page of a lot of sites is really driven by a post in the backend forums, and when you click on the comment link, it either links you direct to the forums, or a simplified forum view based on existing forum content.

      Stuff like files and downloads can also be linked to internal forums (or generally more annoying), to forum posts themselves so they auto-update when the post gets updated.

      Add in other features like a wiki and direct editing and updating based on forum posts and you end up with a relatively comprehensive CMS system that started as a forum application.

      There are many sites which would basically be a forum - they offer little to no content of their own, but have, due to time or other factors, become de facto sites for discussing various topics. Upgrading the site to later versions of the forum software often adds CMS features enabling one to "blog" based on existing forum activity.

      One could see how a regular blog (like say, /.) could really be seen as a lamer version of forum software.

    3. Re:CMS? by trogdor8667 · · Score: 3, Informative

      vBulletin added a CMS and blog component in a previous major rewrite.

  3. Lazy admins? by Anonymous Coward · · Score: 3, Insightful

    When vBulletin itself suggests to remove all install directories after installing vBulletin, I'd put it down to lazy admins who can't be effed removing the said directories when advised to in the first place. Hence the "Be sure to delete the install directories, they are a security risk" disclaimer.

    1. Re:Lazy admins? by Anonymous Coward · · Score: 2, Insightful

      ...because having a default install configuration which allows total compromise of the site isn't incredibly irresponsible.

  4. Old news by Reez · · Score: 4, Insightful

    This is old news (2013-08-27) even by Slashdot's standards. Forums that were vulnerable have been probably all hacked (then fixed) already ;)

  5. Re:I got hit by this... by NatasRevol · · Score: 3, Insightful

    Deleting the install directory is a good idea for the install scripts to do.

    --
    There are two types of people in the world: Those who crave closure

  6. Re:I got hit by this... by NatasRevol · · Score: 2

    So make a check box that the admin can 'remove installer files'.

    This is relatively common for this type of software.

    If you're going to warn the admins to remove the files, give them an automated way to do so.

    --
    There are two types of people in the world: Those who crave closure