35,000 vBulletin Sites Have Already Been Exploited By Week Old Hole
realized writes "Last week Slashdot covered a new vBulletin exploit. Apparently hackers have been busy since then because according to security firm Imperva, more than 35,000 sites were recently hacked via this vulnerability. The sad part about this is that it could have all been avoided if the administrator of the websites just removed the /install and/or /core/install folders – something that you would think the installer should do on its own."
Web applications that have write access to directories they then load code from have always seemed a bit iffy to me (wp-content anyone?)
Months old by the rest of the internet...
not hard to do if you don't care about security you mean.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Learn some languages and build your own forum. It's not hard and all the skills you'll acquire will look great on a resume.
Right...because everyone who could ever want to use a forum is a web developer, right? And, of course, every one-off forum app will be TOTALLY free from vulnerabilities, of course. Oh, and let's not forget that there's no benefit whatsoever to different forums being somewhat similar in terms of user interaction...so let's just throw that out the door as well.
Seriously?
For your security, this post has been encrypted with ROT-13, twice.
How many abandoned forums overrun by spambots are there out there? Quite a lot, I reckon; this isn't surprising at all.
I just switched from using conventional passwords to 20+ character random strings and manage them with KeePassX. It took 3+ hours to go through all my 50+ different somewhat important accounts, but there's no way I'm using the same passwords on different sites anymore.
There have already been 5 serious leaks in services I use, including Adobe and my dedicated server provider.
Plus writing your own message board from scratch isn't an easy task. There is a LOT within these systems. I've been coding in PHP for about 8 years and even I don't want to take on this task.
GP is a fool. But do contribute to Vanilla or similar open source projects.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
You misspelled "batshit-insane".
If you watch your server access logs, you will regularly see bots checking for common install URLs of popular website software. I'm blown away that vBulletin's hasn't been targeted for years.
I've created my own forum software in the past. GP is vastly understating the complexity of modern forum software. That said, I encourage actual web developers to try it as an exercise.
Also, I think GP isn't differentiating between "secure" on the surface when you look at code that you've written, and "secure" against multiple thousands of potential adversaries when a product is used everywhere. They will think of things that you haven't. That's why you get code audited.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
GP is a fool. But do contribute to Vanilla or similar open source projects.
He might be a fool for thinking it's easy to put together a secure, stable, bug-free forum, but he's certainly not a fool for thinking that such an attempt looks good on a resume to a bunch of HR drones...
Since a self-written forum likely will have far less features, it will be far easier to make secure.
Provided you know what you're doing, of course.
Coughs, Unbelievably Not Thorough.
even I don't want to take on this task.
And neither should you, if you're the kind of person who admits to "coding in PHP".
Since a self-written forum likely will have far less features, it will be far easier to make secure.
Also, it is not directly vulnerable to specific exploits crafted against well-known bulletin board software.
Web applications that have write access to directories they then load code from have always seemed a bit iffy to me (wp-content anyone?)
It seems to be a common problem with PHP apps in general. They also seem to have problems with SSL proxying.
I don't serve PHP-based apps, no matter how pretty or useful, unless they are guaranteed to never be used externally.
What's the point of the hack? Great, you created an admin account on a vBulletin site, now what are you gonna do? Will you post spam, delete other people's posts, post propaganda? The story doesn't say what they are or intend to do with the compromised sites.
Does vBulletin store unsalted passwords?
The "provided you know what you're doing" part is the big that is surprisingly difficult to get right for non-trivial software.
It requires a fairly large investment in time and energy to know what you are doing. If you think it's "easy" you probably don't.
big = bit.
Probably not, but more likely vulnerable to schoolboy errors, unless the developer has already had experience in writing an internet exposed project of significant size.
Well yeah, as with any web app, you can't "just learn php and write your own forum!".
You'll need to learn css, html, php, sql, javascript and how to properly secure against stuff like SQL injection and cross site scripting. Php (or perl) is just a tiny part of a project like this.
Blame this on vB taking forever to come out with a patch once they knew about it. The actual software tells you when there is an update - AND - tells you to remove the /install/ now.
it's more than a month old actually.
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
August 13th.
It was a direct quote.
My entire day job is coding in PHP (and Javascript, and MySQL, and Mongo, and Node, and...). Seems to work well for my company, as well as the dozens of others with whom I've worked.
But keep using whatever's hot right now, it won't affect me one iota.
Why do database driven sites(forums) need to be able to write to the file system?
Why can't entire web sites like these be flagged read only to the file system?
Wouldn't that prevent 99.99% of these attacks?
A forum is a great learning exercise for people. I answer a lot of PHP and Javascript questions on the w3schools forum, and having a beginner design and develop a forum gives them exposure to a lot of skills (user authentication and management, form processing, file uploading, database design and API integration, ajax if they want to add it, etc). Something like a forum or photo gallery is a great beginner project to expose them to the majority of web programming skills that they'll use most often in a job.
But security is a completely separate topic. The OWASP site shows the breadth of application security as a topic. People often ask questions about what they need to do to make their site secure from hackers, and they ask about a function like mysqli::escape_string and think that that's all they need to know about security. It can be difficult to drill it into their head that security is an integral part of designing an application. Good programmers can make really obscure and really dangerous design decisions that could have a major impact on security, and unless you keep yourself aware of the breadth of vulnerabilities that you need to protect yourself from, then it's certainly no surprise that exploits get found in major professional products from time to time. You don't need to be a poor programmer to make a design decision that has a very negative, if subtle, impact on security.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
w3schools?
Why?
This is why people should use Invision - http://www.invisionpower.com/apps/board/ instead of vBulletin. As far as I can recall, over the last few years when security exploits were discovered in Invision, they at least were forthcoming and explained what the issue was and how it was to be fixed, etc., instead of just hiding it.
It's a good thing Slashdot's bulletin board is so ancient and convoluted that no one knows how to exploit it.
You have coded in PHP for 8 years?
Dear god, you poor bastard.
I've used vBulletin for years. While it's never had a particularly stellar security record, it has only gone down hill since Internet Brands bought Jelsoft.
The only remotely secure way to run vBulletin these days is to stick it in its own php-fpm pool with its own user account and ensure that all files are 440 and all directories are 550. The upload directories (customavatar, attachment, etc.) need to be 770 and then be excluded from PHP execution in your httpd config. Deleting "install/" goes without saying. (And we have it behind a Basic Auth, just in case someone forgets.)
Even today, with that fairly verbose nginx config and a fully patched and up to date vBulletin, I still find delightful files in my upload directories like "r00t.php" and "shell.php".
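As an added example (not from the comment above or from vBulletin itself), a POSIX shell audit that checks a forum docroot for the three things the commenter hardens by hand: leftover installer directories, 440/550 modes outside the upload directories, and PHP files dropped into them. The upload directory names (customavatar, customprofilepics, attachment) are assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added audit script, not from the comment above or from vBulletin itself.
# Checks a docroot for what the commenter hardens by hand: leftover installer
# dirs, 440/550 modes outside the upload dirs, and PHP files dropped into them.
# Upload directory names are assumed (customavatar, customprofilepics, attachment).

# 0 if neither install/ nor core/install/ remains under $1, else 1.
check_install_dirs() {
    rc=0
    for d in install core/install; do
        [ -d "$1/$d" ] || continue
        echo "WARN: leftover installer directory: $1/$d"; rc=1
    done
    return $rc
}

# 0 if every file outside the upload dirs is 440 and every directory below
# the docroot (upload dirs pruned) is 550, else 1.
check_modes() {
    bad=$(find "$1" -mindepth 1 \
        \( -name customavatar -o -name customprofilepics -o -name attachment \) -prune -o \
        \( -type f ! -perm 440 -o -type d ! -perm 550 \) -print)
    [ -z "$bad" ] && return 0
    echo "WARN: unexpected permissions:"; echo "$bad"; return 1
}

# 0 if no .php/.phtml file sits inside an upload directory, else 1. A hit (the
# "r00t.php" kind) means the httpd-level no-PHP rule for these dirs is missing
# or has been bypassed.
check_upload_dirs() {
    rc=0
    for d in customavatar customprofilepics attachment; do
        [ -d "$1/$d" ] || continue
        hits=$(find "$1/$d" -type f \( -name '*.php' -o -name '*.phtml' \) -print)
        [ -z "$hits" ] && continue
        echo "WARN: PHP files inside upload directory $1/$d:"; echo "$hits"; rc=1
    done
    return $rc
}

# Run every check; 0 only when all pass (use as a cron job or post-upgrade step).
audit() {
    overall=0
    check_install_dirs "$1" || overall=1
    check_modes "$1" || overall=1
    check_upload_dirs "$1" || overall=1
    return $overall
}
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

Run it as `sh vb-audit.sh /path/to/forum`; a non-zero exit means at least one finding was printed.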
Oh? You're on shared hosting? Good luck with that...
My site uses vBulletin.
This vulnerability is MUCH older than the 1 week mentioned in Slashdot's summary.
Several weeks ago the vBulletin folks sent an email advisory to all registered users (e.g., people who actually paid for the software). In fact, they sent 2 messages. The first warned of this vulnerability and suggested immediately deleting the install folder, if it wasn't already deleted as recommended. The 2nd message, only a couple of days later, announced a new version which fixed this bug, even if the install folder was not deleted.
vBulletin has a web-based admin control interface, separate from the main forum. Even in the old, vulnerable versions, the admin section will not work if the install folder still exists. It just displays a message saying you must delete the install folder before you're allowed admin access to your own forum. Any sites that were vulnerable to this bot must have been set up by just unpacking the zip file and then running the wizard to set up the database. It specifically tells you to delete the install folder at the end of that process. So anyone who got hit not only ignored that instruction, but also never even used the admin section of their forum, because it's intentionally disabled to force people to properly delete the install folder.
Sure, there may be 30-some thousand forums out there with this problem, but every single one of them was set up so poorly that the forum owner never even accessed their admin interface.
PJRC: Electronic Projects, 8051 Microcontroller Tools
USENET never had this problem.
Give me Classic Slashdot or give me death!
Can someone please post a couple of links to show what the software looks like on a site. I have no idea what the typical layout and default look and feel is like.
work in progress
I always assume that it's pretty standard practice to delete any /install folder. I mean seriously... Not only are you keeping your installation tidy, but obviously it prevents anyone from re-running any install scripts.
So it either comes down to people being lazy or just not knowing. I forget how many "webmasters" or "developers" are out there that don't even know the basics. As sort of an argument point spin-off, better software has led to less hands on deployment and made it easier for more people to deploy sites. In this vein people haven't learned how to RTFM since installs are so easy. /rant
Sadly most people that install forum software of any type, just don't follow security bulletins, or read install instructions properly anyways. Damn computer amateurs...
That's the point. But it's like Linux leaving /tmp open and not using per-user tmp (/home/xx/tmp) folders when the server gets hit. Unless it reboots, anyone can write anything, ANY size, to /tmp.
Delete the install/setup script when done. It's common sense.
Actually? Most of them actually more closely resemble orchestration software suites or application server middleware.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
It is proprietary software with open source. It means you will pay at least $599/year and the source is open to hackers for them to find bugs and exploit.
Could you tell us why in the hell I should contribute to such a thing?
I thought you had this sorted.
It's GPLv2. What are you talking about?
Yes, I am suggesting it is not trivial, or there would be a high quality, full-featured, secure open source version available that had a stellar security record. Unless you can point me to such a project? No? Thought not.
How would having that on my resume help me to get work oil wells?
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"