Security PHP

Dangerous VBulletin Exploit In the Wild

Posted by Unknown Lamer
from the going-back-to-usenet dept.
An anonymous reader writes "vBulletin is a popular proprietary CMS that was recently reported to be vulnerable to an unspecified attack vector. Although vBulletin has not disclosed the root cause of the vulnerability or its impact, we determined the attacker's methods. The identified vulnerability allows an attacker to abuse the vBulletin configuration mechanism in order to create a secondary administrative account. Once the attacker creates the account, they will have full control over the exploited vBulletin application, and subsequently the supported site."
  • Short form: (Score:5, Informative)

    by Minupla (62455) <minupla@gmai l . com> on Wednesday October 09, 2013 @09:37AM (#45081033) Homepage Journal

    For the TL;DR crowd:

    * Delete /core/install and /install directory in all 4.x and 5.x vBulletin installs or block access to same. Do it now.

    Min
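The remediation above (remove `/install` and `/core/install`, or block access to them) as an added shell example, not code from the article or from vBulletin: it audits a document root for the two leftover installer directories and drops a deny-all `.htaccess` into any it finds. The docroot argument, the function names and the directory list are this example's own; deleting the directories remains the stronger fix.

```shell
#!/bin/sh
# Added example (not from the article or vBulletin): find leftover installer
# directories under a vBulletin docroot and block HTTP access to them.
# The two relative paths are the ones named in the thread; everything else
# (function names, docroot argument) is assumed for this example.

VB_INSTALL_DIRS="install core/install"

# Print each installer directory still present under the given docroot.
# Exit status follows grep: 0 if at least one was found, 1 if the root is clean.
vb_find_install_dirs() {
    docroot=$1
    found=1
    for d in $VB_INSTALL_DIRS; do
        if [ -d "$docroot/$d" ]; then
            echo "$docroot/$d"
            found=0
        fi
    done
    return $found
}

# Write a deny-all .htaccess (Apache 2.4 and 2.2 syntax) into each leftover
# installer directory so it cannot be reached over HTTP.
vb_block_install_dirs() {
    docroot=$1
    for d in $VB_INSTALL_DIRS; do
        [ -d "$docroot/$d" ] || continue
        cat > "$docroot/$d/.htaccess" <<'EOF'
# Installer left over after setup: refuse all HTTP access.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
    done
}

# Usage: sh vb_install_audit.sh /var/www/forum   (path is a placeholder)
if [ -n "$1" ]; then
    if vb_find_install_dirs "$1"; then
        vb_block_install_dirs "$1"
        echo "access blocked; now delete the directories listed above"
    else
        echo "no installer directories found under $1"
    fi
fi
```

Run it against every 4.x and 5.x docroot on the host; the `.htaccess` only takes effect where Apache honours per-directory overrides, so confirm with a request to the path afterwards.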

    • Re:Short form: (Score:4, Insightful)

      by rsmith-mac (639075) on Wednesday October 09, 2013 @10:10AM (#45081283)

      What's odd is that those directories shouldn't be public in the first place. You're supposed to remove them (or block them) once the install is done and before you turn the forum live.

      • Re:Short form: (Score:5, Insightful)

        by 2fuf (993808) on Wednesday October 09, 2013 @10:23AM (#45081391)

        You're also not supposed to have security compromising settings activated by default, when you manufacture a software product. You know that there will always be people who run it in production straight out of the box.

        • That's the responsibility of the site admin, not the software writers. Granted, it's probably that easy because too many "admins" would complain at the complexity of opening up a folder to proper access for the installation - "What's this permissions stuff anyway??" You can also consider that some "admins" are going to leave doors open, no matter how many warnings and locks you put in.

          • by dgatwood (11270)

            That's the responsibility of the site admin, not the software writers.

            No, it really isn't. Software that can overwrite the configuration arbitrarily without authentication simply does not belong in a location where it can be executed remotely. That's a serious flaw in the software (and one that is shared with lots of other similar software). At a bare minimum, the install suite should immediately detect that a configuration file exists and should refuse to restart the install until the admin logs in via

            • by Cramer (69040)

              The whole damned thing is one continuous "remotely"... rarely is it installed by someone with a CLI (or a clue how to use one.) They ftp this stuff to a "www" server and start clicking. And then promptly ignore ("forget") the big flashing RED on the first page telling them to REMOVE the installer when done.

        • by Minupla (62455)

          Agreed - my message was not intended to suggest that the software was excused, more c/p-ing the remediation instructions from TFA as a public service.

          Min

      • What's odd is that those directories shouldn't be public in the first place. You're supposed to remove them (or block them) once the install is done and before you turn the forum live.

        Yep, pretty sure that's part of the installation instructions. Not exactly a product vulnerability, more like a couple lazy admins didn't close the door when they finished moving in.

      • What's odd is that those directories shouldn't be public in the first place. You're supposed to remove them (or block them) once the install is done and before you turn the forum live.

        So, what you're saying is: While you're doing the install the server is hosting PHP, and the admin pages make the board vulnerable, so you should limit it to your IP address at least -- And you have to do this outside of the software, there's no Install_IP = [your IP] config to set prior to uploading this executable code.

        Additionally, when the setup is done it doesn't just delete those damn files? Think about it. You JUST installed the software. Deleting those files has no downside. If you need to re-i

      • by F.Ultra (1673484)
        Strange that the installer script doesn't refuse to run if it detects that it's already installed? That should solve the problem even for stupid admins.
  • CMS? (Score:3, Informative)

    by Anonymous Coward on Wednesday October 09, 2013 @09:40AM (#45081055)

    Did vBulletin change or something. I thought vBulletin was forum software, this states CMS. Or is CMS the preferred buzzword du jour?

    Either way, this will mean more spam on lots of forums and more identity theft for those that use the same password for forums and bank accounts. Yawn.

    • Re:CMS? (Score:5, Funny)

      by liamevo (1358257) on Wednesday October 09, 2013 @10:04AM (#45081233)

      When vbulletin was bought it was turned into a bloated piece of crap. It's only gotten worse since.

    • by tlhIngan (30335)

      Did vBulletin change or something. I thought vBulletin was forum software, this states CMS. Or is CMS the preferred buzzword du jour?

      Either way, this will mean more spam on lots of forums and more identity theft for those that use the same password for forums and bank accounts. Yawn.

      No, CMS is not the preferred term for forum software. However, a lot of forum software and CMS systems are becoming highly integrated because they do a lot of overlapping things.

      E.g., the front page may consist of news articles,

    • Re:CMS? (Score:4, Informative)

      by trogdor8667 (817114) on Wednesday October 09, 2013 @05:05PM (#45085639) Homepage

      vBulletin added a CMS and blog component in a previous major rewrite.

  • Lazy admins? (Score:3, Insightful)

    by Anonymous Coward on Wednesday October 09, 2013 @09:54AM (#45081165)

    When vBulletin itself suggests to remove all install directories after installing vBulletin, I'd put it down to lazy admins who can't be effed removing the said directories when advised to in the first place. Hence the "Be sure to delete the install directories, they are a security risk" disclaimer.

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      ...because having a default install configuration which allows total compromise of the site isn't incredibly irresponsible.
    • How about lazy developers who can't be bothered to write code that checks and warns about improperly secured installations. Drupal does this. There's no reason a "CMS" like vBulletin can't either.

      • Yup, zencart does this too; it puts a huge big ugly red banner at the top of the site telling you about any misconfigured settings, or about keeping the install directory. They say at the very minimum change the directory name, or put it in a non web accessible location.
  • Old news (Score:4, Insightful)

    by Reez (65123) on Wednesday October 09, 2013 @10:02AM (#45081217)

    This is old news (2013-08-27) even by Slashdot's standards. Forums that were vulnerable have been probably all hacked (then fixed) already ;)
