Dangerous VBulletin Exploit In the Wild 43
An anonymous reader writes "vBulletin is a popular proprietary CMS that was recently reported to be vulnerable to an unspecified attack vector. Although vBulletin has not disclosed the root cause of the vulnerability or its impact, we determined the attacker's methods. The identified vulnerability allows an attacker to abuse the vBulletin configuration mechanism in order to create a secondary administrative account. Once the attacker creates the account, they will have full control over the exploited vBulletin application, and subsequently the supported site."
Short form: (Score:5, Informative)
For the TL;DR crowd:
* Delete /core/install and /install directory in all 4.x and 5.x vBulletin installs or block access to same. Do it now.
Min
Re:Short form: (Score:4, Insightful)
What's odd is that those directories shouldn't be public in the first place. You're supposed to remove them (or block them) once the install is done and before you turn the forum live.
Re:Short form: (Score:5, Insightful)
You're also not supposed to have security compromising settings activated by default, when you manufacture a software product. You know that there will always be people who run it in production straight out of the box.
Re: (Score:2)
That's the responsibility of the site admin, not the software writers. Granted, it's probably that easy because too many "admins" would complain at the complexity of opening up a folder to proper access for the installation - "What's this permissions stuff anyway??" You can also consider that some "admins" are going to leave doors open, no matter how many warnings and locks you put in.
Re: (Score:2)
No, it really isn't. Software that can overwrite the configuration arbitrarily without authentication simply does not belong in a location where it can be executed remotely. That's a serious flaw in the software (and one that is shared with lots of other similar software). At a bare minimum, the install suite should immediately detect that a configuration file exists and should refuse to restart the install until the admin logs in via
Re: (Score:1)
The whole damned thing is one continuous "remotely"... rarely is it installed by someone with a CLI (or a clue how to use one.) They ftp this stuff to a "www" server and start clicking. And then promptly ignore ("forget") the big flashing RED on the first page telling them to REMOVE the installer when done.
Re: (Score:2)
Agreed - my message was not intended to suggest that the software was excused, more c/p-ing the remediation instructions from TFA as a public service.
Min
Re: (Score:2)
Did I hear somebody mention Wordpress? ;)
You mean the stuff so bad it makes VBulletin look good?
Re: (Score:2)
What's odd is that those directories shouldn't be public in the first place. You're supposed to remove them (or block them) once the install is done and before you turn the forum live.
Yep, pretty sure that's part of the installation instructions. Not exactly a product vulnerability, more like a couple lazy admins didn't close the door when they finished moving in.
Re: (Score:2)
What's odd is that those directories shouldn't be public in the first place. You're supposed to remove them (or block them) once the install is done and before you turn the forum live.
So, what you're saying is: While you're doing the install the server is hosting PHP, and the admin pages make the board is vulnerable, you should limit it to your IP address at least -- And you have to do this outside of the software, there's no Install_IP = [your IP] config to set prior to uploading this executable code.
Additionally, when the setup is done it doesn't just delete those damn files? Think about it. You JUST installed the software. Deleting those files has no downside. If you need to re-i
Re: (Score:2)
CMS? (Score:3, Informative)
Did vBulletin change or something. I thought vBulletin was forum software, this states CMS. Or is CMS the preferred buzzword du jour?
Either way, this will mean more spam on lots of forums and more identity theft for those that use the same password for forums and bank accounts. Yawn.
Re:CMS? (Score:5, Funny)
When vbulletin was bought it was turned into a bloated piece of crap. It's only gotten worse since.
Re: (Score:3)
No, CMS is not the preferred term for forum software. However, a lot of forum software and CMS systems are becoming highly integrated because they do a lot of overlapping things.
E.g., the front page may consist of news articles,
Re:CMS? (Score:4, Informative)
vBulletin added a CMS and blog component in a previous major rewrite.
Re:I got hit by this... (Score:4, Insightful)
Deleting the install directory is a good idea for the install scripts to do.
Re: (Score:2)
Maybe, but what if something screws up? What if you want to test an installation setup and then try again? I don't know, you can't explain away incompetence of "admins," but you can argue some I guess. Most software developers would disagree with the notion of deleting the installer once install is complete - that's usually up to the user. You don't "make install" and the source code is gone, you don't install VLC and lose the DMG that it came on, you don't unzip and install forum software and then have no
Re: (Score:3)
So make a check box that the admin can 'remove installer files'.
This is relatively common for this type of software.
If you're going to warn the admins to remove the files, give them an automated way to do so.
Re: (Score:2)
if ($config['basedir']) screwoff(); (Score:2)
Our setup related scripts refuse to run if the software is already configured. Something like:
if ($config['basedir']) screwoff();
That's in case someone forgets to delete them.
Re: (Score:2)
There are 2 of us....this is troubling.
Lazy admins? (Score:3, Insightful)
When vBulletin itself suggests to remove all install directories after installing vBulletin, I'd put it down to lazy admins who can't be effed removing the said directories when advised to in the first place. Hence the "Be sure to delete the install directories, they are a security risk" disclaimer.
Re: (Score:2, Insightful)
idiots exist, therefore idiot proof it. holding it (Score:2)
People at work are always saying "the user is doing it wrong". They say that all the time because users do it wrong all the time. A guy named Murphy made it a law - if there's a wrong way to do it, someone will do it wrong. (That's the actual original Murphy's law.)
I'm constantly pointing out that yes, we KNOW that the users will do it wrong if we let them. We also know how to easily prevent those mistakes. Idiots exist, so idiot proof your software.
Re: (Score:2)
How about lazy developers who can't be bothered to write code that checks and warns about improperly secured installations. Drupal does this. There's no reason a "CMS" like vBulletin can't either.
Re: (Score:2)
Old news (Score:4, Insightful)
This is old news (2013-08-27) even by Slashdot's standards. Forums that were vulnerable have been probably all hacked (then fixed) already ;)