Security Bug

35,000 vBulletin Sites Have Already Been Exploited By Week Old Hole

realized writes "Last week Slashdot covered a new vBulletin exploit. Apparently hackers have been busy since then because according to security firm Imperva, more than 35,000 sites were recently hacked via this vulnerability. The sad part about this is that it could have all been avoided if the administrator of the websites just removed the /install and/or /core/install folders – something that you would think the installer should do on its own." Web applications that have write access to directories they then load code from have always seemed a bit iffy to me (wp-content anyone?)
  • My entire day job is coding in PHP (and Javascript, and MySQL, and Mongo, and Node, and...). Seems to work well for my company, as well as the dozens of others with whom I've worked.

    But keep using whatever's hot right now, it won't affect me one iota.

  • by pjrc ( 134994 ) <paul@pjrc.com> on Wednesday October 16, 2013 @03:13PM (#45146109) Homepage Journal

    My site uses vBulletin.

    This vulnerability is MUCH older than the 1 week mentioned in Slashdot's summary.

    Several weeks ago the vBulletin folks sent an email advisory to all registered users (e.g., people who actually paid for the software). In fact, they sent 2 messages. The first warned of this vulnerability and suggested immediately deleting the install folder, if it wasn't already deleted as recommended. The 2nd message, only a couple of days later, announced a new version which fixed this bug, even if the install folder was not deleted.

    vBulletin has a web-based admin control interface, separate from the main forum. Even in the old, vulnerable versions, the admin section will not work if the install folder still exists. It just displays a message saying you must delete the install folder before you're allowed admin access to your own forum. Any sites that were vulnerable to this bot must have been set up by just unpacking the zip file and then running the wizard to set up the database. It specifically tells you to delete the install folder at the end of that process. So anyone who got hit not only ignored that instruction, but also never even used the admin section of their forum, because it's intentionally disabled to force people to properly delete the install folder.

    Sure, there may be 30-some thousand forums out there with this problem, but every single one of them was set up so poorly that the forum owner never even accessed their admin interface.
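A leftover-installer audit for the two folders named in the summary and in pjrc's comment, added here as an example and not code from the story, Imperva or vBulletin. It assumes only the `install/` and `core/install/` locations quoted above, takes one or more document roots as arguments, and reports rather than deletes so an admin can review before removing.

```shell
#!/bin/sh
# Audit vBulletin document roots for leftover installer directories.
# Prints one "LEFTOVER <path>" line per directory found.
# Returns 0 when every root is clean, 1 when at least one leftover exists,
# so it can gate a deploy script or a cron-driven check across many vhosts.
audit_vb_install_dirs() {
  found=0
  for root in "$@"; do
    # Locations the advisory in the summary says must be removed after setup.
    for d in install core/install; do
      if [ -d "$root/$d" ]; then
        printf 'LEFTOVER %s\n' "$root/$d"
        found=1
      fi
    done
  done
  return "$found"
}

# Stand-alone use: audit_vb_install_dirs.sh /var/www/forum1 /var/www/forum2
if [ "$#" -gt 0 ]; then
  audit_vb_install_dirs "$@"
fi
```

Run it against every webroot you host; a non-zero exit from a hosting-wide cron job is an easy way to catch forums set up the way pjrc describes.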
