vBulletin Mods

The Official vBulletin Modifications Site
https://www.vbulletin.org/forum/showthread.php?t=327567

Is anyone maintaining VB4? Fixes, etc.?
by gambler726
28 Sep 2019 17:56

I am still using VB 4 and am reluctant to try VB5 based on what I read and based on the comparisons in the links below, it looks like very few have moved from VB4 to 5.

https://www.similartech.com/compare/...s-vbulletin-5x

https://www.similartech.com/compare/...-5x-vs-xenforo

https://www.similartech.com/compare/...-4x-vs-xenforo

I would also consider Xenforo but it's an unknown to me after 15 years with VB.

Here's the thing: I get this email out of nowhere from some one who says VB4 has a sql injection vulnerability and he wants to report this to my admin. I don't know if this is a scam to get me to pay him to fix it, but the email lists all of my database tables, which makes me uneasy, and they tell me all the data is accessible.

Again, possible scam but he has my attention.

I report it to my webhosting company to see that they think (and they are very good) and they tell me since VB4 is at end of life, I should upgrade to VB5 or risk continued security breaches.

Hence, the title of this post - is anyone out there still updating VB4 for security patches, etc.?

Another question, what's your thought on that provocative email? scam, threat or something else?

Thanks.

Dave 28 Sep 2019 18:56

If he said he found a SQL injection vulnerability in vBulletin 4, it's also possible that it's in one of the plugins you have installed and not in the core files of the forum. Are you sure he sent you a list of your actual database tables or did he just show you a list of the tables that are present in the default vBulletin 4 installation?

As far as I know, there are no known and public security vulnerabilities in the latest vBulletin 4 version. Even if someone published a vBulletin 4 exploit, there are plenty of people, including myself, who would publish an unofficial fix for it.

gambler726 28 Sep 2019 20:04

Thanks for the quick response.

Quote:

Originally Posted by Dave (Post 2600815)
If he said he found a SQL injection vulnerability in vBulletin 4, it's also possible that it's in one of the plugins you have installed and not in the core files of the forum. Are you sure he sent you a list of your actual database tables or did he just show you a list of the tables that are present in the default vBulletin 4 installation?

It was a list of the actual tables with my specific prefixes plus other tables I created.

Quote:

Originally Posted by Dave (Post 2600815)
As far as I know, there are no known and public security vulnerabilities in the latest vBulletin 4 version. Even if someone published a vBulletin 4 exploit, there are plenty of people, including myself, who would publish an unofficial fix for it.

I've gotten most, if not all, of my plugins from VB.org, and I use a lot of them. Turning them off, as I have done, makes it look like a different forum. I assume disabling them does not prevent the vulnerabilities?

Here is the email thread - everything is from the emailer. I may have made a mistake but I did reply once with a "thanks, I will look into it"


Quote:

On Fri, Sep 27, 2019 at 12:12 AM
Hi
I have found SQL injection vulnerability on website.
How i can report it?


On Fri, Sep 27, 2019 at 12:16 AM
its possible to retrieve data base information.

On Fri, Sep 27, 2019 at 12:27 AM
[Listed the tables]


Sent: Thursday, September 26, 2019 4:31 PM

all users information are affected now.
I am looking for admin for bug report.

On Fri, Sep 27, 2019 at 7:13 AM
Will I get compensated for my help?

There is impact. of vulnerability. There is potential attacker can take users information and more...

Dave 28 Sep 2019 20:13

Disabling the plugins, if they are coded properly, should disable them completely and prevent access to its hooks/files.

Feel free to PM me the URL of your forum and I will take a look and determine if I can find a vulnerability somewhere. If I can find something, I'll let you know the details and what further steps to take.

In Omnibus 28 Sep 2019 21:03

This sounds like a scam to me. Exploits are publicized. If there were one it would be reported by a lot of vBulletin 4 users, including myself.

Meister2017 28 Sep 2019 21:09

Why does it have to be fraud? If he has screenshots of the database it will be true. Every script has security holes and if you have plugins installed, the danger is even greater.

In Omnibus 28 Sep 2019 21:46

Quote:

Originally Posted by Meister2017 (Post 2600819)
Why does it have to be fraud? If he has screenshots of the database it will be true. Every script has security holes and if you have plugins installed, the danger is even greater.

The number of vBulletin 4 sites running plugins is in the thousands last I knew. The odds that one site has a security vulnerability discovered by one individual which has not been exploited or reported by others are virtually zero. I personally administrate a dozen vBulletin 4 sites, all of which use third party modifications. Not one of them has had an issue as I type this.

Screenshots don't prove anything. I can create a screenshot of any vBulletin database just by creating an empty database and installing a fresh copy of the software.

It's patently false to say that "every script" has security holes. I'm not even going to argue that because it's a non-starter. There are scripts that don't even access the database.

Is it possible there's an exploit out there? Of course. Is there any empirical evidence of one being out there? Not at this time.

iA1 28 Sep 2019 22:52

Quote:

Originally Posted by In Omnibus (Post 2600820)
Screenshots don't prove anything. I can create a screenshot of any vBulletin database just by creating an empty database and installing a fresh copy of the software.

OP says it is a list of his database tables, along with the prefix and it includes his own custom tables in it. I don't think it is a scam. You can create a generic db table list, but the probability of applying the same prefix used by OP and adding his custom tables in it is virtually zero.

There should be a system in place here at vb.org to scan all submitted plugins for security issues before allowing them for public download.

Dave 28 Sep 2019 23:03

Just so everyone is aware, I looked at the forum of OP and the security issue was present in non-vBulletin related scripts. Currently helping him fix the vulnerabilities.

In Omnibus 29 Sep 2019 00:26

Quote:

Originally Posted by Dave (Post 2600823)
Just so everyone is aware, I looked at the forum of OP and the security issue was present in non-vBulletin related scripts. Currently helping him fix the vulnerabilities.

Thanks, Dave. Can you share what scripts are involved in case anyone else is running them?

Dave 29 Sep 2019 02:10

Quote:

Originally Posted by In Omnibus (Post 2600824)
Thanks, Dave. Can you share what scripts are involved in case anyone else is running them?

It was all custom made so no one would have these scripts running on their webserver.

In Omnibus 29 Sep 2019 03:25

Quote:

Originally Posted by Dave (Post 2600825)
It was all custom made so no one would have these scripts running on their webserver.

OK. Thanks for the info. Now no one has to overreact. :D

gambler726 29 Sep 2019 16:26

Thanks for your help Dave!

And thanks for everyone's input.


All times are GMT. The time now is 12:32.

Powered by vBulletin® Version 3.8.14
Copyright © 2020, MH Sub I, LLC dba vBulletin. All Rights Reserved. vBulletin® is a registered trademark of MH Sub I, LLC
Copyright ©2001 - , vbulletin.org. All rights reserved.