
Dangerous VBulletin Exploit In the Wild

Unknown Lamer posted 1 year,13 days | from the going-back-to-usenet dept.

Security 43

An anonymous reader writes "vBulletin is a popular proprietary CMS that was recently reported to be vulnerable to an unspecified attack vector. Although vBulletin has not disclosed the root cause of the vulnerability or its impact, we determined the attacker's methods. The identified vulnerability allows an attacker to abuse the vBulletin configuration mechanism in order to create a secondary administrative account. Once the attacker creates the account, they will have full control over the exploited vBulletin application, and subsequently the supported site."


Short form: (5, Informative)

Minupla (62455) | 1 year,13 days | (#45081033)

For the TL;DR crowd:

* Delete /core/install and /install directory in all 4.x and 5.x vBulletin installs or block access to same. Do it now.

Min

Re:Short form: (3, Insightful)

rsmith-mac (639075) | 1 year,13 days | (#45081283)

What's odd is that those directories shouldn't be public in the first place. You're supposed to remove them (or block them) once the install is done and before you turn the forum live.

Re:Short form: (4, Insightful)

2fuf (993808) | 1 year,13 days | (#45081391)

You're also not supposed to have security compromising settings activated by default, when you manufacture a software product. You know that there will always be people who run it in production straight out of the box.

Re:Short form: (1)

denmarkw00t (892627) | 1 year,13 days | (#45081907)

That's the responsibility of the site admin, not the software writers. Granted, it's probably that easy because too many "admins" would complain at the complexity of opening up a folder to proper access for the installation - "What's this permissions stuff anyway??" You can also consider that some "admins" are going to leave doors open, no matter how many warnings and locks you put in.

Re:Short form: (1)

dgatwood (11270) | 1 year,13 days | (#45084701)

That's the responsibility of the site admin, not the software writers.

No, it really isn't. Software that can overwrite the configuration arbitrarily without authentication simply does not belong in a location where it can be executed remotely. That's a serious flaw in the software (and one that is shared with lots of other similar software). At a bare minimum, the install suite should immediately detect that a configuration file exists and should refuse to restart the install until the admin logs in via the shell and moves the config file aside.

But for real security, I'd go one step further. The install tools should be a set of scripts that live outside the web root and are run locally by the user on the command line, rather than using a web UI to do the initial setup. Any design in which the setup process could be simultaneously performed by more than one person results in an inherent race condition in which someone could hijack the site and add a second admin account during the initial configuration process, and you might never even know that it happened.

No, this is unsafe by design. Software should be safe by design in its default (untouched) configuration. This violates proper software security practices pretty egregiously. Yes, the admins should have read the directions, but that doesn't mean that the software writers are blameless by any stretch of the imagination.

Re:Short form: (1)

Cramer (69040) | 1 year,12 days | (#45088877)

The whole damned thing is one continuous "remotely"... rarely is it installed by someone with a CLI (or a clue how to use one.) They ftp this stuff to a "www" server and start clicking. And then promptly ignore ("forget") the big flashing RED on the first page telling them to REMOVE the installer when done.

Re:Short form: (1)

Minupla (62455) | 1 year,13 days | (#45081913)

Agreed - my message was not intended to suggest that the software was excused, more c/p-ing the remediation instructions from TFA as a public service.

Min

Re:Short form: (0)

Anonymous Coward | 1 year,13 days | (#45083489)

You're also not supposed to have security compromising settings activated by default, when you manufacture a software product. You know that there will always be people who run it in production straight out of the box.

Did I hear somebody mention Wordpress? ;)

Re:Short form: (1)

unitron (5733) | 1 year,8 days | (#45122007)

Did I hear somebody mention Wordpress? ;)

You mean the stuff so bad it makes VBulletin look good?

Re:Short form: (1)

kelemvor4 (1980226) | 1 year,13 days | (#45081929)

What's odd is that those directories shouldn't be public in the first place. You're supposed to remove them (or block them) once the install is done and before you turn the forum live.

Yep, pretty sure that's part of the installation instructions. Not exactly a product vulnerability, more like a couple lazy admins didn't close the door when they finished moving in.

Re:Short form: (1)

VortexCortex (1117377) | 1 year,13 days | (#45082685)

What's odd is that those directories shouldn't be public in the first place. You're supposed to remove them (or block them) once the install is done and before you turn the forum live.

So, what you're saying is: While you're doing the install the server is hosting PHP, and the admin pages make the board vulnerable, so you should limit it to your IP address at least -- And you have to do this outside of the software; there's no Install_IP = [your IP] config to set prior to uploading this executable code.

Additionally, when the setup is done it doesn't just delete those damn files? Think about it. You JUST installed the software. Deleting those files has no downside. If you need to re-install, you can! You must already have the ability to start from scratch.

I wonder if the v stands for vulnerable? If they're this lax about THE PRIMARY exploit vector of initial credential creation, you can just imagine how they are on all other aspects. Of course I blame PHP -- That language itself breeds security vulnerabilities. Hell, PHP has exploits in itself. C/C++ will let you shoot yourself in the foot if you're not careful, and create vulns, but at least it doesn't come with a giant pool of exploits built in.

I'm tired of digging around in the guts of these insecure and inefficient PHP based abominations to apply security patches atop dipshit mistakes, or break the whole system on upgrade because I've applied a different "skin" (since they don't actually use a proper templating system, and treat PHP as if it is one). I don't use vBulletin currently, but it was on my radar. I've been thinking of migrating to a different Forum (read: BBS), but I've been rather disappointed with the current CMS/Forum offerings.

The biggest issue is with general purpose software like this is that when you design software with everyone in mind, you've designed it for no one in particular.

I almost think I should just go old school and write one myself in C. I did that in Perl once forever-ago, but didn't have time to keep its features up to date with other offerings (it's not hard, just time consuming). Now I know exactly what I want in a forum, and nothing available gives it to me. The features overlap with a project I'm working on, so it may be time to scratch my own itch yet again.

In other words: Don't pay for crap software if you care about security... If you want something done right, you have to do it yourself. The economy is down, employ a few coders for FFS.

Re:Short form: (1)

F.Ultra (1673484) | 1 year,13 days | (#45084633)

Strange that the installer script doesn't refuse to run if it detects that it's already installed? That should solve the problem even for stupid admins.

Re:Short form: (0)

Anonymous Coward | 1 year,13 days | (#45085479)

Doesn't the install process tell you to delete directories like that already? (I have no idea but I've seen it in other similar installs). I suppose that's not something most people even realize they're supposed to do if not told to do it.

CMS? (3, Informative)

Anonymous Coward | 1 year,13 days | (#45081055)

Did vBulletin change or something? I thought vBulletin was forum software, this states CMS. Or is CMS the preferred buzzword du jour?

Either way, this will mean more spam on lots of forums and more identity theft for those that use the same password for forums and bank accounts. Yawn.

Re:CMS? (4, Funny)

liamevo (1358257) | 1 year,13 days | (#45081233)

When vbulletin was bought it was turned into a bloated piece of crap. It's only gotten worse since.

Re:CMS? (0)

Anonymous Coward | 1 year,13 days | (#45081935)

I always thought it was funny that the worst bloated forum software is also known as just 'VB'.

They should port VBulletin to Visual Basic

Re:CMS? (2)

tlhIngan (30335) | 1 year,13 days | (#45082217)

Did vBulletin change or something? I thought vBulletin was forum software, this states CMS. Or is CMS the preferred buzzword du jour?

Either way, this will mean more spam on lots of forums and more identity theft for those that use the same password for forums and bank accounts. Yawn.

No, CMS is not the preferred term for forum software. However, a lot of forum software and CMS systems are becoming highly integrated because they do a lot of overlapping things.

E.g., the front page may consist of news articles, but an integrated CMS-forum would let it be that it's a forum post in a specific forum, or it becomes one when written outside the forum. So the front page of a lot of sites is really driven by a post in the backend forums, and when you click on the comment link, it either links you direct to the forums, or a simplified forum view based on existing forum content.

Stuff like files and downloads can also be linked to internal forums (or generally more annoying), to forum posts themselves so they auto-update when the post gets updated.

Add in other features like a wiki and direct editing and updating based on forum posts and you end up with a relatively comprehensive CMS system that started as a forum application.

There are many sites which would basically be a forum - they offer little to no content of their own, but have, due to time or other factors, become de facto sites for discussing various topics. Upgrading the site to later versions of the forum software often adds CMS features enabling one to "blog" based on existing forum activity.

One could see how a regular blog (like say, /.) could really be seen as a lamer version of forum software.

Re:CMS? (3, Informative)

trogdor8667 (817114) | 1 year,13 days | (#45085639)

vBulletin added a CMS and blog component in a previous major rewrite.

I got hit by this... (0)

Anonymous Coward | 1 year,13 days | (#45081067)

On my small forum. They replaced the front page of the forum with some sort of Syrian propaganda. They could have done a lot worse. Took a little bit to figure out, but deleting the install directory is a good idea anyway.

Re:I got hit by this... (3, Insightful)

NatasRevol (731260) | 1 year,13 days | (#45081371)

Deleting the install directory is a good idea for the install scripts to do.

Re:I got hit by this... (1)

denmarkw00t (892627) | 1 year,13 days | (#45081939)

Maybe, but what if something screws up? What if you want to test an installation setup and then try again? I don't know, you can't explain away incompetence of "admins," but you can argue some I guess. Most software developers would disagree with the notion of deleting the installer once install is complete - that's usually up to the user. You don't "make install" and the source code is gone, you don't install VLC and lose the DMG that it came on, you don't unzip and install forum software and then have no easy way to reinstall or fix a botched configuration.

Re:I got hit by this... (2)

NatasRevol (731260) | 1 year,13 days | (#45081971)

So make a check box that the admin can 'remove installer files'.

This is relatively common for this type of software.

If you're going to warn the admins to remove the files, give them an automated way to do so.

Re:I got hit by this... (1)

master_kaos (1027308) | 1 year,13 days | (#45083139)

And then you have the same problem you have now: they aren't going to check the "remove installer files" checkbox, and probably will even uncheck it if it was defaulted to checked.

if ($config['basedir']) screwoff(); (1)

raymorris (2726007) | 1 year,13 days | (#45084447)

Our setup related scripts refuse to run if the software is already configured. Something like:

if ($config['basedir']) screwoff();

That's in case someone forgets to delete them.

Re:I got hit by this... (0)

Anonymous Coward | 1 year,13 days | (#45082409)

And what software... Anywhere these days... Does the installer OR uninstaller clean the fuck up after itself?

Yeah... None of them.
Sloppy is the new standard.

CMS??? (-1, Troll)

Impy the Impiuos Imp (442658) | 1 year,13 days | (#45081143)

Centers for Medicare & Medicaid Services [cms.gov]

It's shut down right now, fools. That's why it isn't working right!

Re:CMS??? (1)

filthpickle (1199927) | 1 year,13 days | (#45081517)

Thought the exact same thing.

There are 2 of us....this is troubling.

Lazy admins? (3, Insightful)

Anonymous Coward | 1 year,13 days | (#45081165)

When vBulletin itself suggests to remove all install directories after installing vBulletin, I'd put it down to lazy admins who can't be effed removing the said directories when advised to in the first place. Hence the "Be sure to delete the install directories, they are a security risk" disclaimer.

Re:Lazy admins? (2, Insightful)

Anonymous Coward | 1 year,13 days | (#45081819)

...because having a default install configuration which allows total compromise of the site isn't incredibly irresponsible.

Re:Lazy admins? (0)

Anonymous Coward | 1 year,13 days | (#45082977)

Problem is however that vBulletin's advised way of running it is to have the folders removed. People operating it outside of the advised settings shouldn't be surprised when something goes wrong. The install scripts do important things like writing to the database, copying SQL information, performing first use operations. Who in their right mind would leave those sorts of scripts available even though the job has been done?

idiots exist, therefore idiot proof it. holding it (1)

raymorris (2726007) | 1 year,13 days | (#45084495)

People at work are always saying "the user is doing it wrong". They say that all the time because users do it wrong all the time. A guy named Murphy made it a law - if there's a wrong way to do it, someone will do it wrong. (That's the actual original Murphy's law.)

I'm constantly pointing out that yes, we KNOW that the users will do it wrong if we let them. We also know how to easily prevent those mistakes. Idiots exist, so idiot proof your software.

Re:Lazy admins? (1)

wiredlogic (135348) | 1 year,13 days | (#45082351)

How about lazy developers who can't be bothered to write code that checks and warns about improperly secured installations. Drupal does this. There's no reason a "CMS" like vBulletin can't either.

Re:Lazy admins? (0)

Anonymous Coward | 1 year,13 days | (#45083033)

When I used to run vBulletin back in the 3.X.X days, I was aware of a notice in the AdminCP saying "The /install directory is still present. Please remove it".

Invision Power Board was notorious for just leaving the directory there but placing an "install.lock" file to tell the install scripts to "die" when it was found.

Don't know why VB doesn't do it, but I'm pretty sure they'd want to start advising people now that these sorts of hacks are coming back into common play.

Re:Lazy admins? (1)

master_kaos (1027308) | 1 year,13 days | (#45083163)

Yup, zencart does this too: puts a huge big ugly red banner at the top of the site telling you about any misconfigured settings, or keeping the install directory. They say at the very minimum change the directory name, or put it in a non web accessible location.
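An installer guard that combines the approaches discussed in this thread (the $config['basedir'] check from raymorris's post, the install.lock file IPB used, and the admin-panel warning that vBulletin 3, Drupal and Zen Cart show), written here as an added example rather than code from vBulletin or any of those projects. It assumes a hypothetical layout: the installer lives in install/ under the application root, config.php in that root sets $config['basedir'] once the site is configured, and the lock file is install/install.lock.

```php
<?php
// Added example (not vBulletin, IPB, Drupal or Zen Cart code): a guard for
// the first file the web installer executes. Hypothetical layout: this file
// is install/index.php, the application root is one level up, and config.php
// there sets $config['basedir'] once the site is configured.
declare(strict_types=1);

/**
 * Return null if the installer may run, otherwise the reason it must not.
 * Both checks fail closed: a leftover installer cannot reconfigure a live
 * site, which is the hole the story describes.
 */
function installer_refusal_reason(string $appRoot): ?string
{
    // 1. Explicit lock written at the end of a successful install (IPB approach).
    if (file_exists($appRoot . '/install/install.lock')) {
        return 'install.lock is present; installation already completed';
    }

    // 2. A configured site ($config['basedir'] approach). The admin has to
    //    move config.php aside from a shell before the installer runs again.
    $configFile = $appRoot . '/config.php';
    if (is_file($configFile)) {
        $config = [];
        include $configFile;          // config.php is expected to fill $config
        if (!empty($config['basedir'])) {
            return 'config.php already sets basedir; refusing to reconfigure a live site';
        }
    }
    return null;
}

/** Create the lock file so every later request to the installer is refused. */
function write_install_lock(string $appRoot): bool
{
    $lock = $appRoot . '/install/install.lock';
    return file_put_contents($lock, gmdate('c') . "\n", LOCK_EX) !== false;
}

/**
 * Warning for the admin panel, in the spirit of the vBulletin 3 / Zen Cart
 * banners: null when the installer directory is gone, a message otherwise.
 */
function leftover_installer_warning(string $appRoot): ?string
{
    return is_dir($appRoot . '/install')
        ? 'The /install directory is still present. Remove it or block access to it.'
        : null;
}

// Entry point: runs before any installer logic, on every request.
$appRoot = dirname(__DIR__);
$reason  = installer_refusal_reason($appRoot);
if ($reason !== null) {
    http_response_code(403);
    header('Content-Type: text/plain');
    exit("Installer disabled: $reason.\n");
}
// ... installation steps go here; on success call write_install_lock($appRoot).
```

The guard belongs at the top of every installer entry point, not just index.php, since the story's attack reached the configuration mechanism directly.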

Re:Lazy admins? (0)

Anonymous Coward | 1 year,13 days | (#45084941)

I'd put it down to lazy admins who can't be effed removing the said directories

What does the Electronic Frontier Foundation have to do with it?

Old news (4, Insightful)

Reez (65123) | 1 year,13 days | (#45081217)

This is old news (2013-08-27) even by Slashdot's standards. Forums that were vulnerable have been probably all hacked (then fixed) already ;)

Re:Old news (0)

Anonymous Coward | 1 year,13 days | (#45082159)

You wish! A well crafted google search can still find more than a handful of sites coming up that would seem to have the vulnerability exposed. Most of them look like crap to begin with, so I'm not sure how you'd know if they were already hacked.

Can't be too common (0)

Anonymous Coward | 1 year,13 days | (#45081257)

As someone who works as a sysadmin for a hosting company, I can't say I've seen any more than one of these sites - and I'm not even sure I'm remembering vBulletin, it could have been something else obscure.

Not again (0)

Anonymous Coward | 1 year,13 days | (#45081385)

It's the 2000's all over again.

How nice of vBulletin for the list of targets (0)

Anonymous Coward | 1 year,13 days | (#45081453)

http://www.vbulletin.org/forum/showthread.php?t=253527

And this is why (0)

Anonymous Coward | 1 year,13 days | (#45082585)

This is why people should use Invision - http://www.invisionpower.com/apps/board/ [invisionpower.com] instead of vbulletin. As far as I can recall over the last few years when security exploits were discovered in Invision they at least were forthcoming and explained what the issue was and how it was to be fixed etc instead of just hiding it.

Re:And this is why (0)

Anonymous Coward | 1 year,13 days | (#45085439)

What? I've seen iPBs disappear in a flash. I used to run one in 2003, latest, and while in the panel I saw a member register, hoping my board finally got attention, only to see the whole thing disappear.

Re:And this is why (0)

Anonymous Coward | 1 year,6 days | (#45145625)

What? I've seen iPBs disappear in a flash. I used to run one in 2003, latest, and while in the panel I saw a member register, hoping my board finally got attention, only to see the whole thing disappear.

Sounds like maybe you were using Invisionfree or something. I ran several IPB boards from 2003-2006 and I never had one crash like that just because a member registered.
