
35,000 vBulletin Sites Have Already Been Exploited By Week Old Hole

Unknown Lamer posted about 6 months ago | from the delete-stale-files dept.


realized writes "Last week Slashdot covered a new vBulletin exploit. Apparently hackers have been busy since then because according to security firm Imperva, more than 35,000 sites were recently hacked via this vulnerability. The sad part about this is that it could have all been avoided if the administrator of the websites just removed the /install and/or /core/install folders – something that you would think the installer should do on its own." Web applications that have write access to directories they then load code from have always seemed a bit iffy to me (wp-content anyone?)

91 comments

That's what you get for using vBulletin (-1, Offtopic)

Anonymous Coward | about 6 months ago | (#45143175)

Learn some languages and build your own forum. It's not hard and all the skills you'll acquire will look great on a resume.

Re:That's what you get for using vBulletin (5, Insightful)

smash (1351) | about 6 months ago | (#45143251)

Not hard to do if you don't care about security, you mean.

Re:That's what you get for using vBulletin (-1)

Anonymous Coward | about 6 months ago | (#45143387)

Since a self-written forum likely will have far less features, it will be far easier to make secure.

Provided you know what you're doing, of course.

Re:That's what you get for using vBulletin (0)

Anonymous Coward | about 6 months ago | (#45143741)

Since a self-written forum likely will have far less features, it will be far easier to make secure.

Provided you know what you're doing, of course.

Coughs, Unbelievably Not Thorough.

Re:That's what you get for using vBulletin (1)

jones_supa (887896) | about 6 months ago | (#45143869)

Since a self-written forum likely will have far less features, it will be far easier to make secure.

Also, it is not directly vulnerable to specific exploits crafted against well-known bulletin board software.

Re:That's what you get for using vBulletin (2)

smash (1351) | about 6 months ago | (#45144317)

Probably not, but more likely vulnerable to schoolboy errors, unless the developer has already had experience in writing an internet exposed project of significant size.

Re:That's what you get for using vBulletin (2)

smash (1351) | about 6 months ago | (#45144283)

The "provided you know what you're doing" part is the bit that is surprisingly difficult to get right for non-trivial software.

It requires a fairly large investment in time and energy to know what you are doing. If you think it's "easy" you probably don't.

Re:That's what you get for using vBulletin (-1)

Anonymous Coward | about 6 months ago | (#45146369)

Are you suggesting forum software isn't trivial? This isn't some orchestration software suite or printer firmware, it's a damned place to post shitty comments.

(in b4 snarky "like this one")

Re:That's what you get for using vBulletin (1)

Kalriath (849904) | about 6 months ago | (#45147977)

Actually? Most of them actually more closely resemble orchestration software suites or application server middleware.

Re:That's what you get for using vBulletin (1)

smash (1351) | about 6 months ago | (#45150681)

Yes, I am suggesting it is not trivial, or there would be a high quality, full-featured, secure open source version available that had a stellar security record. Unless you can point me to such a project? No? Thought not.

Re:That's what you get for using vBulletin (5, Insightful)

Shoten (260439) | about 6 months ago | (#45143253)

Learn some languages and build your own forum. It's not hard and all the skills you'll acquire will look great on a resume.

Right...because everyone who could ever want to use a forum is a web developer, right? And, of course, every one-off forum app will be TOTALLY free from vulnerabilities, of course. Oh, and let's not forget that there's no benefit whatsoever to different forums being somewhat similar in terms of user interaction...so let's just throw that out the door as well.

Seriously?

Re:That's what you get for using vBulletin (4, Insightful)

Krojack (575051) | about 6 months ago | (#45143321)

Plus writing your own message board from scratch isn't an easy task. There is a LOT within these systems. I've been coding in PHP for about 8 years and even I don't want to take on this task.

Re:That's what you get for using vBulletin (0, Redundant)

Anonymous Coward | about 6 months ago | (#45143773)

even I don't want to take on this task.

And neither should you, if you're the kind of person who admits to "coding in PHP".

Re:That's what you get for using vBulletin (-1)

Anonymous Coward | about 6 months ago | (#45144303)

Smugness apart (yours), yes, it's possible to code in PHP. Without quotes even. Just because a language is bad (or your perception of it) doesn't mean you can't code in it.

Re:That's what you get for using vBulletin (0)

Anonymous Coward | about 6 months ago | (#45144805)

It was a direct quote.

Re:That's what you get for using vBulletin (3, Informative)

TheSpoom (715771) | about 6 months ago | (#45145045)

My entire day job is coding in PHP (and Javascript, and MySQL, and Mongo, and Node, and...). Seems to work well for my company, as well as the dozens of others with whom I've worked.

But keep using whatever's hot right now, it won't affect me one iota.

Re:That's what you get for using vBulletin (1)

smash (1351) | about 6 months ago | (#45144353)

Well yeah, as with any web app, you can't "just learn php and write your own forum!".

You'll need to learn css, html, php, sql, javascript and how to properly secure against stuff like SQL injection and cross site scripting. Php (or perl) is just a tiny part of a project like this.

Re:That's what you get for using vBulletin (1)

Anonymous Coward | about 6 months ago | (#45145837)

You have coded in PHP for 8 years?

Dear god, you poor bastard.

Re:That's what you get for using vBulletin (0)

Anonymous Coward | about 6 months ago | (#45147851)

That's the point. But it's like Linux leaving /tmp open and not using per-user tmp (/home/xx/tmp) folders when the server gets hit. Unless it reboots, anyone can write anything, ANY size, to /tmp.

Delete the install/setup script when done. It's common sense.

Re:That's what you get for using vBulletin (1)

bill_mcgonigle (4333) | about 6 months ago | (#45143357)

GP is a fool. But do contribute to Vanilla [vanillaforums.org] or similar open source projects.

Re:That's what you get for using vBulletin (0)

Anonymous Coward | about 6 months ago | (#45143485)

GP is a fool. But do contribute to Vanilla [vanillaforums.org] or similar open source projects.

He might be a fool for thinking it's easy to put together a secure, stable, bug-free forum, but he's certainly not a fool for thinking that such an attempt looks good on a resume to a bunch of HR drones...

Re:That's what you get for using vBulletin (1)

wmac1 (2478314) | about 6 months ago | (#45149099)

It is proprietary software with open source. It means you will pay at least $599/year and the source is open to hackers for them to find bugs and exploit.

Could you tell us why in the hell I should contribute to such a thing?

Re:That's what you get for using vBulletin (2)

TheSpoom (715771) | about 6 months ago | (#45143461)

I've created my own forum software in the past. GP is vastly understating the complexity of modern forum software. That said, I encourage actual web developers to try it as an exercise.

Also, I think GP isn't differentiating between "secure" on the surface when you look at code that you've written, and "secure" against multiple thousands of potential adversaries when a product is used everywhere. They will think of things that you haven't. That's why you get code audited.

Re:That's what you get for using vBulletin (1)

amicusNYCL (1538833) | about 6 months ago | (#45145375)

A forum is a great learning exercise for people. I answer a lot of PHP and Javascript questions on the w3schools forum, and having a beginner design and develop a forum gives them exposure to a lot of skills (user authentication and management, form processing, file uploading, database design and API integration, ajax if they want to add it, etc). Something like a forum or photo gallery is a great beginner project to expose them to the majority of web programming skills that they'll use most often in a job.

But security is a completely separate topic. The OWASP site shows the breadth of application security as a topic. People often ask questions about what they need to do to make their site secure from hackers, and they ask about a function like mysqli::escape_string and think that that's all they need to know about security. It can be difficult to drill it into their head that security is an integral part about designing an application. Good programmers can make really obscure and really dangerous design decisions that could have a major impact on security, and unless you keep yourself aware of the breadth of vulnerabilities that you need to protect yourself from then it's certainly no surprise that exploits get found in major professional products from time to time. You don't need to be a poor programmer to make a design decision that has a very negative, if subtle, impact on security.

Re:That's what you get for using vBulletin (0)

Anonymous Coward | about 6 months ago | (#45145573)

w3schools?

Why?

Re:That's what you get for using vBulletin (1)

RockDoctor (15477) | about 6 months ago | (#45177701)

Learn some languages and build your own forum. It's not hard and all the skills you'll acquire will look great on a resume.

How would having that on my resume help me to get work on oil wells?

Week old by Slashdot time (4, Funny)

Anonymous Coward | about 6 months ago | (#45143219)

Months old by the rest of the internet...

Good (-1)

Anonymous Coward | about 6 months ago | (#45143239)

I love a parade. And slashdot, it's week-old hole. Or is that (wife's) weak, old hole?

Re:Good (1)

Anonymous Coward | about 6 months ago | (#45144459)

it's more than a month old actually.

http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
August 13th.

Well (1)

Anonymous Coward | about 6 months ago | (#45143279)

How many abandoned forums overran by spambots are there out there? Quite a lot I reckon, this isn't surprising at all.

Re:Well (1)

Anonymous Coward | about 6 months ago | (#45143455)

Not many vBulletin ones I'd wager, since it's paid software. Plenty of phpBB ones and the like, though.

Right-o (3, Interesting)

Anonymous Coward | about 6 months ago | (#45143289)

I just switched from using conventional passwords to 20+ character random strings and manage them with KeePassX. It took 3+ hours to go through all my 50+ different somewhat important accounts, but no way I'm using same passwords on different sites anymore.

There have already been 5 serious leaks in services I use, including Adobe and my dedicated server provider.

Re:Right-o (4, Interesting)

firex726 (1188453) | about 6 months ago | (#45143361)

Yea, it seems like I am getting an email monthly from one site or another I use telling me they were compromised and to change my passwords.

Re:Right-o (1)

Just Some Guy (3352) | about 6 months ago | (#45146935)

Yea, it seems like I am getting an email monthly from one site or another I use telling me they were compromised and to change my passwords.

...usually phrased like "Hi 'YOUR_USERNAME'. Your password, 'FOOLMETWICE', might have been compromised. Click here to change it.".

The password manager I use has a "security audit" tab that lists sites using the same password, and passwords that I haven't changed in more than a few months, a year, or several years. I fixed all the dupes by giving them each unique passwords, and I have a monthly reminder to myself to update all the old ones.

Re:Right-o (4, Interesting)

Archangel Michael (180766) | about 6 months ago | (#45143443)

Personally, I start with the premise that the sites are already insecure. From there, I only provide information needed. I also create a unique email address for each site, so that if they are compromised, only my account on that site is compromised and nothing else is at risk. My private email address remains only for personal communication.

To compromise my life would require the NSA, and I already figure that has happened, but that I am not interesting enough to act on it .... yet.

Re:Right-o (1)

Just Some Guy (3352) | about 6 months ago | (#45146947)

I don't sweat that so much. My personal email is right there above this message, after all. Good luck guessing my random as-strong-as-allowed password on any given site, though.

Re:Right-o (0)

Anonymous Coward | about 6 months ago | (#45144427)

Nah, you just need a different password for every site. What's the use of "password keeper" software when that narrows the attack surface to just your PC?

Re:Right-o (1)

smash (1351) | about 6 months ago | (#45144509)

They still need to break the password DB encryption. It's a trade-off. What is your alternative to keeping a unique password for every site? Paper? An unencrypted plaintext file?

Re:Right-o (1)

Stalks (802193) | about 6 months ago | (#45144947)

SHA256(passphrase,domain) = password

Re:Right-o (1)

Jakeula (1427201) | about 6 months ago | (#45145937)

This is exactly correct. I use SHA256(passphrase,domain) on every site. It is easy to recover my passwords where ever I am and all I have to remember is the passphrase and then look at the domain. I used to just type in a random password and use password resets every time I wanted to log in, that seemed to work pretty well and is about as fast as generating my SHA256 password.

Re:Right-o (0)

Anonymous Coward | about 6 months ago | (#45147511)

The point *was* to use a different random password for every site *and* manage them with a password manager that stores them in a secure encrypted database.

If anyone had access to your computer and was able to gain root privileges, you're pretty much fucked no matter how you handle your passwords. But that's a different story and is far more unlikely than someone gaining access to leaked hash tables and bruteforcing passwords.

Re:Right-o (1)

krovisser (1056294) | about 6 months ago | (#45144455)

I did this too. It's nice not having to remember passwords anymore. I just keep my database and key backed up, and have a lot less "what was this password again" troubles.

A bit iffy??? (5, Insightful)

NoNonAlphaCharsHere (2201864) | about 6 months ago | (#45143359)

Web applications that have write access to directories they then load code from have always seemed a bit iffy to me

You misspelled "batshit-insane".

Re:A bit iffy??? (2)

buchner.johannes (1139593) | about 6 months ago | (#45143665)

Web applications that have write access to directories they then load code from have always seemed a bit iffy to me

You misspelled "batshit-insane".

By itself, that's not batshit-insane. Any web app that supports a user-friendly installation of plugins has to do that (Wordpress, Joomla!, ... ). If it only fetches plugins from its own, managed repository, it can be secure.

But please, suggest a user-friendly alternative.

Re:A bit iffy??? (0)

Anonymous Coward | about 6 months ago | (#45143797)

The problem isn't plugins. The problem is that any minor vulnerability in the scripts turns into a code execution vulnerability. If you can't execute things which you can write to, then you can only run code if you can inject it (via a developer making stupid use of eval-like functions).

Basically, it's a really easy way to make every single bug in your program just that much worse.

Re:A bit iffy??? (1)

Dracos (107777) | about 6 months ago | (#45143859)

Yes, it very much is batshit-insane. To allow such a thing is to put an inordinate amount of trust in your web application and your http server, both of which should be considered insecure no matter how secure you think they are. WP goes one step further and allows its plugins to be edited from the admin interface, which is batshit-donkeyfuck-insane.

There is always a trade off between security and user friendliness... these anti-features cross the line so far that they've disappeared beyond the horizon.

Re:A bit iffy??? (1)

amicusNYCL (1538833) | about 6 months ago | (#45145463)

What would be the alternative though? Is it possible to have the same functionality in a secure way? If my application needs to write to certain directories, and that is not an option or else the application would be useless, then how can those directories be protected? Any CMS that needs to upload images, for example, would be affected by that, right? It can be fairly trivial to protect in that case (put the upload directory outside of the web root and just return the file data), but what about an application where users need to upload arbitrary web-accessible content, which may contain PHP files? Other than trusting that your users aren't going to just upload a malicious PHP script through the interface (and they would have no reason to do so), what can be done in that situation?

Re:A bit iffy??? (1)

amicusNYCL (1538833) | about 6 months ago | (#45145481)

I should clarify in case this is the first response:

we already route all requests for files in the upload directory to a PHP script via htaccess to authenticate users before they can access the file, and there is also an option in the application whether or not to allow PHP execution in that directory (if disabled, it returns the file contents instead of including and executing the file).

Is that all that is necessary?

Re:A bit iffy??? (2)

Dracos (107777) | about 6 months ago | (#45147083)

Uploading images or other files that will not be executed by the CMS is not the issue here. The ability to upload modules and plugins is a much greater risk. Being able to delete those things (as granted by write permission) can render the entire CMS inoperable. The further insanity of allowing code to be editable within the CMS is even more dangerous, as that can introduce simple breakage via a syntax error and be a good place for malicious code to hide, easily placed there by a compromised CMS account.

Re:A bit iffy??? (1)

drinkypoo (153816) | about 6 months ago | (#45148609)

What would be the alternative though? Is it possible to have the same functionality in a secure way?

You'd have a separate site for maintenance. This does sort of mandate some duplication of effort. Right now if you want to update your CMS core you have to do this through a shell, file manager, or ftp in most cases as it is. It's not a big stretch to have an admin site with its own codebase sufficient for performing updates. Content management etc would continue to be performed through the CMS as normal. You might or might not want to use the same auth tables.

Re:A bit iffy??? (4, Interesting)

Bigbutt (65939) | about 6 months ago | (#45143815)

First thing I did with my Wordpress site was check the 'net for suggestions on how to secure the site. I've blocked off the admin access areas through the httpd.conf file restricting it to my work and home IPs. I occasionally have to update the IP when my home dhcp address changes but it works fine for what I'm doing.

[John]

Re:A bit iffy??? (1)

Jason Levine (196982) | about 6 months ago | (#45149163)

I've found quite a few plugins to help secure WordPress. One of the ones I really like is Apocalypse Meow [wordpress.org]. This locks people out from even trying to log into your site after X attempts. (You define what X is but it defaults to 5.) If they go over the attempts, they get banned from trying to log in for a day (or however long you define). It also removes the WordPress version information from your site's HTML code which has no purpose except to tell hackers "try these methods to get into my website". It can stop direct execution of PHP scripts from inside wp-content and more.

Having it on my site for awhile, I've found that hackers predominantly try one of three usernames. The first, of course, is "admin", the default WordPress administrator username. If you have your admin account named "admin", rename it at once. Even if you do nothing else, you've increased your security a ton. The next account they try is the name of the site. If you run "example.com", they'll try the username "example". If you run "SomeOtherSite.com", they'll use "SomeOtherSite". The last one they'll use is "administrator" (an obvious choice people might change "admin" to).

Re:A bit iffy??? (0)

Anonymous Coward | about 6 months ago | (#45156477)

If it's just admin access, you could just as well limit that to localhost and use ssh port forwarding to gain access for the few occasions that you really need it.

Oh dear (0)

Anonymous Coward | about 6 months ago | (#45149237)

I thought you had this sorted.

Why Only Now? (4, Interesting)

terrab0t (559047) | about 6 months ago | (#45143407)

If you watch your server access logs, you will regularly see bots checking for common install URLs of popular website software. I'm blown away that vBulletin's hasn't been targeted for years.
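The log check the comment describes, as an added example (not the poster's own tooling): a POSIX sh/awk function that summarises requests to installer paths per client IP from combined-format access log lines, and counts how many of those probes were answered with a 2xx, since a 2xx means the installer actually responded and is still reachable. The log lines are constructed for this example and use documentation address ranges.

```shell
#!/bin/sh
# install_probe_report LOGFILE: summarise installer-path probes in a combined-format
# (Apache/nginx) access log, one line per client IP: "IP hits served".
# "served" counts probes that got a 2xx response; non-zero means the installer
# directory is still being served and must be removed.
install_probe_report() {
    awk '
        # $7 is the request path, $9 the status code in combined log format.
        # Match /install or /core/install as a path segment at any depth, so
        # /forum/install/ counts but /installation-guide.html does not.
        $7 ~ /(^|\/)(core\/)?install(\/|$)/ {
            hits[$1]++
            if ($9 ~ /^2/) served[$1]++
        }
        END {
            for (ip in hits) printf "%s %d %d\n", ip, hits[ip], served[ip] + 0
        }' "$1" | sort -k2,2nr
}

# write_sample_log FILE: constructed sample lines (not a real log) for a stand-alone run.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [18/Oct/2013:02:14:07 +0000] "GET /install/index.php HTTP/1.1" 404 208 "-" "Mozilla/5.0"
192.0.2.44 - - [18/Oct/2013:02:14:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Oct/2013:02:14:11 +0000] "GET /core/install/upgrade.php HTTP/1.1" 404 208 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Oct/2013:02:15:30 +0000] "GET /forum/install/upgrade.php HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
192.0.2.44 - - [18/Oct/2013:02:16:02 +0000] "GET /installation-guide.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
}

# Stand-alone run over the constructed sample; on a real server pass the access log path.
sample_log=$(mktemp)
write_sample_log "$sample_log"
install_probe_report "$sample_log"
rm -f "$sample_log"
```

On the sample, 203.0.113.5 shows two probes that were refused, while 198.51.100.9 got a 200 from /forum/install/, which is the line an admin should act on.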

Re:Why Only Now? (4, Interesting)

moteyalpha (1228680) | about 6 months ago | (#45144103)

If you watch your server access logs, you will regularly see bots checking for common install URLs of popular website software. I'm blown away that vBulletin's hasn't been targeted for years.

You are absolutely right. I was shocked at how quickly the knocking began. Within a day of registering a new address it already had obvious attempts to find a hole. The logs also show many other things that would worry people IF they knew it was happening. Very few people have the experience and skills to deal with it. It seems obvious that the intruder has the advantage. In a system with more than 2 to the 64th directions to guard against, the attacker has the advantage of surprise.
Analogy: Open field, everybody has a gun, some have food, others want it.
It could be that the only way to win is not to play at all. The problem is that the game has already started and this is no longer a choice. There is a dominant strategy. It is a conflict of interests. It is thus "Bellum Omnium contra omnes". No way to tell how it will end, but everybody has a "shot". ;)

Re:Why Only Now? (1)

Cramer (69040) | about 6 months ago | (#45146415)

I'm blown away that vBulletin's hasn't been targeted for years.

IT HAS! This bullshit comes up every few years. All because people are too stupid and lazy to follow the instructions and remove the f'ing installer when done.

PHPhhhtt! (0)

Anonymous Coward | about 6 months ago | (#45143943)

Web applications that have write access to directories they then load code from have always seemed a bit iffy to me (wp-content anyone?)

It seems to be a common problem with PHP apps in general. They also seem to have problems with SSL proxying.

I don't serve PHP-based apps, no matter how pretty or useful, unless they are guaranteed to never be used externally.

Re:PHPhhhtt! (0)

Anonymous Coward | about 6 months ago | (#45145697)

It seems to be a common problem with PHP apps in general.

Part PHP's mix-code-and-html design, part shitty developers and users who can't be bothered to install code inside DocumentRoot and data outside DocumentRoot.

They also seem to have problems with SSL proxying.

I've never heard of such a problem. Googling, all I see are people who set up applications to redirect users to SSL and then get surprised when it tries to redirect incoming HTTP requests to the SSL site because the application sees a non-SSL request.

Story Doesn't Say (0)

Anonymous Coward | about 6 months ago | (#45144213)

What's the point of the hack? Great, you created an admin account on a vBulletin site, now what are you gonna do? Will you post spam, delete other people's posts, post propaganda? The story doesn't say what they are or intend to do with the compromised sites.

Does vBulletin store unsalted passwords?

Re:Story Doesn't Say (2)

smash (1351) | about 6 months ago | (#45144465)

Download the usernames, email addresses and password hashes, duh! Salted passwords or unsalted, even a list of email addresses is worth something. Most of them ask for your date of birth as well. DOB, plus email address plus password hash and you're well on your way to identity theft.

Re:Story Doesn't Say (1)

Anonymous Coward | about 6 months ago | (#45144773)

Easy, send fake messages from the admin saying that users need to reset passwords and send them to some attack site, harvest that and you might get a password they use for the email address, break into that etc etc etc.

Re:Story Doesn't Say (0)

Anonymous Coward | about 6 months ago | (#45145173)

You install your own PHP code on the server to do what you want.

Re:Story Doesn't Say (1)

Cramer (69040) | about 6 months ago | (#45146477)

As others point out... swipe the email addresses of all the users (99% useless, but people still do it), swipe the encrypted passwords (you'll have some success recovering some of them), swipe the "remember me" login cookie -- which automatically logs you in. But that's all script-kiddie piss.

The pros are there to install malware into your site and/or redirect (read: out right, steal) your ad revenue. Some of them are very clever and redirect search engine hits, and search result clicks. (and they hide in parts of the database you cannot normally see)

vB's fault (0)

Anonymous Coward | about 6 months ago | (#45144399)

Blame this on vB taking forever to come out with a patch once they knew about it. The actual software tells you when there is an update - AND - tells you to remove the /install/ now.

Re:vB's fault (0)

Anonymous Coward | about 6 months ago | (#45145505)

The instructions told you to remove /install/ before, but instructions are for little girls so nobody bothered to read them.

Hopefully a simple question (0)

Anonymous Coward | about 6 months ago | (#45145153)

Why do database driven sites(forums) need to be able to write to the file system?
Why can't entire web sites like these be flagged read only to the file system?
Wouldn't that prevent 99.99% of these attacks?

Re:Hopefully a simple question (1)

ogar572 (531320) | about 6 months ago | (#45145261)

Because of the promise of: 1. point-and-click install of everything, 2. renders fast (because of caching), 3. thousands of plugins, 4. don't need a programmer to use it.

Re:Hopefully a simple question (0)

Anonymous Coward | about 6 months ago | (#45145359)

I agree. We keep our databases completely in-memory and backup to redundant DIMMs.

Re:Hopefully a simple question (1)

Cramer (69040) | about 6 months ago | (#45146559)

For starters you don't want every damned thing to be in the database. SQL (mysql esp) is HORRIBLE at storing *files*... which means images, and various random attachments (pdf, exe, zip, etc., etc., etc.) Also, the more you have in the database, the harder it is to find (and fix) whatever the hell hackers tweak.

Their very nature means they have to be able to write a lot of stuff. It doesn't matter where you put it, it's still writable, and hackers will be able to alter it. The forum software itself is not a static blob; there are plugins, and templates, and tweaks, and customizations, and thousands of configuration knobs -- and it all has to be writable, at least during installation and setup. Locking it down, just like deleting the f'ing installer, is something thousands of people can't be bothered to do.

Re:Hopefully a simple question (1)

BrentNewland (2832905) | about 6 months ago | (#45148199)

If the software is properly written, it will take care of the permissions. It's trivial to make a PHP script that checks the permissions on each folder and file in the program, and change them if they aren't right. You can even have the script fall back to FTP if PHP doesn't have permission to change permissions.

And this is why (0)

Anonymous Coward | about 6 months ago | (#45145669)

This is why people should use Invision - http://www.invisionpower.com/apps/board/ [invisionpower.com] instead of vbulletin. As far as I can recall over the last few years when security exploits were discovered in Invision they at least were forthcoming and explained what the issue was and how it was to be fixed etc instead of just hiding it.

Slashdot (0)

Anonymous Coward | about 6 months ago | (#45145809)

It's a good thing Slashdot's bulletin board is so ancient and convoluted that no one knows how to exploit it.

Nothing about this surprises me. (4, Interesting)

thevirtualcat (1071504) | about 6 months ago | (#45145897)

I've used vBulletin for years. While it's never had a particularly stellar security record, it has only gone down hill since Internet Brands bought Jelsoft.

The only remotely secure way to run vBulletin these days is to stick it in its own php-fpm pool with its own user account and ensure that all files are 440 and all directories are 550. The upload directories (customavatar, attachment, etc) need to be 770 and then be excluded from PHP execution in your httpd config. Deleting "install/" goes without saying. (And we have it behind a Basic Auth, just in case someone forgets.)

Even today, with that fairly verbose nginx config and a fully patched and up to date vBulletin, I still find delightful files in my upload directories like "r00t.php" and "shell.php".

Oh? You're on shared hosting? Good luck with that...
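The layout this comment describes (installer deleted, code 440/550, upload directories 770 with no PHP in them), turned into an audit script as an added example; it is not vBulletin's tooling or the poster's own. It assumes the upload directory names are passed on the command line and that the docroot is laid out as the comment says.

```shell
#!/bin/sh
# vb_audit DOCROOT UPLOAD_DIR...: check a vBulletin document root against:
#   - install/ and core/install/ must be gone (4.x and 5.x installer locations)
#   - every other file is mode 440 and every directory mode 550
#   - each named upload dir (e.g. customavatar attachment) is 770 and holds no .php
# Prints one "FINDING: ..." line per problem and returns 1 if there were any.
# Added example; the rules are taken from the comment above, not from vBulletin docs.

# report LABEL TEXT: print each line of TEXT as a finding; return 1 if TEXT is non-empty.
report() {
    [ -n "$2" ] || return 0
    printf '%s\n' "$2" | sed "s|^|FINDING: $1: |"
    return 1
}

# is_upload_dir NAME DIR...: true if NAME is one of the listed upload directories.
is_upload_dir() {
    n=$1
    shift
    for u in "$@"; do
        [ "$n" = "$u" ] && return 0
    done
    return 1
}

vb_audit() {
    root=$1
    shift
    rc=0
    [ -d "$root" ] || { echo "FINDING: not a directory: $root"; return 1; }

    # 1. The installer must be deleted, in both the 4.x and 5.x locations.
    for d in install core/install; do
        if [ -e "$root/$d" ]; then
            echo "FINDING: installer still present: $root/$d"
            rc=1
        fi
    done

    # 2. The docroot itself is part of the code tree, so it must be 550 as well.
    report "directory not 550" "$(find "$root" -prune ! -perm 550)" || rc=1

    # 3. Each top-level entry is either an upload dir or part of the code tree.
    for entry in "$root"/* "$root"/.[!.]*; do
        [ -e "$entry" ] || continue        # glob matched nothing
        name=${entry##*/}
        if is_upload_dir "$name" "$@"; then
            report "upload dir not 770" "$(find "$entry" -prune ! -perm 770)" || rc=1
            # A PHP file under an upload dir is the "r00t.php" case the comment
            # mentions: it must not be there even if the web server won't execute it.
            report "PHP file in upload dir" "$(find "$entry" -type f -name '*.php')" || rc=1
        else
            report "code not 440/550" \
                "$(find "$entry" \( \( -type f ! -perm 440 \) -o \( -type d ! -perm 550 \) \) -print)" || rc=1
        fi
    done
    return $rc
}
```

Run it as the php-fpm pool's user after deployment and again from cron; a non-zero exit with a "PHP file in upload dir" line is the same signal the comment describes finding by hand.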

Re:Nothing about this surprises me. (1)

denmarkw00t (892627) | about 6 months ago | (#45149695)

Oh? You're on shared hosting? Good luck with that...

Well, I wasn't on shared hosting...but then I installed vBulletin - ZING!

Much more than 1 week old (4, Informative)

pjrc (134994) | about 6 months ago | (#45146109)

My site uses vBulletin.

This vulnerability is MUCH older than the 1 week mentioned in Slashdot's summary.

Several weeks ago the vBulletin folks sent an email advisory to all registered users (e.g., people who actually paid for the software). In fact, they sent 2 messages. The first warned of this vulnerability and suggested immediately deleting the install folder, if it wasn't already deleted as recommended. The 2nd message, only a couple of days later, announced a new version which fixed this bug, even if the install folder was not deleted.

vBulletin has a web-based admin control interface, separate from the main forum. Even in the old, vulnerable versions, the admin section will not work if the install folder still exists. It just displays a message saying you must delete the install folder before you're allowed admin access to your own forum. Any sites that were vulnerable to this bot must have been set up by just unpacking the zip file and then running the wizard to set up the database. It specifically tells you to delete the install folder at the end of that process. So anyone who got hit not only ignored that instruction, but also never even used the admin section of their forum, because it's intentionally disabled to force people to properly delete the install folder.

Sure, there may be 30-some thousand forums out there with this problem, but every single one of them was set up so poorly that the forum owner never even accessed their admin interface.

Look and feel (1)

mynamestolen (2566945) | about 6 months ago | (#45146399)

Can someone please post a couple of links to show what the software looks like on a site. I have no idea what the typical layout and default look and feel is like.

Lazy Vs. Uninformed (1)

paysonwelch (2505012) | about 6 months ago | (#45146989)

I always assume that it's pretty standard practice to delete any /install folder. I mean seriously.. Not only are you keeping your installation tidy but obviously it prevents anyone from re-running any install scripts. So it either comes down to people being lazy or just not knowing. I forget how many "webmasters" or "developers" are out there that don't even know the basics. As sort of an argument point spin-off, better software has led to less hands on deployment and made it easier for more people to deploy sites. In this vein people haven't learned how to RTFM since installs are so easy. /rant

Sadly (1)

lapm (750202) | about 6 months ago | (#45147117)

Sadly most people that install forum software of any type, just don't follow security bulletins, or read install instructions properly anyways. Damn computer amateurs...