  #1  
28 Sep 2019, 18:56
gambler726
 
Join Date: May 2016
Is anyone maintaining VB4? Fixes, etc.?

I am still using VB 4 and am reluctant to try VB5 based on what I read. Based on the comparisons in the links below, it looks like very few have moved from VB4 to 5.

https://www.similartech.com/compare/...s-vbulletin-5x

https://www.similartech.com/compare/...-5x-vs-xenforo

https://www.similartech.com/compare/...-4x-vs-xenforo

I would also consider Xenforo but it's an unknown to me after 15 years with VB.

Here's the thing: I get this email out of nowhere from someone who says VB4 has a SQL injection vulnerability and he wants to report this to my admin. I don't know if this is a scam to get me to pay him to fix it, but the email lists all of my database tables, which makes me uneasy, and they tell me all the data is accessible.

Again, possible scam but he has my attention.

I report it to my webhosting company to see what they think (and they are very good) and they tell me that since VB4 is at end of life, I should upgrade to VB5 or risk continued security breaches.

Hence, the title of this post - is anyone out there still updating VB4 for security patches, etc.?

Another question: what's your thought on that provocative email? Scam, threat or something else?

Thanks.
  #2  
28 Sep 2019, 19:56
Dave
 
Join Date: Jun 2010
Real name: Dave
If he said he found a SQL injection vulnerability in vBulletin 4, it's also possible that it's in one of the plugins you have installed and not in the core files of the forum. Are you sure he sent you a list of your actual database tables or did he just show you a list of the tables that are present in the default vBulletin 4 installation?

As far as I know, there are no known and public security vulnerabilities in the latest vBulletin 4 version. Even if someone published a vBulletin 4 exploit, there are plenty of people, including myself, who would publish an unofficial fix for it.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
  #3  
28 Sep 2019, 21:04
gambler726
 
Join Date: May 2016
Thanks for the quick response.

Originally Posted by Dave
If he said he found a SQL injection vulnerability in vBulletin 4, it's also possible that it's in one of the plugins you have installed and not in the core files of the forum. Are you sure he sent you a list of your actual database tables or did he just show you a list of the tables that are present in the default vBulletin 4 installation?
It was a list of the actual tables with my specific prefixes plus other tables I created.

Originally Posted by Dave
As far as I know, there are no known and public security vulnerabilities in the latest vBulletin 4 version. Even if someone published a vBulletin 4 exploit, there are plenty of people, including myself, who would publish an unofficial fix for it.
I've gotten most, if not all, of my plugins from VB.org, and I use a lot of them. Turning them off, as I have done, makes it look like a different forum. I assume disabling them does not prevent the vulnerabilities?

Here is the email thread - everything is from the emailer. I may have made a mistake but I did reply once with a "thanks, I will look into it"


On Fri, Sep 27, 2019 at 12:12 AM
Hi
I have found a SQL injection vulnerability on the website.
How can I report it?

On Fri, Sep 27, 2019 at 12:16 AM
It's possible to retrieve database information.

On Fri, Sep 27, 2019 at 12:27 AM
[Listed the tables]

Sent: Thursday, September 26, 2019 4:31 PM

All users' information is affected now.
I am looking for an admin for the bug report.

On Fri, Sep 27, 2019 at 7:13 AM
Will I get compensated for my help?

There is impact of the vulnerability. A potential attacker can take users' information and more...
  #4  
28 Sep 2019, 21:13
Dave
 
Join Date: Jun 2010
Real name: Dave
Disabling the plugins, if they are coded properly, should disable them completely and prevent access to their hooks/files.

Feel free to PM me the URL of your forum and I will take a look and determine if I can find a vulnerability somewhere. If I can find something, I'll let you know the details and what further steps to take.
  #5  
28 Sep 2019, 22:03
In Omnibus
 
Join Date: Apr 2010
Real name: Kris
This sounds like a scam to me. Exploits are publicized. If there were one it would be reported by a lot of vBulletin 4 users, including myself.
  #6  
28 Sep 2019, 22:09
Meister2017
 
Join Date: Sep 2017
Why does it have to be fraud? If he has screenshots of the database it will be true. Every script has security holes and if you have plugins installed, the danger is even greater.
  #7  
28 Sep 2019, 22:46
In Omnibus
 
Join Date: Apr 2010
Real name: Kris
Originally Posted by Meister2017
Why does it have to be fraud? If he has screenshots of the database it will be true. Every script has security holes and if you have plugins installed, the danger is even greater.
The number of vBulletin 4 sites running plugins is in the thousands, last I knew. The odds that one site has a security vulnerability discovered by one individual which has not been exploited or reported by others are virtually zero. I personally administer a dozen vBulletin 4 sites, all of which use third-party modifications. Not one of them has had an issue as I type this.

Screenshots don't prove anything. I can create a screenshot of any vBulletin database just by creating an empty database and installing a fresh copy of the software.

It's patently false to say that "every script" has security holes. I'm not even going to argue that because it's a non-starter. There are scripts that don't even access the database.

Is it possible there's an exploit out there? Of course. Is there any empirical evidence of one being out there? Not at this time.
  #8  
28 Sep 2019, 23:52
iA1
 
Join Date: Jul 2018
Originally Posted by In Omnibus
Screenshots don't prove anything. I can create a screenshot of any vBulletin database just by creating an empty database and installing a fresh copy of the software.
OP says it is a list of his database tables, along with the prefix and it includes his own custom tables in it. I don't think it is a scam. You can create a generic db table list, but the probability of applying the same prefix used by OP and adding his custom tables in it is virtually zero.

There should be a system in place here at vb.org to scan all submitted plugins for security issues before allowing them for public download.
__________________
Make your forum mobile friendly and get app-like features:
App-like icon on your smartphone homescreen
Responsive style - for vBulletin 4.2.x as well as vB 3.8.x - Contact for custom work
Push notifications for new replies, likes and PM
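The point argued in the posts above is that a generic table list proves nothing, while a list carrying the site's own prefix and its hand-made tables can only come from reading the live database. As an added example (not code from this thread, from vBulletin or from anyone posting here), the following Python shows the mechanism with an in-memory SQLite database standing in for MySQL: a hypothetical custom script that concatenates a request parameter into a query, the UNION payload that turns that lookup into a dump of the database catalogue, the same lookup rewritten with a bound parameter, and a small check that compares a reporter's table list against the real schema. The prefix `mysite_`, the table names and the `custom_raffle_entries` table are constructed for the example; in MySQL the catalogue would be read from `information_schema.tables` instead of `sqlite_master`.

```python
import sqlite3

# Constructed stand-in for the site's database: vBulletin-style tables with a
# non-default prefix plus one table the admin created by hand. These names are
# assumptions for this example, not the thread starter's real schema.
TABLE_PREFIX = "mysite_"
SCHEMA = [
    f"CREATE TABLE {TABLE_PREFIX}user (userid INTEGER PRIMARY KEY, username TEXT, email TEXT)",
    f"CREATE TABLE {TABLE_PREFIX}thread (threadid INTEGER PRIMARY KEY, title TEXT)",
    "CREATE TABLE custom_raffle_entries (entryid INTEGER PRIMARY KEY, userid INTEGER)",
]

# What a prober sends instead of a numeric thread id. SQLite keeps its
# catalogue in sqlite_master; in MySQL the same idea reads
# information_schema.tables.
PAYLOAD = "0 UNION SELECT name FROM sqlite_master WHERE type = 'table'"


def make_db():
    """Build the in-memory sample database with a couple of threads."""
    conn = sqlite3.connect(":memory:")
    for stmt in SCHEMA:
        conn.execute(stmt)
    conn.execute(f"INSERT INTO {TABLE_PREFIX}thread VALUES (1, 'Welcome'), (2, 'Rules')")
    return conn


def lookup_thread_vulnerable(conn, threadid):
    """Hypothetical custom script: pastes user input straight into the SQL.

    The input is parsed as SQL text, so a UNION payload can pull rows from
    any table the database user can read, the catalogue included.
    """
    sql = f"SELECT title FROM {TABLE_PREFIX}thread WHERE threadid = {threadid}"
    return [row[0] for row in conn.execute(sql)]


def lookup_thread_safe(conn, threadid):
    """Same lookup with a bound parameter: the input is only ever data."""
    sql = f"SELECT title FROM {TABLE_PREFIX}thread WHERE threadid = ?"
    return [row[0] for row in conn.execute(sql, (threadid,))]


def actual_tables(conn):
    """What the admin sees when listing tables directly in the database."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(row[0] for row in rows)


def leaked_tables(conn):
    """Table list an outsider recovers through the vulnerable lookup."""
    return sorted(lookup_thread_vulnerable(conn, PAYLOAD))


def report_matches_live_schema(reported, conn):
    """Check a reporter's table list against the real schema.

    True only if every reported name is a live table and at least one of
    them lies outside the vBulletin prefix, i.e. a home-made table. A list
    copied from a default install would fail both tests.
    """
    names = set(reported)
    live = set(actual_tables(conn))
    has_custom = any(not n.startswith(TABLE_PREFIX) for n in names)
    return bool(names) and names <= live and has_custom


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:", lookup_thread_vulnerable(db, 1))
    print("leaked via injection:", leaked_tables(db))
    print("safe lookup given the payload:", lookup_thread_safe(db, PAYLOAD))
    print("report matches live schema:", report_matches_live_schema(leaked_tables(db), db))
```

The vulnerable function returns the full table list, prefix and custom table included, from a single request; the parameterised version returns nothing for the same input because the payload is compared against `threadid` as an ordinary value. That is also why the advice in the thread about checking non-vBulletin scripts matters: the injection point can sit in any script that shares the database, not only in the forum core or its plugins.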
  #9  
29 Sep 2019, 00:03
Dave
 
Join Date: Jun 2010
Real name: Dave
Just so everyone is aware, I looked at the forum of OP and the security issue was present in non-vBulletin related scripts. Currently helping him fix the vulnerabilities.
  #10  
29 Sep 2019, 01:26
In Omnibus
 
Join Date: Apr 2010
Real name: Kris
Originally Posted by Dave
Just so everyone is aware, I looked at the forum of OP and the security issue was present in non-vBulletin related scripts. Currently helping him fix the vulnerabilities.
Thanks, Dave. Can you share what scripts are involved in case anyone else is running them?
  #11  
29 Sep 2019, 03:10
Dave
 
Join Date: Jun 2010
Real name: Dave
Originally Posted by In Omnibus
Thanks, Dave. Can you share what scripts are involved in case anyone else is running them?
It was all custom made so no one would have these scripts running on their webserver.
  #12  
29 Sep 2019, 04:25
In Omnibus
 
Join Date: Apr 2010
Real name: Kris
Originally Posted by Dave
It was all custom made so no one would have these scripts running on their webserver.
OK. Thanks for the info. Now no one has to overreact.
  #13  
29 Sep 2019, 17:26
gambler726
 
Join Date: May 2016
Thanks for your help Dave!

And thanks for everyone's input.