5.0.0 all Beta releases SQL Injection Exploit 0day

Discussion in 'vBulletin Discussions' started by Brandon, Feb 22, 2013.

  1. Brandon

    Brandon Regular Member

  2. CM30

    CM30 Regular Member

    Oh great. Well, here's hoping vBulletin fix it sooner rather than later, otherwise there could be some pretty unhappy vBulletin 5 customers out there...
     
    Brandon likes this.
  3. Brandon

    Brandon Regular Member

    Yup, especially the customer area access :eek:
     
  4. AWS

    AWS Administrator Admin Talk Staff

    Seen this last night on another site. You don't need a script to get the hash. You can do it with a URL. Only thing you need to do is point it at a thread an admin posted in. Once you got the hash it takes about 5 minutes to get the password.
     
    Brandon likes this.
  5. Brandon

    Brandon Regular Member

    That's pretty scary to be honest!

    I saw this posted last night but I was already in bed and figured I would just post it today.
     
  6. AWS

    AWS Administrator Admin Talk Staff

    I am surprised no one has used this on vbulletin.com yet.

    I remember a user reported an exploit in the 3.8 branch shortly after IB took over and they marked it as trivial and told the user he didn't know what he was talking about. He then used it to gain access to one of the admin accounts, I don't remember whose it was, and posted in the private forum. Next day he showed screenshots of the private forums with him logged in. The thread was locked and removed. The trivial exploit was fixed the next day.
     
    Iconic, Alfa1 and Brandon like this.
  7. Brandon

    Brandon Regular Member

    I think I remember that too @AWS

    IB doesn't care at all it seems
     
  8. Alfa1

    Alfa1 Regular Member

    If that would happen now then it could have far going consequences. Depending on what's in there.
     
  9. fattony69

    fattony69 Regular Member

    This doesn't surprise me at all, sadly.
     
  10. AWS

    AWS Administrator Admin Talk Staff

    The exploit was sold to 2 people so expect to see vbulletin 5 hacked threads pop up at vbulletin.com. Of course the people that bought the kit will have a hard time finding any to hack.
     
    fattony69, Mike Edge and Brandon like this.
  11. DaUnknownAdm!n

    DaUnknownAdm!n Regular Member

    I remember that as well, I believe they reported about it on TAZ as well, IIRC.
     
    Brandon likes this.
