I just noticed that vBulletin has this guide on their site: Fixing your site after you have been hacked http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked It's as if the staff know the software is going to get hacked, yet they probably aren't fixing issues with their software. Poor customers. Made me laugh.
I think it's more like they don't want to fix the issue but more like they don't know how to fix the issue.
Would it not be smarter for VB to post something that says "Securing your site BEFORE it is hacked", or even: "Fixing your software BEFORE we sell it to you"?
I think the last part of that reply is wrong. It should say that if they become aware of an exploit they'll remove parts of the software to fix them. The last 2 fixes were to remove the install directory and the flash uploader. If enough exploits are found there might not be vbulletin.
Pretty cheap blows all around in this thread. We do have a blog up on how to secure your site (before being hacked): http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site There has also been a long-standing post (created by Steve) with the best ways to keep your site secure, which has been available for those interested in further securing their site. The fact is, if you have a forum, any forum, you run the risk of being hacked. VB was hit with a tough exploit last year and it seemed prudent to make securing your site before a hack a bigger issue. Had people followed the recommended security procedures, the September exploit wouldn't have been able to damage their site. The last two exploits were most easily dealt with by removing a directory and a file, for different reasons. There is (and never really has been) a good reason to keep your /install/ directory available; the hack just made it more obvious. It is better for everyone if the /install/ directory gets removed rather than fixing the issue in the file and leaving the /install/ directory accessible. As for the flash uploader, that wasn't a file vBulletin originally supplied; it was Yahoo who had the exploit and wasn't going to fix it. vBulletin doesn't have flash developers, but it didn't really matter: within a week or so, as I predicted, a community member patched the file and released it on vBulletin.org.
You're right. I always removed the install directory. There was just no reason to have it. It's sad when a community member has to fix an exploit. Whether it was a Yahoo exploit or not, it showed the total ineptitude of the developers. IPB used the same library and a patch was released shortly after Yahoo announced the exploit. This was at least a week before vBulletin acknowledged there was a problem. Not having a flash developer is no excuse. If you use a third-party library in your scripts, you are responsible for updating to the patched library when an exploit is found. Removing a function and waiting for a user to fix it is ridiculous.
@BirdOPrey5 After 10 years of being exploited by could be, possible, potential vB exploits, I have concluded the best possible measure one can take to protect against any possible, could be, potential vB exploit was not to install the software. Problem solved, exploit fixed.
I get you are upset with the company, but there has been one notable exploit (September last year) that had serious repercussions in the years since I've been there. It's not perfect but hardly a bad track record. IPB has its share of exploits found, and XF has a fraction of the history vBulletin has. There are a lot of reasons you could bring up to say you are unhappy with vBulletin that I would understand (maybe not agree with, but understand); however, to claim a history of exploits isn't one of them. It's unlikely anyone would have gotten hacked with the flash uploader or any number of more minor exploits. The fact we even bring them up is our commitment to security, and you use it as a negative against the software.
This is simply not true. The number of vBulletin exploits greatly exceeds 100. And, for the record, there have been over 15 in the last 6 months, all of which would greatly damage a site running the software. http://www.exploit-db.com/exploits/30212/ This is the most recent public one, December of 2013. And I would consider it pretty major, being one could easily gain access to the admin account of the site. Also, it could be used to steal data such as usernames, passwords, and so on. If done correctly, the attacker could maintain said admin access forever, realistically, without the admin ever knowing. I went through some of the more private sites and I found 3 current exploits as of January 2014. I won't link to them for obvious reasons, but they are there. And yes, the reason that they have so many is because vBulletin was so popular. It is simply the nature of the game, but to pretend like they are not there is rather silly in my opinion. And lastly, on one of the private sites, in the comments about said exploit there is a link to the following article claiming credit for the hack using said exploit. http://www.networkworld.com/news/2014/010914-opensuse-forums-hack-raises-vbulletin-277538.html OpenSuse was hacked using a still valid vBulletin exploit. And this was last month. Only one notable, huh? And I already know you are going to do the same thing you always do and demand proof. Well, I am no snitch. If I am capable of finding it, then I imagine those who vBulletin pays to find this sort of thing should be quite capable of doing so. I do not do other people's jobs for them, especially when they are being paid and I am not.
The exploit you did link to was from a BETA version of 5.0, which was never supposed to be used on a live site and which was fixed long ago. The OpenSuse exploit was from an old version of VBSEO, not vBulletin, by the way: http://web.archiveorange.com/archive/v/9nunmzVJPX8E3BLt9K7S Kind of thing where the headline makes page one but the correction is buried in the back of the paper.
@BirdOPrey5 The only reason vB brings them up is because others (not staff or vB coders) expose them. If your (vB) commitment to security is so strong, why is it others are aware of the exploit weeks, months, years before vB says anything about it? I have read posts on vB by members who reported exploits only to be met with ridicule and denial. So no, I don't agree with your opinion that they are committed to security (for a commercial product, even betas should not be released to the general public); if that were true, there would be more scrutiny for such problems before the product is sold. That being said, shit happens, and it is what vB does with the reports, how it treats those who report them, and the lengthy time it takes for a fix even when they know exactly where the exploit is. In the early days there was genuine commitment; today? Not so much. It's just so much lip service. The vB ship has sunk and at this point in time is unsalvageable. I don't believe they care enough to make sure all the rivets and sealant are in place before launching it into the water with customers aboard. In my opinion the coding sucks and the quality control that should be in place for a retail product is nonexistent. It is a sad state when the customers were (past tense) more committed than vB et al.
There have been a number of patches released over the years for exploits found by VB staff themselves. They don't always make as much news as others. My feeling is you are exaggerating.
Oh well, yup, they are my opinions and have saved me thousands of dollars by not reinvesting in them.
Of course not. Being a coder/programmer, I understand the amount of work one puts into coding something like that up. I respect their work and would not tarnish it by reporting it. It is not my job to do so. Also, you are completely wrong about how OpenSuse was attacked. Though I do like how you blame VBSEO instead of vBulletin. But VBSEO was not to blame; it was vBulletin. And the fact they are claiming it was VBSEO means it will only happen again.