[Critical] New vBulletin 5 SQL Injection

Affects the following versions:

vBulletin 5.0.4
vBulletin 5.0.5
vBulletin 5.1.0
vBulletin 5.1.1
vBulletin 5.1.2

Patch immediately! It allows for people to manipulate your databases as well as download the entire thing.

Source: http://www.vbulletin.com/forum/foru...r-vbulletin-5-0-4-5-0-5-5-1-0-5-1-1-and-5-1-2

http://www.csoonline.com/article/24...es-dangerous-sql-injection-vulnerability.html

 

Anyone want to bet this was used against vBulletin.com and was partly responsible for the data breach late last year? On a completely different, yet related note,Internet Brands don't know what they are doing. How the heck do you introduce a SQL injection these days into your code? It's like the biggest thing you're taught to avoid by OWASP.

 

It's definitely new on the disclosures side of things, but for all we know someone found it long time ago and never made it public or sold it on the underground markets and used it personally.

 

Is it my imagination or have there been rather a lot of patches issued recently to plug holes in vB5? It certainly does seem that a code review is in order.

 

Code review? More like they need to actually first pay decently and hire programmers who know how to code securely.

 

I don't disagree, there's clearly an issue there.

 

OR better yet...sell vBulletin and all its assets/members/etc. to XenForo :p

 

Yeah, this latest security breach is just adding insult to injury.

Scott

 

What's beyond that? I kinda felt the insults happened long ago when vBulletin 4 was released in the sorry state it was.

 

Yeah. I am not sure the spiral downwards since the vB4 release will ever stop. It is just too obvious the love of the IB leadership is being put to use in other portions of the company and vB is being basically badly neglected, which over time, I suspect, will lead to its end. It is amazing to think about it, especially when vB was purchased from Jelsoft as a very strategic goal for IB overall, seeing 80% of their "verticals" for advertising are on vB forums.

Scott

 

It amazes me when you think how much they must have paid to purchase vBulletin. They must have thrown a lot of money down the drain since how things have gone, bet it's worth a fraction of what they paid for it from Jelsoft originally. If they ever sell and another company looks through sales records since IB owned it, what's it's now worth.

But, and I've always thought this. I think Jelsoft was very clever when they sold vBulletin on. They knew things was changing at that time on web with social networking. Maybe they even saw a down-trend in sales and decided right time to get out and sell.

 

The patch broke the site? lol.

 

Probably why mark aint updated his test site yet then

I hope you did a jira (or what ever the silly thing is called) report

 

Could it not be related to Bob running it on a Windows based server.

 

Don't know, seems odd that. Because they posted the patch and make no mention about it closing forums down once installed. Which I'm pretty sure they'd say if it did that as a warning of what the patch will do, effectively make your board unusable.

http://www.vbulletin.com/forum/foru...r-vbulletin-5-0-4-5-0-5-5-1-0-5-1-1-and-5-1-2