vBulletin software flaw

uvarvu · 22 Jul 2010 at 20:19

Not sure on the urgency of this.

BBC link

matthewhotdude · 22 Jul 2010 at 20:29

uvarvu said:
Not sure on the urgency of this.

BBC link

Urgent for the people running 3.8.6 thankfully I'm not

Fuzz · 22 Jul 2010 at 20:31

Yes lets give it full world wide media coverage.
That seems a sensible idea

Van Hellseek · 22 Jul 2010 at 20:34

Only affects v3.8.6

Dunks · 22 Jul 2010 at 20:34

Scubascorpion said:
Yes lets give it full world wide media coverage.
That seems a sensible idea

Yeah, I mean why report on anything at all that could be used the wrong way.

Cosimo · 22 Jul 2010 at 20:36

Ah yes, here all the full administrator rights.

Eek, I’ve been rumbled.

Werewolf · 22 Jul 2010 at 21:00

And this is one of the reasons it's not always a good idea to update straight away

Van Hellseek · 22 Jul 2010 at 21:02

Werewolf said:
And this is one of the reasons it's not always a good idea to update straight away

Yes but likewise using outdated software is a security risk too, especially as most updates are mainly security fixes.

matt0r · 22 Jul 2010 at 21:06

Werewolf said:
And this is one of the reasons it's not always a good idea to update straight away

seek said:
Yes but likewise using outdated software is a security risk too, especially as most updates are mainly security fixes.

So we've learnt its risky to update and not-update ...

AMG · 22 Jul 2010 at 21:13

thats like 1 step foward and two back

Fuzz · 22 Jul 2010 at 21:15

Dunks said:
Yeah, I mean why report on anything at all that could be used the wrong way.

Because the people who matter would already know and the people who don't know, don't matter.

alex24 · 22 Jul 2010 at 21:18

Nope, update, but not immediately. Leave a sensible period of time for any bugs to be ironed out, unless the version you're using is known to be buggy or a security risk.

Van Hellseek · 23 Jul 2010 at 01:13

alexhull24 said:
unless the version you're using is known to be buggy or a security risk.

All versions are known to be this, when a new update is released which points out the previous bugs/security flaws!

alex24 · 23 Jul 2010 at 01:15

Hmmm, perhaps I mean a serious bug (i.e. a big security hole/risk) as opposed to niggle. Seems like you can't win.

RadoX · 23 Jul 2010 at 01:29

why has this made big news ? theres allsorts of sql injections (presuming its a sql injection flaw) or other flaws that turn up in popular web software every day. i dont know the latest scene website and milw0rm is offline now. ill take a look round for the PoC but i really cant see why this has made major news. ms08-67 didnt get a bbc news page dedicated to it when it was 0day and that was a devistating exploit effecting nearly all windows machines and giving root privileges and for about a week it went unpatched. whereas this effects a tiny ammount of forums ones wich wouldnt be worth hacking anyway apart from maby the email list for spam since any decent forum will have updated there software straight away and have there box configed correctly to stop kiddies OWNIN|G TO DA MAX!!1!!!

Van Hellseek · 23 Jul 2010 at 01:33

RadoX said:
why has this made big news ? theres allsorts of sql injections (presuming its a sql injection flaw) or other flaws that turn up in popular web software every day. i dont know the latest scene website and milw0rm is offline now. ill take a look round for the PoC but i really cant see why this has made major news. ms08-67 didnt get a bbc news page dedicated to it when it was 0day and that was a devistating exploit effecting nearly all windows machines and giving root privileges and for about a week it went unpatched. whereas this effects a tiny ammount of forums ones wich wouldnt be worth hacking anyway apart from maby the email list for spam since any decent forum will have updated there software straight away and have there box configed correctly to stop kiddies OWNIN|G TO DA MAX!!1!!!

It's probably news because vB has been big news with their release of vB4 lately. Of course this issue only affects older versions (or one very specific older version) of the software, but clearly that doesn't stop the BBC cashing in on the 'omg vBulletin is teh hots news' thing.

RadoX · 23 Jul 2010 at 01:34

oh btw if anyone running a forum cant update for whatever reason just remove faq.php and all will be fine

RadoX · 23 Jul 2010 at 01:39

seek said:
It's probably news because vB has been big news with their release of vB4 lately. Of course this issue only affects older versions (or one very specific older version) of the software, but clearly that doesn't stop the BBC cashing in on the 'omg vBulletin is teh hots news' thing.

so all the remote M$ exploits arent newsworthy ? or all the local PE exploits for *nix ? that are out every few weeks to a month ?

Van Hellseek · 23 Jul 2010 at 01:43

RadoX said:
so all the remote M$ exploits arent newsworthy ? or all the local PE exploits for *nix ? that are out every few weeks to a month ?

Well that's kind of my point.