• OzzModz is no longer taking registrations. All registrations are being redirected to Snog's Site
    All addons and support is available there now.

Security Exploit Patched in versions 3.5, 3.6, 3.7, 3.8, 4.X, 5.X of vBulletin

Ozzy47

Administrator
A security issue has been found that affects all versions of vBulletin including 3.x, 4.x and 5.x. We have released security patches to account for this vulnerability. This includes patches for vBulletin 3.8.7, vBulletin 4.2.2 and all versions of vBulletin 5 (including Cloud accounts). The patch is also applied to vBulletin 5.1.0 RC1. It is imperative that you apply these patches as soon as possible.

Due to functionality changes, the minimum PHP version for the patch is 5.2.0. This represents an increase for both vBulletin 3. Alternatively customers can install the JSON functions separately via http://pecl.php.net/package/json in which case it will work with any compatible PHP version that their particular version of vBulletin supports. You will need to collaborate with your hosting provider or systems administrator to apply the changes to PHP.O

Original thread, http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4024547-vbulletin-security-patch-for-3-8-7-4-2-2-and-5-x
 
Here is the details.
Security Exploit Patched on vBulletin – PHP Object Injection

The vBulletin team just issued a warning, and released patches for a security exploit that affected all versions of vBulletin including 3.5, 3.6, 3.7, 3.8, 4.X, 5.X. They recommend that anyone using vBulletin apply these patches as soon as possible. Here is part of their announcement:

A security issue has been found that affects all versions of vBulletin including 3.x, 4.x and 5.x. We have released security patches to account for this vulnerability. This includes patches for vBulletin 3.8.7, vBulletin 4.2.2 and all versions of vBulletin 5 (including Cloud accounts). The patch is also applied to vBulletin 5.1.0 RC1. It is imperative that you apply these patches as soon as possible.
Due to functionality changes, the minimum PHP version for the patch is 5.2.0. This represents an increase for vBulletin 3. Alternatively customers can install the JSON functions separately in which case it will work with any compatible PHP version that their particular version of vBulletin supports. You will need to collaborate with your hosting provider or systems administrator to apply the changes to PHP.

If you are using vBulletin, you know what to do: Patch now!
What really worries me from this announcement is that they increased their minimal PHP version requirement on the security patch. It means many webmasters will not be able to apply the patch quickly enough, and some may end up breaking their sites.
So, if your host is not running an updated version of PHP, you need to contact them ASAP to get it updated or your site will be vulnerable.
What a Security Exploit Mans?

The vBulletin team provided no details on what exactly they patched, or what the vulnerability was. All they have said is it was a “security exploit”, which should be enough of a warning for people to update their forums.
Based on their patches, we were able to clearly see what the issue was:
Code:
[INDENT] They removed:
                $temp = unserialize($check);
And added:
                $temp = json_decode($check, true); 
[/INDENT]

Later in the code where they were running “serialize($_POST”, they changed it to “json_encode($_POST)”. It appears like a PHP Object injection where they are passing user supplied data to an “unserialize” function.
This may lead to privilege escalation, remote code execution, or maybe even allow an attacker to run any PHP function they want. We don’t know how bad it is yet, but our team is still investigating this issue and trying to confirm the severity, and what can really be done.
Users running our Website Firewall are already protected against PHP Object injections, and we are building a custom virtual patching signature for it as well. Stay tuned for updates.

Source, Security Exploit Patched on vBulletin PHP Object Injection | Sucuri Blog
 
Code:
 So, if your host is not running an updated version of PHP, you need to contact them ASAP to get it updated or your site will be vulnerable.

Updated version?

Never mind, I am reading it now.
 
Last edited:
I saw that, that is why I did the manual updates.
3.7.4 ← not updating it
3.8.4 ← manual update
3.8.5 ← manual update
3.8.7 ← uploaded update
4.2.2 deleting it

I think I am good for now... or until vbulletin says we all must update php5.whatever or else.. Then our sites will not work and force us to upgrade to... a better forum software.
 
I'm not messing with it. I think it's all BS, trying to get people to panic and upgrade their PHP.
 
But, what if? Is it worth waking to a hacked site? Na... upgrading is painless, its just a few files.
We don't see 50 threads of "OMGZ I've been HAAAAACKED" and looking at the file changes and the packet downloaded from vBcom, it is clear to me this is only a 'vulnerability' if the evol hax0r is already in your files, by some other means. And if one IS in your files, you have alot more vulnerabilities than this obscure bullshit.

'Exploit' is said to have existed for ten years, and it's never been a cause of a hack?

I'll pass. I don't trust a frikkin thing Internet Brands says.
 
I just smell too much BS on this. It just soooo happens to be a 'exploit' affecting ALL versions of vB currently running, and that most people will upgrade PHP for, conveniently when v5 is a failure, and many v3 and v4 owning people balk at it due mainly first of all, to the PHP upgrade needed.

It just seems scripted, to save a failing product - to get us to buy the v5 shit sandwich.

A 'exploit' that's never been exploited? In ten years?

Nah. Ain't buying.
 
[MENTION=1]Ozzy47[/MENTION] does you have issue with this patch update ?
Maintenance > General Update Tools > Fix broken user profiles

Code:
Warning: Declaration of vBForum_Item_SocialGroupMessage::getLoadQuery() should be compatible with vB_Model::getLoadQuery($required_query = '', $force_rebuild = false) in ..../packages/vbforum/item/socialgroupmessage.php on line 21
Warning: Declaration of vBForum_Item_SocialGroupDiscussion::getLoadQuery() should be compatible with vB_Model::getLoadQuery($required_query = '', $force_rebuild = false) in ..../packages/vbforum/item/socialgroupdiscussion.php on line 21
 
Nope, as I have hidden those errors as vB recommended.

In class_core.php locate lines 5683-5685, find this code:
Code:
 case E_NOTICE:    
        // Just ignore these completely //    
    break;

Replace with this:
Code:
case E_NOTICE: 
       case E_STRICT;     
   case E_DEPRECATED;        
    // Just ignore these completely //  
      break;
 
i agree its bs indeed and i am not applying this
Well... To be more fair I can see how they might have found this, knew it was extremely remote it could ever happen, but out of a extreme abundance of caution decided to release a patch. It happens.

I need not ascribe bad intentions on IB for no really good reason. Nevertheless, I am skipping this patch.
 
Back
Top