Links


Azooz
Sat 8th Sep '01, 5:26pm
Hi,

Any link posted on any VB post has a security problem - it sends the User ID and password (encrypted) - this gives hackers easy access to members' IDs.

VB has a huge security problem - any link out to another site sends the user's ID and password too - you can see it if you look in the top line URL, as can some hackers.

Just click any link out of any VB and you give your user ID and password away.

This is a very easy fix, Matt did it long ago - all you have to do is NOT send the user ID and password with links - I wish VB's next version learns and does this.

Steve Machol
Sat 8th Sep '01, 7:47pm
Frankly this isn't true. Where did you get such an idea?

Also, could you please enter your license info into your user profile? See my sig for details. Thanks! :)

Martin
Sat 8th Sep '01, 8:30pm
waaaaaaaaaaaaaaaaaaaaaaaay back when, in the beta 1.0.0 this was the case when you logged in. your user id and encrypted password were displayed when you logged in. This was fixed before the first public release in April of 2000.

your information is very outdated, unless your intent was to advertise for Ikonboard. I don't think Matt would appreciate that very much.

Azooz
Sun 9th Sep '01, 9:58am
Hi,

First off sorry for my harsh language, English is not my first language :(

As a host I don't have much say on what any webmaster uses, I just translate for some of them and try to help in solving their problems. I will not even put a free plug for my site here - let alone a VB competitor. I really meant no offense - I was just a bit too angry, it's been a year.

Here is what I'm talking about:

If you have stats on your site - that show what link your visitors followed - you will see the URL plus the user ID and the encrypted password, of any VB link out to your site. Of any user who clicks it - even the admin or a moderator.

Cut and paste the URL with the ID and encrypted password from your stats into your browser - and you are logged into the VB with that user's ID. You can access all his info private messages and post in his/her name.

Please Martin and smachol try it - and call me a liar if it does not work, I would really appreciate it.

If it works - please explain it better than me in English?

Best Regards
Azooz

orca
Sun 9th Sep '01, 11:41am
Hmm, I think he means the log files of the referring URLS to your site which actually can only be seen by the site admin. I'm just checking it @ my site.


It's not the encrypted username and password you see there. It's actually the session value you see. You can't hack into the board that way...

Steve Machol
Sun 9th Sep '01, 1:01pm
What vB version are you running, and what is the URL to your board?

I've done as you said and there is no such User ID and Password in any of the URLs. I think Orca is right - what you are seeing is the Session ID, and there is no confidential information in that.

Once again, please enter your license info into your user profile. Thanks! :)

Azooz
Sun 9th Sep '01, 3:44pm
Peace

I'm really glad no one called me a liar :)

Sorry Steve - I am a host and have no VB on my site, but I do host some non-English webmasters who do. They update their VBs at their own pace - so I'm talking many VB versions here and have no idea about VB really. I can ask one of them to send me his/her licence info if it's needed?

I do not know how the VB ID stealing is done really - but I'll ask one of my non-English speaking webmaster friends to send me a link for you to click?

Orca - Log files it is, thanks - do you see the VB URLs referring to your site? Not the session ID - the actual VB URLs? - Do they have the user ID and encrypted password in them - or not?

Best Regards
Azooz

Wayne Luke
Sun 9th Sep '01, 10:22pm
As was said many times before....

The newer versions of vBulletin do not do this. The only time it was done was in the 1.1.X series when someone logged in, not in every link.

In the 2.0.0 series, the userid and password are never passed in a URL... You can see this for yourself just by looking at this board. Do you see your userid and password in the address box?

Your clients are putting your server at risk by using outdated and unsecure software. As the host it is your responsibility to provide security for all your customers. If you feel one is not behaving in a secure manner you need to take measures to make sure it is secure.

In the future please do a little research in the software your customers are running if you feel they are unsecure. In the last year there have been 9 betas and 4 versions released of the 2.0.0 series of vBulletin.

Azooz
Mon 10th Sep '01, 4:16pm
Hi wluke.

Thanks for the hosting advice - In 2 years I have never lost a single customer and it's servers not server :)

>> In the 2.0.0 series, the userid and password are never
>>passed in a URL...

Please forgive me - just listen and understand? Be smarter than me? I have nothing against VB - I promise this is a true bug and none of my customers are using VB 1.x - all are into 2 - all licenced.

My webmasters all know of this bug - but they can't speak here - this is an English only site :(

There is only one script my customers use that is insecure - that is VB - and I really do not want to offend VB but it has been over a year!!! :(

>>In the future please do a little research in the software
I am trying wluke, really I am - but it is so hard to explain.

Just please try to help me get this VB bug fixed?

Best Regards
Azooz

Steve Machol
Mon 10th Sep '01, 4:22pm
Azooz,

With all due respect no one here can duplicate this 'bug'. What you are describing just doesn't happen on any of our forums.

I'm afraid you're going to have to give us an actual URL as an example.

orca
Tue 11th Sep '01, 3:46am
Originally posted by Azooz

Orca - Log files it is, thanks - do you see the VB URLs referring to your site? Not the session ID - the actual VB URLs? - Do they have the user ID and encrypted password in them - or not?

Best Regards
Azooz

I see the URLs but not the encrypted passwords and usernames. I only see the Session ID. After clicking on one of these links I actually get to the VB board (of course) but I'm not logged in as that user. So, there's no harm.

Steve, I think Azooz means that the session ID is the encrypted password and username. But it doesn't work to login as another user with that, of course.

Mark Hensler
Tue 11th Sep '01, 4:07am
The only security hole I can think of is if you can click that link before the session expires.

I'm guessing that the 'host' field in the session table is used to pair IPs to sessions. That way a session can only be used by the IP that the session was started for. (thus preventing the session from being stolen by links in ICQ or whatnot) Is this right?

filipe
Tue 11th Sep '01, 7:39am
I believe that what Azooz is trying to say, is that the session id is present in the Referrer field when you click on external links (if you are not using cookies to browse the forum).

If the session id is the only thing you need to be authenticated, then it is trivial to hijack user sessions while they are still open. If there is more info needed (like an authentication cookie), that hijacking is not possible.
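
Added example, not part of the thread and not vBulletin's code: a toy session table illustrating the two points raised by Mark Hensler and filipe above, namely that a session id carried in the URL reaches the linked site through the Referer header, and that pairing the session with the client address decides whether presenting it from elsewhere is accepted. The class, field names, timeout, URL and addresses are assumptions constructed for illustration.

```python
import secrets
from urllib.parse import urlparse, parse_qs

SESSION_TTL = 900  # assumed idle timeout, in seconds

class SessionStore:
    """Toy session table keyed by the value carried in the ?s= parameter."""

    def __init__(self, bind_to_host):
        self.bind_to_host = bind_to_host
        self.rows = {}  # session id -> (userid, host, last_activity)

    def create(self, userid, host, now):
        sid = secrets.token_hex(16)
        self.rows[sid] = (userid, host, now)
        return sid

    def validate(self, sid, host, now):
        """Return the userid for a live session, or None if it is rejected."""
        row = self.rows.get(sid)
        if row is None:
            return None
        userid, bound_host, last = row
        if now - last > SESSION_TTL:
            del self.rows[sid]  # expired: drop the row
            return None
        if self.bind_to_host and host != bound_host:
            return None  # presented from a different address than it was issued to
        self.rows[sid] = (userid, bound_host, now)
        return userid

def session_from_referer(referer):
    """The s= value a linked site finds in the Referer URL of its access log."""
    values = parse_qs(urlparse(referer).query).get("s")
    return values[0] if values else None

def demo(bind_to_host):
    """Constructed scenario: a member follows an outbound link without cookies."""
    store = SessionStore(bind_to_host)
    sid = store.create(userid=42, host="198.51.100.7", now=0)
    referer = f"http://forum.example/index.php?s={sid}"  # constructed URL
    leaked = session_from_referer(referer)
    return {
        "other_host": store.validate(leaked, "203.0.113.9", now=60),
        "owner": store.validate(leaked, "198.51.100.7", now=120),
        "after_ttl": store.validate(leaked, "198.51.100.7", now=121 + SESSION_TTL),
    }
```

Address binding does not separate two clients that share an address behind a NAT or proxy; keeping the id in a cookie instead of the URL keeps it out of the Referer altogether.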

DarkReaper
Tue 11th Sep '01, 8:58am
Ok, you see that thing after ?s=...? That's the encrypted session hash. All it is (if I remember correctly) is the unix timestamp encrypted. This is used in tandem with the sessions table in the MySQL database to identify a user. The username and/or password are not given out in this, and even if they were, MD5 password encryption is a one way encryption, therefore this can never (practically, it is possible (I think) but extremely hard :)) be decrypted.

Azooz
Wed 12th Sep '01, 12:24pm
Thanks guys - and I think Max got it.

Originally posted by Max Albert

I'm guessing that the 'host' field in the session table is used to pair IPs to sessions. That way a session can only be used by the IP that the session was started for. (thus preventing the session from being stolen by links in ICQ or whatnot) Is this right?

Right - I think - ICQ - yup, MS messenger actually

They send each other MS messenger links - click then ID's gone.

I'll translate this and see what happens.