Discuss away!

If you are having a specific problem, please post in the appropriate forum (http://www.vbulletin.com/forum/forumdisplay.php?f=38) rather than using this thread.

Numbuh 1 :D Cool, Nice release. Just wish it came out before I upgraded to RC 2

Numbuh 1 :D Cool, Nice release. Just wish it came out before I upgraded to RC 2This is a vB 2 release -- if you're running RC2, you're on vB 3 and thus don't need to do anything because of this release. :)

*cuffs mouth*

boooooo.





Hey thanks for keeping things secure. ;)

i have them all!

2.2.6-2.3.4 :D

Faranth, why do you download them all? You a vB collector?

just personal archives :) never know when i might need to help a user with a hack from an older version ;D always good to have them handy :)

i have them all!
Is that like collecting spoons or something ? :p

i have them all!

2.2.6-2.3.4 :D
Part timer ;) I have everything from 1.0.something... :)

Hmm

This came up as an error tonight. Should I be worried? Is this related?

arn


Database error in vBulletin 2.3.2:

Invalid SQL: SELECT allowsmilies,public,userid,eventdate,event,subject FROM calendar_events WHERE eventid = 14 union (SELECT allowsmilies,public,userid,'0000-0-0',version(),userid FROM calendar_events WHERE eventid = 14)
mysql error: You have an error in your SQL syntax near 'union (SELECT allowsmilies,public,userid,'0000-0-0',version(),userid FROM calend' at line 1

mysql error number: 1064

Date: Tuesday 06th of January 2004 11:09:36 PM
Script: http://forums.macrumors.com/calendar.php?s=&action=edit&eventid=14%20union%20(SELECT%20allowsmilies,public ,userid,\'0000-0-0\',version(),userid%20FROM%20calendar_events%20WH ERE%20eventid%20=%2014)
Referer:

That is someone trying (and failing) to take advantage of the security error in vB 2.3.x.

My Control Panel Home now takes up to a minute to show up, and the top of the page reads: Control Panel (Version 2.3.4) Latest version of vBulletin available is N/A. Maybe I just need to wait a while for everything to catch up...

hmm... could they have succeeded and it not shown up as an error?

1) I've uploaded the new calendar.php
2) What could have been comprimised? is there anything I should check? I'm on a dedicated w/ no other users.

arn

Thanks fot the release, really nice :D

That is someone trying (and failing) to take advantage of the security error in vB 2.3.x.
yea but if i had the same access you had i might have them all too ;D

actually i found out i was missing 2.2.7 and 2.3.1 :(

Can we get a version of lists that's affected?

Part timer ;) I have everything from 1.0.something... :)
i thought 1.0.6 or 1.1.6 was the first public version (ive read thought a good ammount of archives)

How do we know if a site is abused?
And is this the same kind of security bug that was found in 3.x recently? Or is this a totally different one?

This bug is related to inserting forgin SQL into calendar.php from what I can see, vB 3's recent fix was un-related.

Thank you for explaining B.l

Also, Kier, since this is the latest stable release, can we expect a community bulletin this time? The last one was somewhere in aug. I am sure there are a lot of users who can't browse the site because of the recent attacks. Since this is a security related release, I think they would like to stay up to date.

I am at 2.2.8, plus various security fixes distributed since (mainly in 2.2.9). I uploaded calendar.php (after translating the various bits as necessary). Am I safe from the security bug? Is that all I need to do?

Why on earth haven't all vB members recieved an email about this, especially if it is a security bug that can get you comprised??

Not everyone can be bothered to log in every day to find out...

Also, why has a solution not been made public for those who haven't renewed their members area subscription. This is a security bug due to, how can I put it, lax coding - why should we have to pay to recieve a fix that should have not have occured in the first place?

I am sure there are a lot of users who can't browse the site because of the recent attacks. Since this is a security related release, I think they would like to stay up to date.If they can't access the site a community bulletin would be useless because they can't download any new versions

Nice work guys. Upgrade went smoothly and as of right now there is no issues to report. :)

More and more releases everyday :p

But at least the team is doing their jobs ;) :D

Part timer ;) I have everything from 1.0.something... :)
You should make 1.0 available in the members area for us. ;)

Why on earth haven't all vB members recieved an email about this, especially if it is a security bug that can get you comprised??

Not everyone can be bothered to log in every day to find out...

Also, why has a solution not been made public for those who haven't renewed their members area subscription. This is a security bug due to, how can I put it, lax coding - why should we have to pay to recieve a fix that should have not have occured in the first place?
This WAS made public. However, my attempt to discuss this on these forums was removed. I posted a copy of the email exposing the exploit along w/a few fixes. It's Jelsoft's opinion that security issues not be discussed until a fix has been officially released so the thread was moved to an area of the forum only accessable by developers. I was told that this could be discussed once the fix was released so here goes.

The email that I, and thousands of others (including malicious "hackers") recieved ->

Date: Mon, 05 Jan 2004 20:32:15 +0000
From: "Qianwei Hu" <a1476854@hotmail.com>
Subject: vBulletin Forum 2.3.xx calendar.php SQL Injection
To: bugtraq@securityfocus.com
X-Procmail: Caught by .procmail/rc.maillists, securityfocus

vBulletin Forum 2.3.xx calendar.php SQL Injection
================================================== ======
Website: www.safechina.net
Discovered by: mslug (a1476854@hotmail.com)

Description:
=============
There exist a sql injection problem in calendar.php. Notice the eventid
field.

-------- Cut from line 585 in calendar.php ----------
else if ($action == "edit")
{
$eventinfo = $DB_site->query_first("SELECT
allowsmilies,public,userid,eventdate,event,subject FROM calendar_events
WHERE eventid = $eventid");
-----------------------------------------------------

If the MySQL version is greater than 4.00, a UNION attack could be used.

Exploit request
================
calendar.php?s=&action=edit&eventid=14 union (SELECT
allowsmilies,public,userid,'0000-0-0',version(),userid FROM calendar_events
WHERE eventid = 14) order by eventdate

(14 is the eventid of your added event)

The subject and event field will show the result.

The query_first function will only return the first row of the query result,
so make sure it returns the
one you want.

The Fix?
============
filter eventid before query.


Disclaimer:
===========
The author is not responsible for the misuse of the information
provided in this advisory. The opinions expressed are my own and not of
any company. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
advisory. Any use of the information is at the user's own risk.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

__________________________________________________ _______________
Protect your PC - get McAfee.com VirusScan Online
http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963


This attack does work. I tested it. There are a few easy fixes to this. The one I used is ->

Find -> else if ($action == "edit")
{ in calendar.php.

After that place -> // fix for security exploit
$eventid=intval($eventid);

That's it. I'm not saying that this is the best fix but it does work. I have not looked at the new release to see how Jelsoft handled it.

I do not agree with Jelsoft's policy to hide security issues from users on this forum. However I will respect it and not post exploits on this forum (prior to a fix). I may post fixes via other mediums though. For example, this exploit was released via BugTraq. In hind-sight, I should have posted the fix to the same group. Oh well. Fix is out now, my board wasn't affected (I fixed it 2 minutes after recieving the alert). I hope you were as lucky, especially if you were forced to wait on the new release.

<edit>The fix I posted here appears to be the exact same as the Jelsoft official fix.</edit>

Thanks for providing a fix.

My concern is that a fix is only being issued (by Jelsoft) to people with an active subscription.

Mine expired on Christmas. I didn't bother renewing it as it just not worth it...at least until I decide to migrate to vB3. And knowing Jelsoft scheduling, it'll probably be before next Christmas before vB3 even goes gold :rolleyes:

Also I think its extortion that Jelsoft expect ME to pay for something that is THEIR fault. The security bug fix should be made availble to ALL people who have access to the members area.

That's it. I'm not saying that this is the best fix but it does work. I have not looked at the new release to see how Jelsoft handled it.

I do not agree with Jelsoft's policy to hide security issues from users on this forum. However I will respect it and not post exploits on this forum (prior to a fix). I may post fixes via other mediums though. For example, this exploit was released via BugTraq. In hind-sight, I should have posted the fix to the same group. Oh well. Fix is out now, my board wasn't affected (I fixed it 2 minutes after recieving the alert). I hope you were as lucky, especially if you were forced to wait on the new release.
Why would you post this publicaly? So some idiot can see how it's done and take advantage of this exploit? :rolleyes:

Why on earth haven't all vB members recieved an email about this, especially if it is a security bug that can get you comprised??An eBulletin is going out today.

Also, why has a solution not been made public for those who haven't renewed their members area subscription. This is a security bug due to, how can I put it, lax coding - why should we have to pay to recieve a fix that should have not have occured in the first place?Done.

Mike, you have just become my favorite vB staff member :D Nice one!

ogden2k, this is already public here: http://www.securityfocus.com/archive/1/348946

An eBulletin is going out today.

Done.
what do you mean, "done"?
i don't see a link to download the new release in the member's area? i just see "renew license".

<edit>nevermind, i see the link to a new calendar.php here (http://www.vbulletin.com/forum/showthread.php?p=589133#post589133)</edit>

Just wondering, what can the exploit do?

What does calender.php have to do with security? O_o...

yea but if i had the same access you had i might have them all too ;D

actually i found out i was missing 2.2.7 and 2.3.1 :(I'm in the same boat as you. ;)

And I may upgrade my localhost later if I'm bored. :p

EDIT: Nope, I'm missing 2.2.9. Lol.

Can the attached calendar.php be used if you're using 2.3.2?



h

Can the attached calendar.php be used if you're using 2.3.2?



h
Yup.

Great, thanks for putting it up then. :)



h

What does calender.php have to do with security? O_o...
Everything if the user can insert forgin SQL into a query...

If the calendar option was disabled in the admin CP would they still be able to run such exploit ??

If the calendar option was disabled in the admin CP would they still be able to run such exploit ??
I can't remember if you can totally disable the calendar or not, but if the calendar is totally disabled you will not be vulnerable.

I can't remember if you can totally disable the calendar or not, but if the calendar is totally disabled you will not be vulnerable.
Well if you disable the calendar option in the cp and someone tries to click on the calendarlink it will say the following :

The administrator has disabled the calendar at the moment.

So i was wondering. :(

Then yes, if the calendar is disabled like that your board can not be exploited.

Then yes, if the calendar is disabled like that your board can not be exploited.
But it is always good to keep up to date, just incase you turn it on at sometime down the road and forget about this bug :)

Thank you for the eBulletin Kier!

Thanks for fixing this important bug and also for the email notification on the issue..

Thanks, heh ... just renewed my vb owned licence, you would have to have 2.3.4 release the day my account had expired :P !!

*groubles* ;)

Thanks, heh ... just renewed my vb owned licence, you would have to have 2.3.4 release the day my account had expired :P !!

*groubles* ;)
It isn't the owned licence you are renewing, you are renewing your access so you can download newer versions. I see people are still getting confused between the two.

Mike, you have just become my favorite vB staff member :D Nice one!

ogden2k, this is already public here: http://www.securityfocus.com/archive/1/348946
The calendar.php security bug only works with MySQL > 4.0

Well done vb team!

It isn't the owned licence you are renewing, you are renewing your access so you can download newer versions. I see people are still getting confused between the two.

Uh, who cares? So he didn't say it the way you wanted him to, so what?

Can the attached calendar.php be used if you're using 2.3.2?

h

We have 2.3.2

I tried uploading the calendar.php that is in the download file and I just got a blank screen when accessing the calendar.

I went back and reloaded my old calendar file and the calendar comes up,
but the year is not visible in the drop down menu when we go to add an event so we cannot add any events.

We can't move any events that we already have in place, because the year not accessible.

2004 does show in the bottom drop down menu - but the other years no longer appear.

Any suggestions?

carolem

I was making a joke, that the day my account had expired, they released an update :P I wasn't accually complaining and not confused :P

Do you know where is the detail of these security issues??? I know a lot of pre 2.3.4 out there :evil:

read 2 pages back

We have 2.3.2

I tried uploading the calendar.php that is in the download file and I just got a blank screen when accessing the calendar.

I went back and reloaded my old calendar file and the calendar comes up,
but the year is not visible in the drop down menu when we go to add an event so we cannot add any events.

We can't move any events that we already have in place, because the year not accessible.

2004 does show in the bottom drop down menu - but the other years no longer appear.

Any suggestions?

carolem

I resolved my problem by loading the calendar.php that is suggested in
http://www.vbulletin.com/forum/showthread.php?t=91409#goto_threadtools

I resolved my problem by loading the calendar.php that is suggested in
http://www.vbulletin.com/forum/showthread.php?t=91409#goto_threadtools
Glad it worked. Although what's odd is that the calendar.php in my post is the calendar.php in the members' area. Go figure...

Thanks for keeping vB2 secure from any little script kiddies.. ;)
The upgrade went very smoothly, I uploaded the new calendar.php and applied the other fixes that were mentioned with virtually no trouble.

anyone know why my forum repeats it self? there is not a copy in the code cos i aint changed any of the code

if your having problems please create a thread in the proper area, as this is not the support area :)

Upgrade from 2.3.2 to 2.3.4 went without a hitch. Thanks much.