Mega exploit in 3.8.6

  • #1
    IB devs introduced a HUGEEEEEEEE oopsie in 3.8.5, which carried over to 3.8.6. (3.8.5 does not seem affected)

    My buddy who made the vBulletin 4 to 3 downgrade script was tweaking his script and noticed the issue and tested it, which spat out the full database details of the 3.8.6 forum; a guest can query it.

    I strongly recommend (if you run 3.8.6) removing faq.php
    and then changing your mysql database details as a precaution.

    Pitch (bug scrubber) was on IRC with us and assigned it to lead developer Kevin, so IB is now aware of it.
    This way (we asked them to create a bug report), http://tracker.vbulletin.com/browse/VBIII-12798, and via this thread, customers are now aware too.

    Good luck everybody!
    Last edited by Floris; Wed 21st Jul '10, 8:39am.
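    An added example for admins acting on the post above; it is not code from Floris, vBulletin or the thread. The post says only that faq.php on 3.8.6 hands the database details to a guest who queries it, and recommends removing the file and then changing the database credentials as a precaution. The script below triages a web server access log for that window: it lists every client that received a successful (HTTP 200) response to a parameterised faq.php request, with a count and first/last time, so an admin can judge whether credential rotation is a precaution or an urgent response. It assumes the Apache/nginx "combined" log format, the log lines are constructed samples (203.0.113.5, 198.51.100.7 and 192.0.2.9 are documentation addresses), and the `faq=` parameter in one sample line stands in for a normal FAQ section view, which is why the output is a review list rather than a verdict.

```python
import re
from datetime import datetime

# Apache/nginx "combined" access-log line; only client, time, request and status are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not from any real server). 203.0.113.5 browses the
# FAQ normally; 198.51.100.7 fires a burst of parameterised faq.php requests;
# 192.0.2.9 tries after faq.php was removed and gets a 404.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Jul/2010:08:12:01 +0000] "GET /forum/faq.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Jul/2010:08:12:09 +0000] "GET /forum/faq.php?faq=vb_faq HTTP/1.1" 200 6140 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Jul/2010:08:12:30 +0000] "GET /forum/showthread.php?t=1 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jul/2010:08:30:00 +0000] "GET /forum/faq.php?param=1 HTTP/1.1" 200 7200 "-" "curl/7.21"
198.51.100.7 - - [21/Jul/2010:08:30:02 +0000] "GET /forum/faq.php?param=2 HTTP/1.1" 200 7300 "-" "curl/7.21"
198.51.100.7 - - [21/Jul/2010:08:30:05 +0000] "GET /forum/faq.php?param=3 HTTP/1.1" 200 7350 "-" "curl/7.21"
192.0.2.9 - - [21/Jul/2010:09:00:00 +0000] "GET /forum/faq.php?param=1 HTTP/1.1" 404 210 "-" "curl/7.21"
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def is_faq_query(rec):
    """True for a request to faq.php that carries a query string (plain index views carry none)."""
    return rec["path"].rsplit("/", 1)[-1] == "faq.php" and rec["query"] != ""


def faq_requests_by_client(lines, since=None, until=None):
    """Per-client summary of successful (HTTP 200) parameterised faq.php requests.

    since/until (tz-aware datetimes, optional) bound the review window, e.g. from
    the 3.8.6 upgrade until faq.php was removed. Returns {ip: {"count", "first", "last"}}.
    Requests answered 403/404 (after removal) disclosed nothing and are skipped.
    """
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_faq_query(rec) or rec["status"] != 200:
            continue
        if since is not None and rec["ts"] < since:
            continue
        if until is not None and rec["ts"] > until:
            continue
        entry = summary.setdefault(rec["ip"], {"count": 0, "first": rec["ts"], "last": rec["ts"]})
        entry["count"] += 1
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
    return summary


def clients_over_threshold(summary, threshold=3):
    """IPs whose burst of faq.php queries reached the threshold; review these first."""
    return sorted(ip for ip, e in summary.items() if e["count"] >= threshold)


if __name__ == "__main__":
    summary = faq_requests_by_client(SAMPLE_LOG.splitlines())
    for ip, e in summary.items():
        print(f"{ip}: {e['count']} faq.php queries between {e['first']:%H:%M:%S} and {e['last']:%H:%M:%S}")
    print("review first:", clients_over_threshold(summary))
```

    Run it against the real access log with `faq_requests_by_client(open("access.log"), since=upgrade_time)`. A single parameterised hit from a regular member is what normal FAQ browsing looks like; a rapid burst of them from one address with a scripted user agent, before faq.php was removed, is the case where the credential change stops being a precaution.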

  • #2
    [provided too much info]

    I'll just say, delete your faq.php immediately

  • #3
    Originally posted by Floris
      My buddy who made the vBulletin 4 to 3 downgrade script was tweaking his script and noticed the issue and tested it, which spat out the full database details of the 3.8.6 forum; a guest can query it.

    Lol, maybe he is already working on a 3.8.6 to 3.8.4 downgrade script

  • #4
    Thanks for the heads up Floris

    So 3.8.5 is okay? Or should we remove the faq.php file for it as well?

    I ask because you said it's an error in .5 and .6, but .5 isn't affected?

      IB devs introduced a HUGEEEEEEEE oopsie in 3.8.5, which carried over to 3.8.6. (3.8.5 does not seem affected)
    Last edited by Loco.M; Wed 21st Jul '10, 9:50am.
    http://brandonsheley.org/services - Webmaster Services

  • #5
    Big oopsy. Kinda lame that a dev left debug code in there. vB 3.8.6 only fixed like, 10 bugs..
    My Forums: The Geek District - Off Topic Hut
    My Blog: Mikeylicious
    Projects: Shorten URLs with kwn.me

  • #6
    Can you not just use the 3.8.5 version of the FAQ script?

  • #7
    Thanks.

  • #8
    I was first informed it was introduced in 3.8.5 and carried over to 3.8.6, but only 3.8.6 is affected.

  • #9
    Originally posted by c0bra
      Can you not just use the 3.8.5 version of the FAQ script?

    No, it involves a phrase.

    A patch will be released very soon

    vBulletin QA - vBulletin Support French - Lead Project Tools developer

    Next release? Soon(tm)

  • #10
    So this isn't an issue if you're running an older version, like 3.8.4?
    My vBulletin Forums:
    cadillac, buick, pontiac, oldsmobile, automotive, freestyle, 80s, lexus, bmw, mercedes, audi, toyota, honda, acura, nissan, infiniti, hyundai genesis, chevy

    ...can't fit any more...

  • #11
    Yes, Jelsoft UK releases are not affected

  • #12
    ..or 3.8.5?

  • #13
    The phrase is not installed on 3.8.5. So I think it's safe.

  • #14
    Originally posted by PitchouneN64ngc
      No, it involves a phrase.

      A patch will be released very soon

    Where did you hear that a fix was being released? The email didn't mention anything of the sort :/

    This is really sloppy work on IB's part, and they had the cheek to drop a line in the email to upgrade to vB4. At this point I really do hope they fail. Clearly they don't give a damn about the quality of work.

  • #15
    Pitch is a bug scrubber; he has access to private bug reports.