Mega exploit in 3.8.6

**Loco.M** · Wed 21 Jul '10, 9:15am

Originally posted by rmwebs

Where did you hear that a fix was being released? The email didnt mention anything of the sort :/

This is really sloppy work on IB's part, and they had the cheek to drop a line in the email to upgrade to vB4. At this point I really do hope they fail. Clearly they don't give a damn about the quality of work.

what email are you talking about?
the only email I've seen in regards to this was from vbseo a few mins ago.

Originally posted by Floris

I was first informed it was introduced into 3.8.5, and carried over to 3.8.6, but only 3.8.6 is affected.

thanks for the clarification.

**yogesh** · Wed 21 Jul '10, 9:21am

+1 to what Loco said

**SecondV** · Wed 21 Jul '10, 9:23am

So, what's the exploit (anyone care to PM)? I'd like to patch manually, and not wait on IB.

**Floris** · Wed 21 Jul '10, 9:26am

I've published a patch, which perhaps works; http://kwn.me/wtn386patch
Back to making dinner

Disclaimer, it's not the official patch of course, it has no protection at all, so:
- backup your forum
- test if it is vulnerable
- upload to forum dir
- run it
- remove file
- test if vulnerable

**rmwebs** · Wed 21 Jul '10, 9:27am

Originally posted by Loco.M

what email are you talking about?
the only email I've seen in regards to this was from vbseo a few mins ago.

thanks for the clarification.

*slaps head* my bad - it was from vBSEO

Where has vB.com said they are fixing it? I saw on twitter that florris has a fix on vbfans.

I'm glad I held off upgrading to 3.8.6....I knew something would crop up the second IB touched that nice stable Jelsoft code!

**Mrd** · Wed 21 Jul '10, 9:33am

Hi,
is this only in 3.8.6 or in other Versions(4.0.3, 4.0.4, 4.0.5) too?

**Loco.M** · Wed 21 Jul '10, 9:34am

Originally posted by rmwebs

Where has vB.com said they are fixing it? I saw on twitter that florris has a fix on vbfans.

one of the "bug scrubbers" posted in this thread, also a staff member posted right here.

The issue only exists in 3.8.6 as far as I am aware, on top of that it would be suicidal for any company to intentionally implement a huge security risk such as this.

A patch is coming, new downloads are already fixed.

**Wayne Luke** · Wed 21 Jul '10, 9:37am

As stated above, the issue is that a debugging phrase was left in the download. The actual faq.php file is not at risk. However since FAQs are indeed phrases, phrases will be parsed. An updated language file will be released shortly. You will then be able to import this and resolve the issue. However if the phrase is added to any version of vBulletin, then you can expose your information. We recommend that you do not do so.

If you redownload vBulletin 3.8.6 and run install/finalupgrade.php, then it should also fix this issue as the download has already been updated.

vBulletin 3 End of Life

Mega exploit in 3.8.6

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment