vBulletin Security Issues
  • vBulletin Security Issues

    Reported over 60 days ago. Is this going to be addressed or fixed???

    An image decompression bomb vulnerability exists when vBulletin Options > Message Attachment Options > Resize Images = Yes and ImageMagick is in use.

    An image decompression bomb vulnerability exists when allowing user uploads for avatars and profile pictures. To protect your site, change your forum's permissions so that users cannot upload custom avatars or profile pics if the above conditions are met.
    1. An image decompression bomb vulnerability exists when using ImageMagick for images and allowing uploads. Currently known issues are for PDFs and TIFFs; however, because the filename of the incoming upload is not trustworthy, removing entries from the Attachment Manager or changing Attachment Permissions are not viable options. The following mitigation options exist:
      • Change vBulletin Options > Image Settings > Image Processing Library = GD
      • Options > Message Attachment Options > Resize Images = No
      • Change your forum's permissions so that no users can upload anything.
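The mitigations above all work by keeping the decoder away from untrusted input. A complementary server-side check, added here as an example and not vBulletin's own code, is to read the declared width and height out of the file header before any library decodes the pixels, sniff the real format from magic bytes rather than the filename, and reject anything whose decoded size would exceed a budget. The 64 MiB budget, the 4 bytes per pixel estimate, the function names and the sample headers are all assumptions constructed for this example; the header layouts (PNG IHDR, GIF logical screen descriptor, JPEG SOF segment) are the formats' standard ones.

```python
import struct

# Assumed budget for the decoded bitmap of one upload (64 MiB at 4 bytes/pixel);
# tune this to what the resize worker can actually afford in RAM.
MAX_DECODED_BYTES = 64 * 1024 * 1024
BYTES_PER_PIXEL = 4

# JPEG start-of-frame markers (SOF0..SOF15 minus DHT 0xC4, JPG 0xC8, DAC 0xCC).
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}

# Which filename extensions are acceptable for each sniffed format.
EXT_FOR = {"png": {"png"}, "gif": {"gif"}, "jpeg": {"jpg", "jpeg"}}


def sniff_format(data: bytes):
    """Identify the format from magic bytes only; the filename is never consulted."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    return None


def header_dimensions(data: bytes):
    """Return (format, width, height) from the header without decoding pixel data."""
    fmt = sniff_format(data)
    if fmt == "png":
        # 8-byte signature, then IHDR chunk: length(4) 'IHDR'(4) width(4) height(4)
        if len(data) < 24 or data[12:16] != b"IHDR":
            raise ValueError("malformed PNG header")
        w, h = struct.unpack(">II", data[16:24])
        return fmt, w, h
    if fmt == "gif":
        # 6-byte signature, then logical screen width/height as little-endian uint16
        if len(data) < 10:
            raise ValueError("malformed GIF header")
        w, h = struct.unpack("<HH", data[6:10])
        return fmt, w, h
    if fmt == "jpeg":
        # Walk the marker segments until a SOFn marker; its payload is
        # length(2) precision(1) height(2) width(2) ...
        i = 2
        while i + 4 <= len(data):
            if data[i] != 0xFF:
                raise ValueError("malformed JPEG marker stream")
            marker = data[i + 1]
            if marker == 0xFF:              # fill byte, skip it
                i += 1
                continue
            if marker == 0xD8 or 0xD0 <= marker <= 0xD7:  # standalone markers
                i += 2
                continue
            seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
            if marker in SOF_MARKERS:
                if i + 9 > len(data):
                    raise ValueError("truncated SOF segment")
                h, w = struct.unpack(">HH", data[i + 5:i + 9])
                return fmt, w, h
            i += 2 + seg_len
        raise ValueError("no SOF marker found")
    raise ValueError("not a supported raster image")


def check_upload(data: bytes, claimed_ext: str):
    """Accept only sniffed raster images whose extension matches and whose
    decoded size fits the budget. Returns (accepted, reason)."""
    try:
        fmt, w, h = header_dimensions(data)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if claimed_ext.lower().lstrip(".") not in EXT_FOR[fmt]:
        return False, f"rejected: extension {claimed_ext!r} does not match sniffed {fmt}"
    decoded = w * h * BYTES_PER_PIXEL
    if decoded > MAX_DECODED_BYTES:
        return False, f"rejected: {fmt} {w}x{h} would decode to {decoded} bytes"
    return True, f"{fmt} {w}x{h} within budget"


# Constructed sample headers (only the bytes the check reads are present).
PNG_SMALL = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
             + struct.pack(">II", 1, 1) + bytes(5))
PNG_BOMB_HEADER = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
                   + struct.pack(">II", 30000, 30000) + bytes(5))
GIF_SMALL = b"GIF89a" + struct.pack("<HH", 16, 16)
JPEG_HEADER = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\0" + bytes(9)
               + b"\xff\xc0" + struct.pack(">H", 17) + b"\x08"
               + struct.pack(">HH", 480, 640) + b"\x03" + bytes(9))

if __name__ == "__main__":
    for name, blob, ext in [("tiny png", PNG_SMALL, "png"),
                            ("bomb png", PNG_BOMB_HEADER, "png"),
                            ("gif named png", GIF_SMALL, "png"),
                            ("jpeg", JPEG_HEADER, "jpg"),
                            ("pdf", b"%PDF-1.4", "png")]:
        print(name, check_upload(blob, ext))
```

Run this before handing the file to the resize step; anything that fails the check is never passed to ImageMagick or GD at all, which also covers the thread's point that a PDF or TIFF renamed to `.png` cannot be identified by its filename. It is a gate, not a replacement for the library's own resource limits: with ImageMagick the `policy.xml` resource limits (memory, map, width, height) should still be set so that a header this check does not understand is bounded by the decoder itself.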

  • #2
    We do not currently consider PDFs or TIFFs to be image files. They are not resized in vBulletin. We do not rely on the filename to determine the filetype and have not done so since vBulletin 3. Files with a mismatched filename are considered security risks and the user is told so via the software.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud customization and demonstration site.
    vBulletin 5 Documentation - Updated every Friday. Report issues here.
    vBulletin 5 API - Full / Mobile
    Vote for your most annoying bugs.
    I am not currently available for vB Messenger Chats.

    • #3
      Understood, however the issue was first reported by us to vBulletin support over 60 days ago. Is this being recanted?

      • #4
        I don't think I said that. The issue isn't of significant priority to warrant an immediate fix. Technically it is a bug in ImageMagick that you're asking us to work around. The issue has been reviewed and assigned appropriately based on that.

        And to be clear, I am speaking about fixing the issue in vBulletin 5.X. vBulletin 4.x is no longer under development.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud customization and demonstration site.
        vBulletin 5 Documentation - Updated every Friday. Report issues here.
        vBulletin 5 API - Full / Mobile
        Vote for your most annoying bugs.
        I am not currently available for vB Messenger Chats.

        • #5
          You're best off staying clear of ImageMagick and sticking to GD, I suppose.
          http://img443.imageshack.us/img443/958/18286.png
