security bug report Unassigned/Unconfirmed for >1 week (vb3/vb4)

  • lim (x³-7x²) = ∞
    Senior Member
    • Apr 2008
    • 634
    • 3.0.0 Gamma

    security bug report Unassigned/Unconfirmed for >1 week (vb3/vb4)



    I reported this problem 1 year ago on the forum.
    Recently, because of this problem, too many real admin passwords (not just hashes) leaked after the faq.php incident (via phpMyAdmin).
    I reported this problem again last week on the bug tracker, and it is still Unassigned/Unconfirmed for more than 7 days.

    Problem in short: anyone with database read access (hoster, forum admins, admins of other websites on shared hosting, or hackers, as in the case of the faq.php incidents) will be able to easily decode a very high percentage of real passwords (not just hashes), because the password-protecting hashing feature is not doing its work.
  • GameFreak2009
    Senior Member
    • Sep 2009
    • 214

    #2
    This is pretty serious if I hear you saying it. Never thought about it though...

    I hope the team sees this pretty soon.


    • smiggy
      Senior Member
      • Jul 2007
      • 175
      • 3.8.x

      #3
      How can a security bug like this be missed?


      • feldon23
        Senior Member
        • Nov 2001
        • 11291
        • 3.7.x

        #4
        It's not a bug. It's not a vulnerability. It's a situation. How do you "bug report" a situation?

        I do not know a completely impervious encryption or hashing system for passwords.

        The "solution" I see to this is to tell every vb3.8 site admin to post an announcement on their forums suggesting that users change their passwords because there is a 1/9586342964538643 chance that someone could put in enough effort to crack their password.

        I do understand the issue that most users use the same password on every site, from forums to banking accounts.

        Once access to your MySQL database has been acquired, you're pretty much screwed. This has been this way for 10 years now. I remember when passwords in vBulletin went from plaintext to hashed (around vB 2.2).


        • Steve Machol
          Former Customer Support Manager
          • Jul 2000
          • 154488

          #5
          The salt was increased from 3 characters to 30 characters in 3.7.7, 3.8.5, 4.0.2 and all subsequent versions as per this announcement:

          Also brute force attacks are easily thwarted by enabling the strikes system.
          Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
          Change CKEditor Colors to Match Style (for 4.1.4 and above)

          Steve Machol Photography


          Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


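The first post says that anyone holding a copy of the database can recover a large share of real passwords, and post #5 answers that the salt grew from 3 to 30 characters. The following is an added example, not vBulletin's code and not from either poster, that shows why those two statements talk past each other. It assumes the legacy construction is md5(md5(password) + salt) with the per-user salt stored next to the hash (a widely repeated description of vBulletin 3/4, assumed here, not confirmed by the thread), an alphanumeric salt alphabet of 62 symbols, a PBKDF2 iteration count of 200,000, and constructed sample passwords and salts.

```python
import hashlib
import hmac
import os
import time

# Constructed example, not vBulletin's code. The legacy scheme is ASSUMED to be
# md5(md5(password) + salt); the salt alphabet size is also an assumption.
SALT_ALPHABET_SIZE = 62          # assumption: salts drawn from [A-Za-z0-9]
OLD_SALT_LEN = 3                 # salt length before the fix, from post #5
NEW_SALT_LEN = 30                # salt length after the fix, from post #5


def legacy_hash(password: str, salt: str) -> str:
    """Assumed legacy construction: md5(md5(password) + salt), hex encoded."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def legacy_verify(password: str, salt: str, stored_hash: str) -> bool:
    """Constant-time comparison of a candidate against the stored legacy hash."""
    return hmac.compare_digest(legacy_hash(password, salt), stored_hash)


def salt_space(length: int) -> int:
    """Number of distinct salts of a given length. With a 3-character salt the
    whole space is small enough that one table per salt value covers every
    user; with 30 characters it is not. Neither length changes the per-guess
    cost for a single user's hash, which stays at MD5 speed."""
    return SALT_ALPHABET_SIZE ** length


PBKDF2_ITERATIONS = 200_000      # assumption: tuned so one check costs ~100 ms


def hardened_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store algorithm, iteration count, salt and derived key in one field so
    the work factor can be raised later without rewriting every row."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def hardened_verify(password: str, record: str) -> bool:
    """Re-derive the key with the parameters stored in the record and compare."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def seconds_per_verification(verify, rounds: int = 20) -> float:
    """Average wall-clock cost of one verification. The same factor multiplies
    the cost of every guess made against a leaked copy of the table."""
    start = time.perf_counter()
    for _ in range(rounds):
        verify()
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    pw, salt3 = "correct horse", "a1B"          # constructed values
    h = legacy_hash(pw, salt3)
    print("legacy hash, 3-char salt :", h)
    print("distinct 3-char salts    :", salt_space(OLD_SALT_LEN))
    print("distinct 30-char salts   :", salt_space(NEW_SALT_LEN))
    rec = hardened_record(pw)
    t_legacy = seconds_per_verification(lambda: legacy_verify(pw, salt3, h))
    t_hard = seconds_per_verification(lambda: hardened_verify(pw, rec))
    print(f"legacy verify : {t_legacy * 1e6:8.1f} us")
    print(f"pbkdf2 verify : {t_hard * 1e3:8.1f} ms "
          f"(work factor x{t_hard / t_legacy:,.0f})")
```

Running the block prints the salt-space figures and the measured cost ratio between the two schemes. The longer salt closes the per-salt table shortcut that a 3-character salt leaves open; it does not change what the first post is complaining about, which is that each individual hash can still be checked at MD5 speed by whoever has read access to the table. That cost is only raised by moving to a deliberately slow construction such as the PBKDF2 record above, and the self-describing record format lets the iteration count be increased as hardware improves.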

          • hornstar6969
            Senior Member
            • Aug 2005
            • 1818
            • 3.8.x

            #6
            I use the strikes system on only my staff usergroups. But many of them hate it lol. But it is indeed a useful feature in this event.
            Selling my BigBoard GamerzNeeds.net/forums Threads: 193 502, Posts: 1 540 045, Members: 718 566 It is listed here http://forums.digitalpoint.com/showt...3#post18297060

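Posts #5 and #6 refer to the strikes system as the defence against brute force. The following is an added example of how such a lockout works, not vBulletin's code and not from either poster. The limit of 5 failures, the 15-minute window and lockout, the (username, IP) key, the sample account and the log format are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed example, not vBulletin's code. Limit, window, lockout length and
# the (username, ip) key are assumptions about how a strike system is tuned.
STRIKE_LIMIT = 5
STRIKE_WINDOW = 15 * 60        # seconds in which failures count together
LOCKOUT_SECONDS = 15 * 60


class StrikeTracker:
    """Counts failed logins per (username, ip) and locks after STRIKE_LIMIT
    failures inside STRIKE_WINDOW. The clock is injectable so the behaviour
    can be tested without sleeping."""

    def __init__(self, limit=STRIKE_LIMIT, window=STRIKE_WINDOW,
                 lockout=LOCKOUT_SECONDS, clock=time.monotonic):
        self.limit, self.window, self.lockout, self.clock = limit, window, lockout, clock
        self.failures = defaultdict(deque)   # (user, ip) -> failure timestamps
        self.locked_until = {}

    @staticmethod
    def _key(username, ip):
        return (username.lower(), ip)

    def is_locked(self, username, ip) -> bool:
        until = self.locked_until.get(self._key(username, ip))
        return until is not None and self.clock() < until

    def record_failure(self, username, ip) -> str:
        """Return 'locked' if this failure reached the limit, else 'strike'."""
        now, key = self.clock(), self._key(username, ip)
        q = self.failures[key]
        q.append(now)
        while q and q[0] < now - self.window:    # drop failures outside the window
            q.popleft()
        if len(q) >= self.limit:
            self.locked_until[key] = now + self.lockout
            q.clear()
            return "locked"
        return "strike"

    def record_success(self, username, ip):
        self.failures.pop(self._key(username, ip), None)


def _pw_hash(password: str) -> str:
    # Constructed user store for the demo only; real storage needs a slow KDF.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


USERS = {"admin": _pw_hash("hunter2-demo")}   # constructed account


def attempt_login(tracker, username, ip, password, log) -> str:
    """Check the lock first, then the password. Unknown users still collect
    strikes so the response does not reveal which accounts exist."""
    if tracker.is_locked(username, ip):
        log.append(f"LOCKED user={username} ip={ip}")
        return "locked"
    stored = USERS.get(username)
    if stored is not None and hmac.compare_digest(stored, _pw_hash(password)):
        tracker.record_success(username, ip)
        return "ok"
    outcome = tracker.record_failure(username, ip)
    log.append(f"FAIL user={username} ip={ip} outcome={outcome}")
    return "locked" if outcome == "locked" else "bad_password"


class FakeClock:
    """Manually advanced clock so the lockout expiry can be exercised."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Five wrong passwords, one correct attempt while locked, then one correct
    attempt after the lockout expires. Returns the outcomes and the log."""
    clock, log = FakeClock(), []
    tracker = StrikeTracker(clock=clock)
    ip = "198.51.100.7"                         # constructed client address
    results = [attempt_login(tracker, "admin", ip, f"wrong{i}", log) for i in range(5)]
    results.append(attempt_login(tracker, "admin", ip, "hunter2-demo", log))
    clock.advance(LOCKOUT_SECONDS + 1)
    results.append(attempt_login(tracker, "admin", ip, "hunter2-demo", log))
    return results, log, tracker


if __name__ == "__main__":
    results, log, _ = demo()
    print(results)
    print("\n".join(log))
```

Keying the lockout on the (username, IP) pair, as here, limits online guessing from one source without letting a stranger lock a user out of their own account from elsewhere; keying on the username alone blocks distributed guessing but opens that denial-of-service. Either way the strike counter only sees requests that reach the login form, so it has no effect on guesses made against a copy of the password table, which is the scenario the first post describes.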

            • Lizard King
              Banned
              • Mar 2004
              • 1891
              • 3.6.x

              #7
              This is not a security issue imo.


              • compwhizii
                Senior Member
                • Jul 2009
                • 131
                • 4.0.x

                #8
                This is not some dire situation like you make it out to be.


                • Yves R.
                  vBulletin QA
                  • Nov 2003
                  • 3862
                  • 5.6.X

                  #9
                  And bug scrubbers are seeing bugs for 4.x only, not 3.x.

                  vBulletin QA - vBulletin Support French - Lead Project Tools developer

                  Next release? Soon(tm)
