  1. #1
    Hall of Famer

    VB3.8.7 showthread.php has security flaws?

    Well, I received an email from my webhost saying that they've received complaints about my dedicated server sending spam mails. It's weird, as I'd never do such a thing myself; it also would not benefit me at all. As I've investigated further, I was able to track down the spammer's info from this:

    X-Mailer: vBulletin Mail via PHP
    Date: Tue, 3 Sep 2013 13:02:12 -0700
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - srv1.******.com
    X-AntiAbuse: Original Domain - lycos.com
    X-AntiAbuse: Originator/Caller UID/GID - [500 32007] / [47 12]
    X-AntiAbuse: Sender Address Domain - srv1.******.com
    X-Get-Message-Sender-Via: srv1.******.com: authenticated_id: ******/from_h
    X-Source: /usr/bin/php
    X-Source-Args: /usr/bin/php /home/******/forum/showthread.php
    X-Source-Dir: ******.com:/public_html/******/forum

    This is a message from Ann Curtis ( mailto: ) from the ****** Forum ( http://www.******.com/forum/ ).

    The message is as follows:

    Dearest Energy User,

    A POWERFUL invention from 1927 that secretly powered the famous Col. Charles Lindbergh's aircraft on his voyage to be the first to cross the atlantic by airplane without stopping.

    The same invention has already helped thousands of energy users by SLASHING their Electric Bill up to almost 100 percent.

    See this page to see the video: http://payspree.com/12855/ann

    Have a good one.

    Ann Curtis
    So apparently this 'Ann Curtis' from payspree.com (actually techville,net) was able to send spam mails by impersonating my server through vBulletin's showthread.php page. I've heard that in the earliest days of VB3 there was an XSS security flaw within VB3.0.7, but this is VB3.8.7 (patch level 3) already and I doubt such an XSS vulnerability still exists. It could also be session hijacking; I have no idea what it is.

    This problem caught my attention since I had a similar experience back in July, and I was able to persuade my webhost to continue to run my forum, as the spammer left after the webhost suspended my account for about 2-3 days. So it's technically the second time that my vBulletin forum's showthread page vulnerability is being abused. I wonder if anyone else is experiencing an issue similar to this? If so, how do you fix it? Please let me know if you know anything about it. Thanks.
    Last edited by Mittineague; Sep 6, 2013 at 10:19. Reason: delinking quote

  2. #2
    cpradio
    I did a few searches and came across this (not sure if it helps you or not)
    http://www.vbulletin.org/forum/showthread.php?t=296277

  3. #3
    Hall of Famer
    Oh, that's a very helpful clue, thank you so much. I will see if I can confirm that it's indeed the same issue as the user Smitty was encountering. Thanks.

  4. #4
    Hall of Famer
    And it just happened again. My webhost is so annoying that it threatens to suspend my account if I can't resolve the issue. The problem is, it is NOT my fault...

    Anyway, I find that the email always contains the URL 'http://payspree.com/12855/ann'. Is there a way to modify showthread.php so that it rejects the email from being sent whenever it detects this specific URL in user-submitted data? VB 3.8 is a third-party script with thousands of lines of code; it's all procedural, and it takes forever for me to even read through the script file. *sigh*
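The filter asked for above, as an added example that is not part of the thread and not vBulletin's own code. The headers in the first post (X-Mailer: vBulletin Mail via PHP, and an X-Source-Args line naming showthread.php) mean the mail was generated by the forum's own "email this page to a friend" feature, reached through showthread.php, so the spam body is user-submitted text that the script can inspect before it hands the message to vbmail(). The function below returns the blocklisted domain a message links to, matching on the host rather than the literal string so that a different path, upper case, a www. prefix or an hxxp:// obfuscation do not get past it. The do=dosendtofriend branch and the $vbulletin->GPC['message'] field named in the comments are my recollection of vB 3.8 and are assumptions to check against your own copy of showthread.php; payspree.com is the domain from the thread, and the sample message is constructed.

```php
<?php
// Added example, not vBulletin's code. Blocklist check for the text a
// visitor types into the "email this page to a friend" form, meant to run
// in showthread.php before the message reaches vbmail(). The branch name
// do=dosendtofriend and the field $vbulletin->GPC['message'] are
// assumptions about vB 3.8; confirm them against your own showthread.php.

/**
 * Return the blocklisted domain that $text links to, or false if none.
 *
 * Hosts are matched with or without a scheme, with or without "www.",
 * in any letter case, on any path, and through the "hxxp://" obfuscation,
 * so the check cannot be dodged by rewording "http://payspree.com/...".
 */
function find_blocked_link($text, array $blocked_domains)
{
    // Host-shaped tokens: dot-separated labels ending in a letters-only TLD.
    // "Col." or "100." do not match because the label after the dot must be
    // at least two letters.
    $pattern = '~(?:h[tx]{2}ps?://)?(?:www\.)?'
             . '((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,})~i';
    if (!preg_match_all($pattern, $text, $matches)) {
        return false;
    }
    foreach ($matches[1] as $host) {
        $host = strtolower($host);
        foreach ($blocked_domains as $blocked) {
            $blocked = strtolower($blocked);
            $suffix  = '.' . $blocked;
            // exact domain, or any subdomain of it (www., cdn., track., ...)
            if ($host === $blocked || substr($host, -strlen($suffix)) === $suffix) {
                return $blocked;
            }
        }
    }
    return false;
}

// Assumed wiring in showthread.php, in the do=dosendtofriend branch, after
// the POST data has been cleaned and before vbmail() is called:
//
//   if (find_blocked_link($vbulletin->GPC['message'], array('payspree.com'))) {
//       // abort here with vBulletin's standard_error(); which phrase to show
//       // is your choice and is not taken from the thread
//   }

// Stand-alone run on a constructed sample modelled on the quoted spam.
$sample = "Dearest Energy User,\n\n"
        . "See this page to see the video: HXXP://WWW.PAYSPREE.COM/12855/ann\n\n"
        . "Have a good one.\nAnn Curtis";
$hit = find_blocked_link($sample, array('payspree.com'));
echo $hit === false ? "allowed\n" : "rejected, links to $hit\n";
```

Blocking one domain only stops this particular campaign, since the sender can move to another link. Keeping the send-to-friend permission off for guests and low-post-count usergroups, and logging the requesting IP address alongside each rejected attempt so the host's abuse desk can see the source, address the underlying abuse rather than the current URL.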

  5. #5
    SpacePhoenix
    You might want to consider either upgrading to version 4 (version 3 is probably not supported any more) or migrating over to another forum software. What sort of size is the forum (number of users, number of threads and number of posts)? What sort of weekly traffic levels does it get?

    You should run anti-virus and anti-malware/spyware scans on both the server (if you have the rights/permissions to) and any PC you use for FTP access to the file structure. If they come up clean, change your FTP password (making sure the new one is a very strong one) just in case anyone has guessed your FTP password.

  6. #6
    Hall of Famer
    Quote Originally Posted by SpacePhoenix
    You might want to consider either upgrading to version 4 (version 3 is probably not supported any more) or migrating over to another forum software. What sort of size is the forum (number of users, number of threads and number of posts)? What sort of weekly traffic levels does it get?

    You should run anti-virus and anti-malware/spyware scans on both the server (if you have the rights/permissions to) and any PC you use for FTP access to the file structure. If they come up clean, change your FTP password (making sure the new one is a very strong one) just in case anyone has guessed your FTP password.
    Nope, not a single chance. VB3.8 >>> VB4; it's a downgrade if I choose to 'upgrade' my VB. After all, Sitepoint, DevShed, Theadminzone, Webhostingtalk all use VB3; there's a good reason for that. You don't upgrade for the sake of increasing the version number, when VB4 has never ever been better than VB3 in terms of functionality and quality.

    It's not a very active forum; it has 10-20 registered users every day, but that's about it. I do receive a lot more guests though, but the forum is able to block most of the spammers trying to register. This spam mail was apparently sent by an unregistered user; showthread.php seems to be the script with the XSS vulnerability. I have disabled the 'send email to friend' option for every usergroup except admins/mods. Not sure how this is going to help.

  7. #7
    cpradio
    Quote Originally Posted by Hall of Famer
    After all, Sitepoint, DevShed, Theadminzone, Webhostingtalk all use VB3; there's a good reason for that
    That's definitely true, except for Sitepoint. Sitepoint is not using VB3

  8. #8
    Hall of Famer
    I see, but whatever... I'd use VB3 unless I decide to move to another platform like IPB or Xenforo. I will try anything possible to fix this XSS issue, except for this so-called upgrading, which is in fact a downgrade considering VB 3.8.7 is still by far the best version of VB ever produced.

  9. #9
    cpradio
    Quote Originally Posted by Hall of Famer
    I see, but whatever... I'd use VB3 unless I decide to move to another platform like IPB or Xenforo. I will try anything possible to fix this XSS issue, except for this so-called upgrading, which is in fact a downgrade considering VB 3.8.7 is still by far the best version of VB ever produced.
    I can't speak to that as I've been out of the vBulletin world for years. So I'll just politely respect your decision to stay away from VB4/5.

  10. #10
    cpradio
    Just curious, have you tried denying the IP address that is sending the spam in an .htaccess file? At least then they'd have to change their IP to make use of the attack again.

