
06-21-2009, 07:13 AM
|
|
Owner of RSUltimate.com #1 Runescape Gold Site
|
|
Join Date: Jul 2008
Location: -97.519,35.4715
Posts: 4,313
|
|
vBulletin Upgrade?
I mean we're running on 3.6.4 and the newest version is 3.8.3.
Also 4.0 is coming out soon so that would be nice to see.
It only costs $60 to upgrade, so come on already.
Quote:
Originally Posted by Sephiroth878
It needs to be updated... OR you know we could just inject SQL all day lol....
vBulletin <= 3.6.4 inlinemod.php "postids" sql injection / privilege
escalation by session hijacking exploit
Code:
vulnerable code in inlinemod.php near lines 185-209:
...
case 'docopyposts':
    $vbulletin->input->clean_array_gpc('p', array(
        'postids' => TYPE_STR,
    ));
    $postids = explode(',', $vbulletin->GPC['postids']);
    foreach ($postids AS $index => $postid)
    {
        if ($postids["$index"] != intval($postid))
        {
            unset($postids["$index"]);
        }
    }
    if (empty($postids))
    {
        eval(standard_error(fetch_error('no_applicable_posts_selected')));
    }
    if (count($postids) > $postlimit)
    {
        eval(standard_error(fetch_error('you_are_limited_to_working_with_x_posts', $postlimit)));
    }
    break;
...
when an element of $postids array is not an integer, it fails to unset() the proper value.
the result is sql injection near lines 3792-3800:
...
$posts = $db->query_read_slave("
    SELECT post.postid, post.threadid, post.visible, post.title, post.username, post.dateline, post.parentid, post.userid,
        thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid,
        thread.sticky, thread.open, thread.iconid
    FROM " . TABLE_PREFIX . "post AS post
    LEFT JOIN " . TABLE_PREFIX . "thread AS thread USING (threadid)
    WHERE postid IN (" . implode(',', $postids) . ")
    ORDER BY post.dateline
");
...
this exploit extracts various session hashes from the database
to authenticate as admin and to change the privileges of a registered user
I could not find a way to see results inside html, so this asks true/false
questions to the database, copying posts around threads
possible patch, replace:
foreach ($postids AS $index => $postid)
{
    if ($postids["$index"] != intval($postid))
    {
        unset($postids["$index"]);
    }
}
with:
foreach ($postids AS $index => $postid)
{
    $postids["$index"]=(int)$postids["$index"];
}
and, some line before:
foreach ($threadids AS $index => $threadid)
{
    if ($threadids["$index"] != intval($threadid))
    {
        unset($threadids["$index"]);
    }
}
with:
foreach ($threadids AS $index => $threadid)
{
    $threadids["$index"]=(int)$threadids["$index"];
}
You see 3.6.4 has its issues lol.
User banned for infractions can post and custom title 'banned' stuck after infractions expiration. Compatibility problems with IE...
I say Upgrade
|
Last edited by Grave : 06-24-2009 at 10:45 PM.
|
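The filtering check quoted in the post above, reduced to a stand-alone script (an added example, not part of the original post and not vBulletin code). `legacy_kept()` and the `filter_ids_*` functions are hypothetical names, `legacy_kept()` models how PHP 5/7 compared a string with an integer (PHP 8 compares them differently), and the sample `postids` value is constructed. It goes one step beyond the post's patch by adding a strict variant that rejects malformed ids.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper names, constructed sample input.

// Models `$s != intval($s)` as PHP 5/7 evaluated it: the string side is cast
// to a number before comparing, so "12abc" compares equal to 12 and is kept.
// PHP 8 compares such strings textually, so the original check behaves
// differently there.
function legacy_kept(string $s): bool
{
    return (float)$s == (float)intval($s);
}

// The check from the quoted inlinemod.php, under PHP 5/7 comparison rules.
function filter_ids_legacy(string $csv): array
{
    $ids = explode(',', $csv);
    foreach ($ids as $index => $id) {
        if (!legacy_kept($id)) {
            unset($ids[$index]);
        }
    }
    return array_values($ids);
}

// The patch proposed in the post: cast every element to int.
function filter_ids_cast(string $csv): array
{
    return array_map('intval', explode(',', $csv));
}

// Stricter variant: refuse the request if any element is not all digits.
function filter_ids_strict(string $csv): array
{
    $ids = explode(',', $csv);
    foreach ($ids as $id) {
        if (!ctype_digit($id)) {
            throw new InvalidArgumentException('malformed post id');
        }
    }
    return array_map('intval', $ids);
}

$input = '3,12abc,1.5,7';   // constructed sample, not taken from the advisory
echo 'legacy: ', implode(',', filter_ids_legacy($input)), "\n";
echo 'cast:   ', implode(',', filter_ids_cast($input)), "\n";
try { filter_ids_strict($input); } catch (InvalidArgumentException $e) { echo "strict: rejected\n"; }
```

Under the PHP 5/7 rules the legacy filter leaves `12abc` in the list that is later imploded into `IN (...)`, while the cast turns it into post id 12. Rejecting the request avoids silently acting on an id the user never sent.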

06-21-2009, 07:17 AM
|
|
Guru
BANNED
|
|
Join Date: Mar 2009
Location: Teh Australia Land.
Posts: 1,164
|
|
Re: vBulletin Upgrade?
I agree. But keep the www.sythe.org as the site. I think we need a new upgrade, it's been the same for a few years now.
|

06-21-2009, 07:22 AM
|
|
Apprentice
BANNED
|
|
Join Date: Sep 2008
Posts: 755
|
|
Re: vBulletin Upgrade?
Can't you just update for free if you have a license?
|

06-21-2009, 07:23 AM
|
|
Forum Addict
BANNED
|
|
Join Date: Aug 2007
Location: iTz Young SoooWoooPer
Posts: 507
|
|
Re: vBulletin Upgrade?
Wellllll not sure because the new ones have a lot of exploits and bugs and such atm so idk this one is fine does what it needs to do
EDIT: and yes deathbal that is true.
Last edited by ChamilliTarY : 06-21-2009 at 07:24 AM.
|

06-21-2009, 07:24 AM
|
 |
♬♩ Young Forever ♪ ♫
|
|
Join Date: Feb 2007
Posts: 6,500
|
|
Re: vBulletin Upgrade?
Quote:
Originally Posted by D M S Rawrs
I agree. But keep the www.sythe.org as the site. I think we need a new upgrade, it's been the same for a few years now.
|
There's a new skin, but nobody uses it.
|

06-21-2009, 07:29 AM
|
|
Forum Addict
BANNED
|
|
Join Date: Aug 2007
Location: iTz Young SoooWoooPer
Posts: 507
|
|
Re: vBulletin Upgrade?
Quote:
Originally Posted by [N]ick
There's a new skin, but nobody uses it.
|
I use it, it's just a little buggy.
|

06-21-2009, 07:30 AM
|
 |
Forum Addict
|
|
Join Date: Jun 2007
Posts: 477
|
|
Re: vBulletin Upgrade?
Actually Grave,
When vBulletin 4.0.0 comes out, as long as you have an existing license you don't need to pay anything extra.
Also,
The vBulletin 3.6.x series had 10 times the amount of exploits, and errors than the current 3.8.x series does.
This site would be better off to upgrade.
__________________
Signature Coming Soon
|

06-21-2009, 07:35 AM
|
|
Apprentice
BANNED
|
|
Join Date: Sep 2008
Posts: 755
|
|
Re: vBulletin Upgrade?
Quote:
Originally Posted by soccertj
Actually Grave,
When vBulletin 4.0.0 comes out, as long as you have an existing license you don't need to pay anything extra.
Also,
The vBulletin 3.6.x series had 10 times the amount of exploits, and errors than the current 3.8.x series does.
This site would be better off to upgrade.
|
U sure that 3.6.x has more exploits? Cause I have seen a lot more forums get hacked that have the latest vBulletin
|

06-21-2009, 07:46 AM
|
|
Owner of RSUltimate.com #1 Runescape Gold Site
|
|
Join Date: Jul 2008
Location: -97.519,35.4715
Posts: 4,313
|
|
Re: vBulletin Upgrade?
Quote:
Originally Posted by D M S Rawrs
I agree. But keep the www.sythe.org as the site. I think we need a new upgrade, it's been the same for a few years now.
|
It's upgrading the vBulletin, not changing the website.
Quote:
Originally Posted by deathbal sam
Can't you just update for free if you have a license?
|
Nope. Licenses only come with one year of updates.
Quote:
Originally Posted by ChamilliTarY
Wellllll not sure because the new ones have a lot of exploits and bugs and such atm so idk this one is fine does what it needs to do
EDIT: and yes deathbal that is true.
|
No, it's not true.
Quote:
Originally Posted by [N]ick
There's a new skin, but nobody uses it.
|
A new skin doesn't mean it's a new version of vBulletin.
Quote:
Originally Posted by soccertj
Actually Grave,
When vBulletin 4.0.0 comes out, as long as you have an existing license you don't need to pay anything extra.
Also,
The vBulletin 3.6.x series had 10 times the amount of exploits, and errors than the current 3.8.x series does.
This site would be better off to upgrade.
|
Yes, you need to pay for the upgrade if your license was purchased over a year before the update.
Quote:
Originally Posted by deathbal sam
U sure that 3.6.x has more exploits? Cause I have seen a lot more forums get hacked that have the latest vBulletin
|
They're basically the same coding. I think vBulletin 4 was rewritten though.
|

06-21-2009, 07:53 AM
|
|
Guru
BANNED
|
|
Join Date: Mar 2009
Location: Teh Australia Land.
Posts: 1,164
|
|
Re: vBulletin Upgrade?
What exploits are we talking about here? You mean DDOS attacks?
|

06-21-2009, 07:53 AM
|
 |
Forum Addict
|
|
Join Date: Jun 2007
Posts: 477
|
|
Re: vBulletin Upgrade?
Quote:
Originally Posted by grave
Yes, you need to pay for the upgrade if your license was purchased over a year before the update.
|
Nope,
Any current customers don't have to pay. As long as the license is active, it is eligible for the update to vBulletin 4.x.x 
Don't argue, I know this shit
I demand an upgrade
Edit:
About the post above mine:
hacking exploits, there are a lot of ways to get backdoor access to the cPanel.
__________________
Signature Coming Soon
Last edited by soccertj : 06-21-2009 at 07:54 AM.
|

06-21-2009, 08:05 AM
|
|
Owner of RSUltimate.com #1 Runescape Gold Site
|
|
Join Date: Jul 2008
Location: -97.519,35.4715
Posts: 4,313
|
|
Re: vBulletin Upgrade?
Quote:
Originally Posted by soccertj
Nope,
Any current customers don't have to pay. As long as the license is active, it is eligible for the update to vBulletin 4.x.x 
Don't argue, I know this shit
I demand an upgrade
Edit:
About the post above mine:
hacking exploits, there are a lot of ways to get backdoor access to the cPanel.
|
Why would they require you to pay for minor updates and then give vB4 for free? Ehh.
Right now I'm not sure whether I should get vB4 or IPB3 for my website.
|

06-21-2009, 08:08 AM
|
|
|
|
Join Date: Sep 2007
Location: Probably IRC. I am pretty fly, you know?
Posts: 5,745
|
|
Re: vBulletin Upgrade?
Wouldn't transferring massive amounts of data to a new vB take a long ass time?
__________________
My MSN is [email protected]
If you're ever conducting something official/any business with me, make sure you get a PM.
|

06-21-2009, 08:24 AM
|
|
Apprentice
BANNED
|
|
Join Date: Sep 2008
Posts: 755
|
|
Re: vBulletin Upgrade?
Grave, if you have bought a full license, not a leased one, and these are like $180, then you get free upgrades for life from what I know
|

06-21-2009, 08:29 AM
|
 |
Forum Addict
|
|
Join Date: Jun 2007
Posts: 477
|
|
Re: vBulletin Upgrade?
To Grave:
No, they figure that since you are already a paying customer, they shouldn't charge you for the new files.
You can read this on vBulletin.com
To BenWise90:
Nope, you just upload the new vBulletin Files.
Then go to:
http://sythe.org/install/upgrade.php from there it's a pretty step by step process.
To Deathbal Sam:
You are partially correct,
A lifetime license does indeed cost $180, but you only get support and access to the vBulletin.org modifications site for that year. You do get access to the vBulletin.com Members Area (where you download the vBulletin files) for the life of the license
__________________
Signature Coming Soon
|

06-21-2009, 08:34 AM
|
 |
Forum Addict
|
|
Join Date: Jul 2007
Posts: 591
|
|
Re: vBulletin Upgrade?
Correct, updating would not take very long at all.
The base member/post files stay the same.
__________________
I will never decline a Sythe PM to verify my identity.
I will never decline using an OMM.
I will never scam, ever.
my://vouches.xD
|

06-21-2009, 08:37 AM
|
 |
Forum Addict
|
|
Join Date: Jun 2007
Posts: 477
|
|
Re: vBulletin Upgrade?
Quote:
Originally Posted by biliyad1
Correct, updating would not take very long at all.
The base member/post files stay the same.
|
Wrong,
When you upgrade from vBulletin 3.6.x to vBulletin 3.8.x the entire postbit, and member.php files get redone, that's just part of the updates
Also,
It takes a maximum of 5 minutes to remove the old files, put up a temp index.php, and upload the new ones 
__________________
Signature Coming Soon
|

06-21-2009, 08:47 AM
|
|
Owner of RSUltimate.com #1 Runescape Gold Site
|
|
Join Date: Jul 2008
Location: -97.519,35.4715
Posts: 4,313
|
|
Re: vBulletin Upgrade?
Quote:
Originally Posted by benwise90
Wouldn't transferring massive amounts of data to a new vB take a long ass time?
|
I don't think you transfer the data to the new vB.
You simply update the vB files.
Btw, I just bought an IPB license 
Last edited by Grave : 06-21-2009 at 08:47 AM.
|

06-21-2009, 08:53 AM
|
 |
Forum Addict
|
|
Join Date: Jun 2007
Posts: 477
|
|
Re: vBulletin Upgrade?
Quote:
Originally Posted by grave
I don't think you transfer the data to the new vB.
You simply update the vB files.
Btw, I just bought an IPB license 
|
Bah, I already explained it.
You just upload the new vB files OVERWRITING the old ones
Run http://sythe.org/install/upgrade.php
Then done.
Gratz on IPB, I don't like IPB personally :P
__________________
Signature Coming Soon
|

06-21-2009, 08:56 AM
|
|
Apprentice
BANNED
|
|
Join Date: Feb 2007
Location: Texas
Posts: 637
|
|
Re: vBulletin Upgrade?
It really doesn't matter.
|
|