wetalk network
WTN.Patch: vBulletin 3.8.6 [faq.php]
Forum: WTN Official Products / Services
 
Floris
[Site Owner]
We believe the following should be enough to patch a 3.8.6 board that's vulnerable to the faq.php exploit that a buddy of ours found today and made vBulletin.com aware of.

Installation instructions.

Since all you need to do is hook into vBulletin via global.php and delete the phrase from the language, the following should be enough:

Put it in wtn_386_patch.php

Upload to forum directory

Run from browser

Remove from forum directory

And test if you're still vulnerable.

wtn_386_patch.php
PHP Code:
<?php // wtn_386_patch.php
error_reporting(E_ALL & ~E_NOTICE & ~8192);
// Hook into vBulletin so $db and TABLE_PREFIX are available
require_once('./global.php');
// Remove the leftover phrase that exposes database details through faq.php
$db->query_write("DELETE FROM " . TABLE_PREFIX . "phrase WHERE varname = 'database_ingo'");
echo "Done";
?>
Please note that we're still testing; rebuilding languages might be required, but I don't believe that's needed.

If a rebuild is required, perhaps add

require_once(DIR . '/includes/adminfunctions.php');

after the require of global.php, and then, before the echo, on a new line:

build_options();
build_language(0);
build_language_datastore();

But I haven't had time to test that yet. I have flaky internet tonight and am preparing dinner.
 
~ Floris Fiedeldij Dop

#1 by Floris, July 21st, 2010
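Added example, not the patch from the post above: a PHP script on the same idea that counts the leftover phrase rows before and after deleting them, so the result can be checked without touching faq.php from the outside, and then runs the language rebuild the post mentions. It assumes vBulletin 3.8's admin include files adminfunctions.php and adminfunctions_language.php, that build_language(-1) rebuilds all languages, and the helper name wtn_count_leftover_phrase is made up for this example.

```php
<?php // wtn_386_check_and_patch.php (added example, not the original post's patch)
error_reporting(E_ALL & ~E_NOTICE & ~8192);
require_once('./global.php');
// Assumption: in vBulletin 3.8 the option and language rebuild helpers live here.
require_once(DIR . '/includes/adminfunctions.php');
require_once(DIR . '/includes/adminfunctions_language.php');

// Count copies of the leftover debug phrase across every language
// (the master language uses languageid -1, so no languageid filter is applied).
function wtn_count_leftover_phrase($db, $varname)
{
    $row = $db->query_first("
        SELECT COUNT(*) AS cnt
        FROM " . TABLE_PREFIX . "phrase
        WHERE varname = '" . $db->escape_string($varname) . "'
    ");
    return (int) $row['cnt'];
}

$varname = 'database_ingo';

$before = wtn_count_leftover_phrase($db, $varname);
echo "Rows for phrase '$varname' before: $before<br />";

if ($before > 0)
{
    // Same deletion as the original patch, with the string pieces concatenated.
    $db->query_write("
        DELETE FROM " . TABLE_PREFIX . "phrase
        WHERE varname = '" . $db->escape_string($varname) . "'
    ");

    // Rebuild cached options and language data so the deletion takes effect
    // everywhere. Assumption: -1 means "all languages" in build_language().
    build_options();
    build_language(-1);
    build_language_datastore();
}

$after = wtn_count_leftover_phrase($db, $varname);
echo "Rows for phrase '$varname' after: $after<br />";
echo ($after === 0) ? "Done: phrase removed." : "Phrase still present, check the phrase table manually.";
?>
```

Run it once from the browser like the original patch, then remove it from the forum directory; a count of 0 afterwards means the phrase is no longer in the database.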
 
Floris
[Site Owner]
Update:

vBulletin's Wayne Luke posted in the (now closed) thread that they will release a new .xml file you can import as the official "patch".

Update 2:

vBulletin's Steve Machol published the official patch for 3.8.6.
Last edited by Floris; July 21st, 2010 at 07:12 PM.
 
~ Floris Fiedeldij Dop

#2 by Floris, July 21st, 2010
 
mlx
Premium Member
That's exactly the query I came up with as well.

I don't think that phrases are cached anywhere.

So your patch should be working fine.

Also thanks for the heads up earlier today!

Personally, I haven't upgraded to any of those IB releases. They really cannot fix a single bug without introducing two new ones. Leaving this phrase in the release is just unbelievable. So if there was any trust in IB left, it's most definitely gone now.
 
#3 by mlx, July 21st, 2010
 
BirdOPrey5
Active Member
How do you test if you're vulnerable?
 
#4 by BirdOPrey5, July 21st, 2010
 
mlx
Premium Member
Unless that information is available elsewhere yet, I don't think that we should start to publish a proof-of-concept exploit right here. I won't.
 
#5 by mlx, July 21st, 2010
 
BirdOPrey5
Active Member
The way the instructions were presented, I thought the exploit must already be well published... If not, maybe it isn't that big a deal.
 
#6 by BirdOPrey5, July 21st, 2010
 
Floris
[Site Owner]
Feel free to email contact@wetalknation.net with a request to test your URL.

[edit: on the URL in your profile, which is a 3.8.6 forum, I could not see any DB details, so that URL is OK now, if it's patched]
Last edited by Floris; July 21st, 2010 at 10:52 PM.
 
~ Floris Fiedeldij Dop

#7 by Floris, July 21st, 2010
 
BirdOPrey5
Active Member
Thanks for the update! Yes that was the forum I was concerned about but didn't want to bother anyone to look. Thanks again.

I changed my DB password and username and uploaded a new config.php just in case, though... you never know if someone used the exploit before it was patched and was sitting on the info. I have a number of tech-savvy users who have tried to 'take over' the forum before.
Last edited by BirdOPrey5; July 22nd, 2010 at 02:49 AM.
 
#8 by BirdOPrey5, July 22nd, 2010
 
Floris
[Site Owner]
That's very smart. Never hurts to change the details every once in a while anyway.
 
~ Floris Fiedeldij Dop

#9 by Floris, July 22nd, 2010
 
Floris
[Site Owner]
mlx posted: vBulletin Community Forum
 
~ Floris Fiedeldij Dop

#10 by Floris, July 22nd, 2010