Shout to HL2.net Mods

The article said they can get the raw username and password of the database user, not the administrator account (unless I'm missing something). Luckily most sites are set up so you can't get to the database outside of the local machines unless otherwise specified. I don't see how they could steal the password of the administrator account since those passwords are hashed using MD5 which makes them virtually impossible to crack unless the password was a simple dictionary word.
 
Well, my interpretation is much different
The flaw in a specific version of the vBulletin software allows anyone to easily access the main administrator username and password for a site.

This would also allow hackers to access data, such as e-mail addresses, and edit the site at will.
They can get the main administrator username and password. Then they can get every user's email and any other personal information they have given (for example, birthdate).

The flaw affects version 3.8.6 of the software, which was released on 13 July.

The simple hack, which the BBC has confirmed, allows even unskilled people to access many websites.

With a few key strokes the person can obtain the administrator's username and password for the website.

This can be used to log in to the site and modify and delete elements at will.

David Ross, founder of Hexus.net, a technology news and reviews website, said the flaw was a "potential nightmare".

"It could allow someone to access all of the user accounts for the site," he said.

This would be useful to a hacker, he said, because it was "good quality information" that had already been verified.

Internet Brands announced a patch for the problem at 1900 BST on 21 July on its website.

It also sent e-mails to its customers and sent out a message that appeared on the main control panels of individual customers' software.
I don't think there is anything to worry about, unless Munro or Pi hasn't been here to see the notice.
 
But how do they get the admin username and password when the password is hashed using MD5?
 
The article said they can get the raw username and password of the database user, not the administrator account (unless I'm missing something)

You're missing the second paragraph.

The flaw in a specific version of the vBulletin software allows anyone to easily access the main administrator username and password for a site.
 
But how do they get the admin username and password when the password is hashed using MD5?
You're asking the wrong person.

Maybe you know too much about this stuff, and that's your problem. I'll give you the benefit of the doubt. But you're overthinking this. It wouldn't be a vulnerability if there wasn't a vulnerability.

It has come to our attention that 3.8.6 contains a security exploit related to the FAQ
 
Pi's just chatted to me on Steamchat and said it was alright.
 
Yup, reading more on this it's a database credentials exploit, not an exploit for the administrator password. I'm not surprised the BBC would overreact to this.

The only time this would be a problem is if for some crazy reason Munro had the SQL server set up so anyone could connect to it, by default the SQL server will only communicate with the local machine. The only other time this would be a problem is if for some reason the database password was the same as the hosting account password which would be insane to do anyway.

So yeah, the BBC is full of shit. And I'm not saying this isn't a vulnerability, of course it is. But it is in no way what the BBC tried to make it out to be.

You're missing the second paragraph.

I saw that, the problem is the article contradicts itself:

"The exploit allows a malicious user to retrieve a forum's database credentials."
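The post above rests on an assumption worth checking rather than trusting: that the MySQL server behind the forum only talks to the local machine, so leaked database credentials are of limited use to anyone outside. The script below is an added example for this thread, not code from vBulletin, MySQL or the BBC article; it reads the `[mysqld]` section of a my.cnf-style config and classifies how reachable the server is. The config snippets are constructed samples, and the default when `bind-address` is absent is deliberately reported as unknown because it differs between MySQL versions and distributions.

```python
"""Classify how reachable a MySQL/MariaDB server is from its config.

Added example for the HL2.net thread on the vBulletin 3.8.6 credential leak;
not project code. Sample configs below are constructed for illustration.
"""
import ipaddress

# Constructed sample configs (not taken from any real server).
LOCAL_ONLY_CNF = """
[mysqld]
user = mysql
bind-address = 127.0.0.1
port = 3306
"""

EXPOSED_CNF = """
[mysqld]
user = mysql
bind-address = 0.0.0.0   # listens on every interface
"""

NO_NETWORK_CNF = """
[mysqld]
skip-networking
"""


def mysqld_section(cnf_text):
    """Return the options of the [mysqld] section as a dict.

    Bare options such as `skip-networking` map to True; `key = value`
    pairs map to the string value. Underscores are normalised to dashes
    because MySQL accepts both spellings.
    """
    opts = {}
    section = None
    for raw in cnf_text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        if section != 'mysqld':
            continue
        if '=' in line:
            key, val = line.split('=', 1)
            opts[key.strip().lower().replace('_', '-')] = val.strip()
        else:
            opts[line.lower().replace('_', '-')] = True
    return opts


def db_exposure(cnf_text):
    """Return one of 'no-tcp', 'local-only', 'network-exposed', 'unknown-default'."""
    opts = mysqld_section(cnf_text)

    sn = opts.get('skip-networking')
    if sn is True or str(sn).lower() in ('1', 'on', 'true'):
        return 'no-tcp'                            # only socket/named-pipe access

    addr = opts.get('bind-address')
    if addr is None:
        # The default varies by version and distribution; do not assume loopback.
        return 'unknown-default'

    # Newer servers accept a comma-separated list; every entry must be loopback.
    for entry in (a.strip() for a in addr.split(',')):
        if entry.lower() == 'localhost':
            continue
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            return 'network-exposed'               # e.g. '*' or a hostname
        if not ip.is_loopback:
            return 'network-exposed'               # 0.0.0.0, '::' or a LAN address
    return 'local-only'


if __name__ == '__main__':
    for name, cnf in (('local', LOCAL_ONLY_CNF), ('exposed', EXPOSED_CNF),
                      ('no-net', NO_NETWORK_CNF)):
        print(f'{name:8s} -> {db_exposure(cnf)}')
```

Run it against the real config with `db_exposure(open('/etc/mysql/my.cnf').read())` (path is an assumption; adjust for the host). A result of `local-only` or `no-tcp` means a leaked DB password is only usable by someone who already has code execution on the box; `network-exposed` or `unknown-default` means the server's own firewall and grant tables need a look, and `unknown-default` should be resolved by setting `bind-address` explicitly rather than trusting the packaged default.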
 
I know nothing about this stuff; I'll take your word for it, bro.

The BBC article was pretty alarming.
 
This type of thing just kind of pisses me off. Their so called "technology reporter" can't get a few simple facts right. Anyone that has ever written any kind of software knows that bugs and exploits happen. There are those people that understand that and allow you to fix the problem without giving you too much grief then there are the people such as this "technology reporter" from the BBC that blow a gasket and act like the world is about to end. Yet they can't be bothered to get a few more details about the problem before losing their shit.
 
"The flaw affects version 3.8.6 of the software, which was released on 13 July."

It's ok. Pi and Munro would never keep the forum code that up to date.
 
Is this how Pi took over the forum? I mean sure he had power... but now he has ULTIMATE power.

I haven't seen Munro around lately. Probably just Pi in disguise now.
 
"The flaw affects version 3.8.6 of the software, which was released on 13 July."

It's ok. Pi and Munro would never keep the forum code that up to date.

It'd be funny if it wasn't so tragically true.
 
Wow, the sensationalism of that article is totally insane.
 
You'll have noticed you needed to log in again today, all your cookies were stolen from the cookie jar by the cookie monster.

And also Munro installed the security patch.
 
Is it just me or are cookies not being set correctly? Seems like I have to log back in each time.
 
There's a warm feeling inside that I may have averted a potential disaster for this forum :)
 
Bump... anyone else having the problem of it not keeping you logged in? Want to make sure before I clear all my cookies, which is a total pain in the ass because of how my bank's login system is set up.
 
Mine was acting up at some point last week, and there's a thread in the hl2.net feedback section about it, so you're not alone. Though it's been working fine for the past few days for me.
 
Thanks, I usually miss threads up there. I think I found a fix, posted it there.
 