Asher Kelman
OPF Owner/Editor-in-Chief
The last thing we want to do is turn off even for an hour. We were down for 8 hours from 2 am until 10:04 Pacific time! The extreme step was taken as a precautionary measure.
We were shocked to learn, via the BBC online news service, of a simple entrance to the administrator functions in vBulletin:
A serious flaw in software widely used to power online discussion sites could allow hackers to harvest reams of personal data, the BBC has learned.
The flaw in a specific version of the vBulletin software allows anyone to easily access the main administrator username and password for a site.
[Photo: BBC. Caption: The flaw could allow a hacker to access forum users' personal data]
This would also allow hackers to access data, such as e-mail addresses, and edit the site at will.
... The simple hack, which the BBC has confirmed, allows even unskilled people to access many websites.
With a few key strokes the person can obtain the administrator's username and password for the website.
This can be used to log in to the site and modify and delete elements at will.
David Ross, founder of Hexus.net, a technology news and reviews website, said the flaw was a "potential nightmare".
"It could allow someone to access all of the user accounts for the site," he said.
This would be useful to a hacker, he said, because it was "good quality information" that had already been verified.
This shocking news came at the same time as a suspicious post from Russia replying to Doug's 2009 thread on "Fourier Transforms" used in MTF specifications of lenses (often calculated and not measured, but considered critical in the choice of lenses for specific work). I discovered that the poster, likely a BOT, had hooked on to the words "Excel and spreadsheet" to add a response with a link to a likely malware site, where they could send folk whatever they wished or take over their computers. There was no damage or evidence of penetration of OPF structure or content, except that the Fourier Transform thread mysteriously vanished after the BOT or fellow was banned. (Doug will repost that interesting article.)
With these two incidents I realized we did not need a door open to hackers here and that the risk was too great.
Unfortunately one cannot simply telephone vBulletin and speak to tech support! Our notice from vBulletin referred to a patch level needed for version 3.8.6. We have at the moment 3.8.4 with patch level 2. They didn't make it clear whether the doorway to hackers was open also to other versions. I asked other administrators with more technical knowledge than I have and was advised to employ the patch. Just to be certain and not ruin our database, I set up an urgent ticket in their support area and asked vBulletin support. Obviously they were flooded with similar requests, as this is the one software that the vast majority of forums around the world use, and they didn't reply until 10:04 am today, indicating there were no vulnerabilities to OPF as our version didn't have the flaw!
I wish they would communicate in a clear, unambiguous way! The patch is designed to be uploaded in a very easy fashion. The instructions should match that!
My apologies for any inconvenience caused by being off the air! We just want OPF to be the safest venue, and so I guess safe is better than sorry!
Asher