Another vBulletin Security Hole? Not surprising

First, in the interest of fair disclosure, I have been a vBulletin customer for close to 10+ years. While my criticisms may be harsh, they are justified given the level of incompetence I have witnessed in the last few years.

If you missed this article on Brian Krebs’s blog two weeks ago, it details an exploit that targets the installation folder of the vBulletin 4.x and vBulletin 5.x generations, with an estimated 35,000 sites affected despite Internet Brands notifying customers.

If you run a forum or site powered by vBulletin, remove the “/install” and/or “/core/install” folders. If your vBulletin site still has those directories in place, check for new administrator accounts and for any accounts that may have been whitelisted in config.php as super admins.
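As an added example (not from the original post), the following POSIX shell function performs the two checks above on a vBulletin web root: it flags a leftover install directory and reports the super-admin whitelist from config.php. It assumes the vBulletin 4/5 layout (config.php under includes/ or core/includes/) and the standard `$config['SpecialUsers']['superadministrators']` key; the directory and config paths are assumptions to adjust for your install.

```shell
#!/bin/sh
# vb_audit: defender-side check of a vBulletin root for the two items the post
# asks site owners to verify. Usage: vb_audit /var/www/forum
# Returns 0 when no leftover install directory is found, 1 otherwise.
vb_audit() {
    root="${1:?usage: vb_audit /path/to/vbulletin}"
    status=0

    # 1. Leftover installer directories (vB4 uses /install, vB5 uses /core/install).
    for d in install core/install; do
        if [ -d "$root/$d" ]; then
            echo "WARN: $root/$d still present; remove it"
            status=1
        fi
    done

    # 2. Super-admin whitelist: the comma-separated user IDs in
    #    $config['SpecialUsers']['superadministrators'] bypass normal admin
    #    permission checks, so every ID listed here must be accounted for.
    for cfg in includes/config.php core/includes/config.php; do
        f="$root/$cfg"
        [ -f "$f" ] || continue
        ids=$(sed -n "s/.*\['SpecialUsers'\]\['superadministrators'\][[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$f")
        echo "INFO: $cfg superadministrators = '${ids:-<none>}'"
    done

    return $status
}
```

Compare the reported IDs against the accounts you actually expect to hold super-admin rights; an unfamiliar ID is exactly the kind of change the post warns about.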

Criticism

Regardless of the product one uses, webmasters, business owners and organizations should be employing best practices when it comes to vendor risk management. That includes signing up for the vendor’s notifications in the event of security flaws related to their products. Moreover, anyone who did their homework on Internet Brands would clearly know that the product is rubbish. The product is flawed in so many ways it’s not even funny.

There are even a couple of vBulletin blog sites focused on the nightmare it has become.

Criticism of Internet Brands

First, we can all agree there is a set of industry best practices out there, from coding to marketing. From my observations, Internet Brands has pretty much violated every conceivable best practice out there, and is a disaster beyond our imagination. This is the very same company that programmed vBulletin database credential leakage: your database SQL username, password, server and database name were revealed to the public if you looked them up in a forum owner’s frequently asked questions.

Yes, site owners are responsible for their sites, but Internet Brands has no real concept of risk management, project management or information security. Their sole purpose is to make money, and they will make money at the expense of your site’s information security. As a customer, I lost faith very quickly and terminated my usage of vBulletin immediately so as not to expose my sites to potential and future security issues.

Moreover, their security notices downplayed the security threat. In an email Internet Brands wrote to its customers:

A potential exploit vector has been found in the vBulletin 4.1+ and 5.0+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, you should delete the install directory for your installation. This folder is not required for normal operation of vBulletin.

When one reads the email, the choice of words (originally highlighted in bold) leads customers to draw the wrong conclusions, including that the threat is not confirmed and that it will be confirmed later. Moreover, a customer would expect a follow-up confirmation if the security issue were confirmed, and would conclude that no immediate action was required in the meantime. This miscommunication of the flaw was designed to protect Internet Brands, but in the process the language chosen downgraded the risk from an actual risk to a potential risk.

Beyond the notification and communications to its customers, Internet Brands itself is responsible for the overall security of its product. That includes elements like the install directory. It is still the responsibility of Internet Brands to ensure that vBulletin is securely coded, using industry best practices to test, audit and validate it, and to deliver a product that not only is coded well, but scales well.

Information security starts with your developers and your software vendors, and it continues with them throughout. It is (or rather, should be) a required part of the software development life cycle. It isn’t easy to do, but the savings and return on investment are tenfold when it is integrated into your processes.

Do your homework on your software vendors. Yes, they may claim security is at the top of their list, but I would “trust but verify”. More so, don’t be cheap on information security. Going for checklist audits and assessments just to say you are secure is being cheap.

Your organization has a reputation to uphold. Information security is an investment in your organization and its welfare. Should you not wish to invest, be prepared for a number of sleepless nights ahead.

Summary:

  • Securely code your products.
  • Do your homework on your vendors.
  • Your organization has a reputation. It can get tarnished by improper information security.
  • Information security is not cheap. But it is well worth the investment in the long run.