Problem with patch recommended for vB Gallery 2.4.2

[c0bra]

I am dealing with the security issue for a client.

In this message:
Security Notice: Update for vBGallery v2.5

You say we have to patch "profile_start.php" in /forums/includes/vbgallery/ but the file doesn't exist on the sites I am managing for a client?

Does this vulnerability only exist in this file? Therefore if the file is not on the server, they are immune to the threat?

[Chuck S]

Actually in the thread we announced there are two downloads.

1. There is a text file that releases php file in older versions

2. There is a plugin txt file to replace the contents of the profile_start plugin for vbgallery

So you would use whichever one is for your version. You are going to have a file or a plugin

[c0bra]

I know the plugin doesn't exist in 2.4.2. Your advisory says its for 2.5+.

I can't find the file you are telling us to patch in any 2.4.2 installations either.

[Chuck S]

Potential SQL Injection

The download thread was attached in the email. I beleive Michael has explained which is the plugin and which is the php file there.

[c0bra]

I have fully understood the information Michael presented. What I don't understand, is why our 2.4.2 installs are missing the apparently vulnerable profile_start.php file. Was this an optional component? Or was it included by default in all installs/upgrades?

And if we don't have the file on our server, and the profile_start plugin is also not present on our site, are we safe from this attack?

[Ramses]

Checked an old 2.4.2 folder and there isn't indeed a profile_start.php file. Than there shouldn't be a risk for you?

[c0bra]

Quote:

Originally Posted by Ramses

Checked an old 2.4.2 folder and there isn't indeed a profile_start.php file. Than there shouldn't be a risk for you?

Thanks. That's what I am trying to figure out. Either the risk isn't present in 2.4.2, or the code is lurking somewhere else.

[Chuck S]

well not a problem in 2.42 I think everything is a plugin so you download the plugin not the php file.

[c0bra]

Quote:

Originally Posted by Chuck S

well not a problem in 2.42 I think everything is a plugin so you download the plugin not the php file.

There is no profile_start plugin in 2.4.2 either though. Could you clarify with developers the situation? Maybe the advistory is wrong and 2.4.2 is not affected by this vulnerability. It would be good to get some clarification.

[Luciano]

Quote:

Originally Posted by c0bra

There is no profile_start plugin in 2.4.2 either though. Could you clarify with developers the situation? Maybe the advistory is wrong and 2.4.2 is not affected by this vulnerability. It would be good to get some clarification.

Well in the advisory there is a link:
Original Advisory
http://archives.neohapsis.com/archives/bugtraq/2010-03/0236.html

there you find:

Quote:

Versions
---------
Affected Version(s): 2.5
Not affected Versions: Versions prior to 2.5

this is not quite correct...
affected are 2.43 and 2.5 (that is why michael posted 2 fixes)
because that was when vbulletin introduced the tabbed profile..
versions prior to 2.43 | i.e. 2.42 for vbulletin 3.6 are NOT affected because they do not have this plugin.

Luc

[c0bra]

Luciano,

Yep I read the Bugtraq announcement.

But Michael announced:

Quote:

Attached is a new profile_start.php script for versions 2.0-2.4.X.

2.0-2.4.X implies that every release since version 2.0 is affected. But thanks for clarifying what I assumed was correct.

[Luciano]

That was said because only vbgallery 2.0-2.43 had plugins as files...
the version above have plugins as code...
Luc