February 14th, 2012, 04:33 PM   #1 (permalink)
attroll (Member, Verified Customer)
Join Date: Feb 2003
Posts: 364
Spam exploit in GBG 2.51

My server is spamming through VBGallery 2.51. I am 100% sure that this is the case. Let me explain all that has gone on to prove this.

I was on another server that I have since left and moved this site to a new server. The only site hosted on this server is the one I am referring to now. The reason I left was partly because of this spamming going on that it was sending out.

If I go into my ADMINCP plugins and turn off the VBGallery plugin then the spamming stops.

If I turn it back on it starts back up in a day or two. I have left the plugin turned off for almost two weeks and the server never sent out any spam. But as soon as it gets turned back on the spam starts getting sent out from my server again.

Here is another link that helped me isolate it down to VBGallery. There is another user by the name of beishe8 that also brings up that he had this same problem and how he narrowed it down to Photopost vBGallery misc.php. You can find his results on page two of this thread.
https://www.vbulletin.com/forum/show...mail-log/page2

Chuck can you verify this and put out a fix for it ASAP?

February 14th, 2012, 05:20 PM   #2 (permalink)
Chuck S (Photopost Developer, Verified Customer)
Join Date: Jun 2002
Location: Abingdon,MD
Posts: 71,676
Turn off the email to a friend feature if you do not want users to email people links. Sure, they can post spam there, much like anyone registered can post spam on the vb forum, much like they do here.

Once a spammer registers they can use the features of the software. There is no conceivable check to determine what is a spam post or spam email. Checks are only done to ensure a post or email is valid, not spam.
__________________
Photopost Developer and Support Engineer

Please do not PM me for support or sales questions. Thank you for your understanding.

February 14th, 2012, 09:39 PM   #3 (permalink)
attroll (Member, Verified Customer)
Join Date: Feb 2003
Posts: 364
No, I think you have misunderstood me. This is not getting posted to the forums; it is going directly out through email straight off the server.
The person can use VBG to send a mass email to over 765 emails at one time and this is not users that are registered on the web site. This is any email address they paste in.

The person has found a way to use VBGallery as a mass emailing feature on servers with VBG installed. They are using the server through VBG to send 765 emails and more at a time through the server.

You say to Turn off the email to a friend feature. That is a vBulletin feature and not a VBG feature if I am correct, right? Please explain a little bit about turning this off as I cannot seem to find that feature in the VBG Admin section.

Here is a link I found tonight that might also have something to do with this
Exploit in VB Gallery 2.5.1

February 15th, 2012, 08:02 AM   #4 (permalink)
Chuck S (Photopost Developer, Verified Customer)
Join Date: Jun 2002
Location: Abingdon,MD
Posts: 71,676
You can check that thread; I posted something that might help, but you're talking about someone directly accessing a mail command.

February 15th, 2012, 03:47 PM   #5 (permalink)
attroll (Member, Verified Customer)
Join Date: Feb 2003
Posts: 364
I think we have taken care of this for now, time will tell. We removed the ability to send email and e-cards out of the /gallery/misc.php.

You made the statement in another post in the other thread that this is a VB thing. I find it hard to believe it is a VB thing. If it was a VB thing then are they only going through the gallery/misc.php file to execute mass spamming? If it was a VB thing then they would also be able to do it with the gallery disabled. Also if it was a VB thing then they would be able to do it without the gallery installed wouldn't they? Maybe I am just not understanding this right.
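
An added example, not part of the original thread or PhotoPost's code: one way to confirm which script is originating bulk mail, as the posts above describe for /gallery/misc.php, is to tally PHP's mail log by calling script. It assumes the `mail.log` php.ini directive is enabled; the log line layout, paths and addresses below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout assumed for PHP's mail.log output
# (timestamp, calling script:line, To, headers). Paths and addresses are invented.
SAMPLE_LOG = """\
[14-Feb-2012 03:10:01 UTC] mail() on [/home/site/public_html/gallery/misc.php:412]: To: a1@example.net, a2@example.net, a3@example.net -- Headers: From: x@example.org
[14-Feb-2012 03:10:02 UTC] mail() on [/home/site/public_html/gallery/misc.php:412]: To: b1@example.net, b2@example.net -- Headers: From: x@example.org
[14-Feb-2012 03:12:40 UTC] mail() on [/home/site/public_html/includes/class_mail.php:310]: To: member@example.com -- Headers: From: forum@example.org
this line is not a mail() record and must be skipped
[14-Feb-2012 03:15:09 UTC] mail() on [/home/site/public_html/gallery/misc.php:412]: To: A1@example.net, c1@example.net -- Headers: From: x@example.org
"""

# Captures the calling script and the To: field; the header part is ignored.
LINE_RE = re.compile(
    r"mail\(\) on \[(?P<script>[^\]:]+):\d+\]: To: (?P<to>.*?)(?: -- Headers: |$)"
)

def summarize(log_text):
    """Return {script_path: {"calls": int, "recipients": set of addresses}}."""
    stats = defaultdict(lambda: {"calls": 0, "recipients": set()})
    for raw in log_text.splitlines():
        match = LINE_RE.search(raw)
        if match is None:
            continue  # not a mail() record
        entry = stats[match.group("script")]
        entry["calls"] += 1
        for addr in match.group("to").split(","):
            addr = addr.strip().lower()  # case-fold so repeats count once
            if addr:
                entry["recipients"].add(addr)
    return dict(stats)

def suspects(stats, max_distinct_recipients):
    """Scripts that mailed more distinct addresses than the site expects."""
    return sorted(
        script for script, entry in stats.items()
        if len(entry["recipients"]) > max_distinct_recipients
    )

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for script, entry in sorted(report.items()):
        print(script, entry["calls"], "calls,", len(entry["recipients"]), "recipients")
    print("review:", suspects(report, max_distinct_recipients=3))
```
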

February 15th, 2012, 07:05 PM   #6 (permalink)
Chuck S (Photopost Developer, Verified Customer)
Join Date: Jun 2002
Location: Abingdon,MD
Posts: 71,676
Well, the altered function I posted should prevent emails from being sent out if they do not have permission.

February 15th, 2012, 07:54 PM   #7 (permalink)
attroll (Member, Verified Customer)
Join Date: Feb 2003
Posts: 364
No disrespect intended here when I say this so don't take this wrong.
If this is a known issue with VBG then why wasn't this put out in an update or make a VBG 2.51.1 release?

February 15th, 2012, 08:26 PM   #8 (permalink)
Chuck S (Photopost Developer, Verified Customer)
Join Date: Jun 2002
Location: Abingdon,MD
Posts: 71,676
This is a brand new issue that has only been discussed the past 2 weeks and investigated, and I posted what my suggestion on a resolution would be. Really you're talking about basically a bot bypassing permissions by going straight to the mailer. What I posted should stop any mail.

February 15th, 2012, 08:46 PM   #9 (permalink)
attroll (Member, Verified Customer)
Join Date: Feb 2003
Posts: 364
I do appreciate your help and all you do and have done and will continue to do.
It is going straight through the mailer via /gallery/misc.php. What I am saying and maybe I am wrong but it is not a VB issue. There should be an announcement and maybe an update put out by VBG before too many others run into this issue that some have already.

OK, I will shut up now. No sense beating a dead horse.

Thank you

February 16th, 2012, 07:26 AM   #10 (permalink)
Chuck S (Photopost Developer, Verified Customer)
Join Date: Jun 2002
Location: Abingdon,MD
Posts: 71,676
They do not do updates for one issue. They may fix the build so no new customer would have the issue but basically once they get a few issues they do a dot release. That is normally how it works.

February 16th, 2012, 11:59 AM   #11 (permalink)
attroll (Member, Verified Customer)
Join Date: Feb 2003
Posts: 364
Great, then you should be doing a dot release soon, now that you know about this.
Thank you. I will be checking back here periodically for the new dot release.

February 16th, 2012, 12:58 PM   #12 (permalink)
Chuck S (Photopost Developer, Verified Customer)
Join Date: Jun 2002
Location: Abingdon,MD
Posts: 71,676
Well, if other issues are reported I am sure, although I believe no more active development is going into the vb3 product line. I know the vb4 vbgallery should be going into beta now that PP8 is out.

February 16th, 2012, 06:50 PM   #13 (permalink)
attroll (Member, Verified Customer)
Join Date: Feb 2003
Posts: 364
I give up.