Re: UPDATE vBulletin Version 3.5.4 exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: UPDATE vBulletin Version 3.5.4 exploit
From: scott@xxxxxxxxxxxxx
Date: 18 Aug 2006 20:40:11 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

If you have the CAPTCHA enabled then the registrations won?t even go through. 
This can be enabled via the Admin Control Panel. It's not enabled by default 
due to extra module requirements in PHP.

The option for CAPTCHA exists in all versions of vBulletin and the majority of 
customers enable it almost immediately.

Though if you are talking about the flood being allowed in the first place then 
surely this is something that should be handled at the server level by modules 
such as mod_evasive.

Scott MacVicar
Development Team, vBulletin

Prev by Date: Re: Concurrency-related vulnerabilities in browsers - expect problems
Next by Date: Joomla MamboWiki Component <= 0.9.4 (MamboLogin.php) Remote File Inclusion Vulnerability
Previous by thread: UPDATE vBulletin Version 3.5.4 exploit
Next by thread: Registration Now Open!: 3rd Annual US OWASP AppSec Conference - Oct 16-18 2006 - Seattle, WA
Index(es):
- Date
- Thread