Still safe, I think?

[Melbourne]

If I understand this correctly, http://legalhackers.com/advisories/vBulletin-SSRF-Vulnerability-Exploit.txt
… it means that we aren’t affected because posting of pictures is disabled on this board:

“vBulletin allows forum users to share media files by uploading them to the
remote server. Some pages allow users to specify a URL to a media file
that a user wants to share which will then be retrieved by vBulletin.
The user-provided links are validated to make sure that users can only access
resources from HTTP/HTTPS protocols and that connections are not allowed in to
the localhost.”

[gnoitall]

Melbourne:

If I understand this correctly, http://legalhackers.com/advisories/vBulletin-SSRF-Vulnerability-Exploit.txt
… it means that we aren’t affected because posting of pictures is disabled on this board:

Well, except for in the Marketplace forum. So the danger space is limited, and Marketplace posters have to be paying subscribers.

Gary Robson sticky:

**Putting images in your posts **

Unlike the rest of the SDMB, the Marketplace forum allows images in your posts (but only in your own threads–please do not add images to someone else’s threads).
Including pictures is straightforward. Just copy the web address (URL) of the picture, and paste it between IMG tags.

From Marketplace run rules sticky

Practically speaking, that means that a bad actor has to go to the trouble of registering and paying for a subscription, and the malware being served up would be explicitly tied to their on-board identity. It’s probably easier and more effective to just put malspam on an advertising provider. Not like that ever happens or anything. :rolleyes:

[voltaire]

Sounds like it would NOT affect posts in the Marketplace forum, or any other; it’s limited to specially crafted links placed in the the attacker’s profile.

HTTP redirects are also prohibited however there is one place in the vBulletin codebase that accepts redirects from the target server specified in a user-provided link. The code is used to upload media files within a logged-in user’s profile and can normally be accessed under a path similar to: http://forum/vBulletin522/member/1-mike/media By specifying a link to a malicious server that returns a 301 HTTP redirect to the URL of http://localhost:3306 for example, an attacker could easily bypass the restrictions presented above and make a connection to mysql/3306 service listening on the localhost. This introduces a Server Side Request Forgery (SSRF) vulnerability.

I haven’t read all the details, but it might be a good idea to disable the posting of links in profiles. (Sorry, avatar script users!)

[voltaire]

gnoitall:

Well, except for in the Marketplace forum. So the danger space is limited, and Marketplace posters have to be paying subscribers.
From Marketplace run rules sticky

Practically speaking, that means that a bad actor has to go to the trouble of registering and paying for a subscription, and the malware being served up would be explicitly tied to their on-board identity. It’s probably easier and more effective to just put malspam on an advertising provider. Not like that ever happens or anything. :rolleyes:

“Malspam on an advertising provider” would generally be targeting us users. This thing would be targeting the board itself.