On Wednesday, January 08, 2014 02:22:28 AM Carlos E. R. wrote:
On 2014-01-08 02:12, John Andersen wrote:
The article, which may not be accurate, says OpenSuse was not running the most current version of vBulletin. It might be fixed already in later versions.
Not in the updated version. Most probably the developer will need to review the authentication and validation processes to move it away.
No, the page says: «Another important claim by the hacker that vBulletin 5.0.5 latest version is also vulnerable to his zero-day exploit and there is no patch yet available to fix it.»
That's right. Neither the last update nor upgrade is able to fix it. The core flaw seems to be in vBulletin itself. From that point of view, there is a bad path to validate the admin user or a weak path to handle authentication. So the software will need better control points to work among layers before granting access.

--
Ricardo Chung | Member openSUSE Projects