Meanwhile, two MEEELION Dota 2 users leaked … from vBulletin forum
Steam’s Dota 2 forums, which run on vBulletin, have leaked a couple of million user names along with MD5-hashed passwords, which at least serves as a salutary reminder that vBulletin has just shipped a patch, so get patching.
The patches cover a server-side request forgery (SSRF) bug in vBulletin 3.8.9, 3.8.10 beta, 4.2.3, 4.2.4 beta, and 5.2.3. An attacker could exploit it to reach services that are meant to be accessible only from inside the forum’s network, such as mail servers and memory caches.
In his advisory, Dawid Golunski, who found the bug, says an “unauthenticated attacker could perform a port scan of the internal services as well as execute arbitrary system commands on a target vBulletin host with a locally installed Zabbix Agent monitoring service.”
The problem lies in how vBulletin fetches the media files forum users link to: although the software tries to stop posters from using HTTP redirects, “there is one place in the vBulletin codebase that accepts redirects from the target server specified in a user-provided link.”
The advisory includes proof-of-concept code.
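To make the redirect problem concrete, here is an added example in Python (not vBulletin’s code, and not the proof-of-concept from Golunski’s advisory). It contrasts a fetcher that vets only the user-supplied URL and then follows Location headers blindly with one that re-checks every hop before requesting it. The hostnames, addresses, the fake DNS and HTTP tables and the function names (`url_is_allowed`, `fetch_unsafe`, `fetch_safe`) are all constructed for the demo; the loopback target on port 11211 stands in for a memory-cache service, and nothing on the network is touched.

```python
import ipaddress
import socket
from urllib.parse import urlparse

MAX_REDIRECTS = 5
REDIRECT_CODES = (301, 302, 303, 307, 308)


def _is_internal(ip_text):
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254), multicast,
    reserved and unspecified addresses.  Python's is_private also covers the
    documentation ranges, so the constructed 'public' hosts below use routable IPs."""
    addr = ipaddress.ip_address(ip_text)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def system_resolver(host):
    """Every A/AAAA answer for host from the OS resolver (used when no fake is injected)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def url_is_allowed(url, resolver=system_resolver):
    """Allow only http(s) URLs whose host resolves exclusively to public addresses."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        try:
            addrs = [str(ipaddress.ip_address(parts.hostname))]  # IP literal: no lookup
        except ValueError:
            addrs = resolver(parts.hostname)
    except (OSError, LookupError):
        return False  # unresolvable: fail closed
    return bool(addrs) and not any(_is_internal(a) for a in addrs)


def fetch_unsafe(url, transport, resolver=system_resolver):
    """Vulnerable pattern: vet the user-supplied URL once, then follow Location blindly."""
    if not url_is_allowed(url, resolver):
        raise ValueError("blocked: " + url)
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = transport(url)
        if status in REDIRECT_CODES and "Location" in headers:
            url = headers["Location"]  # the attacker's server can point this anywhere
            continue
        return url, body
    raise ValueError("too many redirects")


def fetch_safe(url, transport, resolver=system_resolver):
    """Hardened: every hop, including each redirect target, must pass url_is_allowed."""
    for _ in range(MAX_REDIRECTS + 1):
        if not url_is_allowed(url, resolver):
            raise ValueError("blocked: " + url)
        status, headers, body = transport(url)
        if status in REDIRECT_CODES and "Location" in headers:
            url = headers["Location"]
            continue
        return url, body
    raise ValueError("too many redirects")


# --- constructed, offline stand-ins for DNS and HTTP; no network is used ---
FAKE_DNS = {
    "cdn.example.net": ["93.184.216.34"],   # placeholder public address
    "attacker.example": ["151.101.1.140"],  # placeholder public address
}
FAKE_HTTP = {
    "http://cdn.example.net/pic.png": (200, {}, b"\x89PNG... (constructed image bytes)"),
    # the attacker-controlled host answers with a redirect into the forum's own loopback
    "http://attacker.example/pic.png": (302, {"Location": "http://127.0.0.1:11211/"}, b""),
    "http://127.0.0.1:11211/": (200, {}, b"constructed reply from an internal service"),
}


def fake_resolver(host):
    return FAKE_DNS[host]  # KeyError for unknown hosts -> url_is_allowed fails closed


def fake_transport(url):
    return FAKE_HTTP[url]


def demo():
    """Run both fetchers against the attacker's redirecting link and report what happened."""
    final_url, body = fetch_unsafe("http://attacker.example/pic.png", fake_transport, fake_resolver)
    try:
        fetch_safe("http://attacker.example/pic.png", fake_transport, fake_resolver)
        blocked = False
    except ValueError:
        blocked = True
    return {"unsafe_final_url": final_url, "unsafe_body": body, "safe_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

Resolving a name before connecting still leaves a window for DNS rebinding, so a production fetcher should connect to the address it vetted (or re-validate inside the HTTP client's connection hook) rather than let the library resolve the name a second time. Note also that even a refused connection to an internal host can leak whether a port is open, which is the port-scan half of the advisory; the hop has to be rejected before any connection is attempted, as `fetch_safe` does.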
That patch comes as Leakedsource.com warned about the breach of the Dota 2 forums.
That breach was carried out with a simple SQL injection attack, and there looks to have been a serious failure in how the Dota 2 forums were configured.
Passwords were stored as MD5 hashes, and Leakedsource.com claims it has already recovered the plaintext of 80 per cent of the more than 1.9 million passwords.
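Why “stored as MD5” matters, as an added example rather than code from the forums, vBulletin or Leakedsource.com, with a constructed wordlist and constructed user rows (no real leaked data): a dictionary attack against unsalted MD5, where one lookup table cracks every user at once, beside the same attack against per-user salted scrypt records, where every guess has to be recomputed for every user. The helper names (`crack_unsalted_md5`, `scrypt_record`, `crack_salted`, `demo`) are the example's own.

```python
import hashlib
import os

# Constructed sample: a tiny wordlist and leaked rows of the form username -> md5(password).
WORDLIST = ["password", "dota2rocks", "123456", "letmein", "qwerty", "pudge123"]
LEAKED_MD5 = {
    "alice": hashlib.md5(b"password").hexdigest(),
    "bob": hashlib.md5(b"dota2rocks").hexdigest(),
    "carol": hashlib.md5(b"123456").hexdigest(),
    "dave": hashlib.md5(b"password").hexdigest(),       # same password as alice: same hash
    "erin": hashlib.md5(b"Xr9!vK2#qLmZ").hexdigest(),   # not in the wordlist
}

# scrypt parameters for the demo (n=2**14, r=8 uses 16 MiB per call)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def crack_unsalted_md5(hashes, wordlist):
    """Hash each candidate word once, then match every user against the table.
    Cost is len(wordlist) hashes regardless of how many users leaked."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def scrypt_record(password, salt=None):
    """Per-user random salt plus a memory-hard KDF from the standard library."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_scrypt(password, record):
    salt, digest = record
    return hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32) == digest


def crack_salted(records, wordlist):
    """With salts there is no shared table: the KDF runs once per (user, word) pair."""
    cracked = {}
    for user, record in records.items():
        for w in wordlist:
            if verify_scrypt(w, record):
                cracked[user] = w
                break
    return cracked


def demo():
    """Compare both storage schemes on the same weak passwords."""
    md5_hits = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    salted = {user: scrypt_record(pw) for user, pw in [("alice", "password"), ("dave", "password")]}
    return {
        "md5_cracked": sorted(md5_hits),
        "same_password_same_md5": LEAKED_MD5["alice"] == LEAKED_MD5["dave"],
        "same_password_same_scrypt": salted["alice"][1] == salted["dave"][1],
        "salted_cracked": sorted(crack_salted(salted, WORDLIST)),
    }


if __name__ == "__main__":
    print(demo())
```

Salting and a slow KDF do not rescue “password” itself, which still falls on the first guess; what they remove is the ability to crack a whole dump with a single precomputed table, and they multiply the attacker's cost by the number of users and by the KDF's work factor.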
Leakedsource.com’s notice is here, along with a search for your name in the list. If you’re there, and you’ve reused that password, you know what to do. ®