hacking ma bbs


ReLik
May 3rd, 2003, 12:12 AM
I wanted to test an old vBulletin installation I got left from a friend ages ago, I don't use it btw. After searching for any exploits for it (I was just bored and wanted to see what I could do) I found an exploit published here: http://www.xatrix.org/article2034.html. The version is 2.2.5 btw.

Anyway I did what it said and got the sessionid and password hash, but they were encrypted, so I don't see the reason in my patching it because it's encrypted anyway, so no one can get into it.

Also, it's not like the exploit gave my username or password away at all, so even if attackers saw what I did they couldn't do anything.

Am I just reading this all wrong and in fact it's giving away a lot of detail with which someone could hack my bbs? If so, please explain cos I don't understand the benefits of patching this particular exploit.

Noia
May 3rd, 2003, 12:23 AM
Password crackers can do it very fast once they have the hashes. (Relatively fast).

- Noia

ReLik
May 5th, 2003, 05:55 PM
The exploit I listed is a stupid one. It requires the 'target', which was me, to be not logged in, so I'd have to follow the malicious link (without being logged in), then I'd somehow be taken to a login page (which would be suspicious), then I'd have to log in, and then I'd have to go back twice in the browser in order to execute the malicious code.

Anyway thanks, I think I'll go make a md5 decryptor now.

KissCool
May 5th, 2003, 11:14 PM
I think I'll go make a md5 decryptor now


If you succeed in its creation, please send it to me.
It would be a good way to become popular. :D
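
Added example, not written by any poster in this thread: it illustrates Noia's point about hashes and the "md5 decryptor" remark by showing that an MD5 hash is never decrypted, only matched by hashing guesses, and how a salted, slow hash changes the cost for whoever holds a leaked hash. It assumes the board stores unsalted MD5; the wordlist, passwords and PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional, Tuple

# Constructed sample data: a tiny weak-password list for auditing your own hashes.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]
ITERATIONS = 200_000  # assumed work factor for the hardened scheme

def md5_hex(password: str) -> str:
    """Unsalted MD5, the storage scheme assumed for the old board."""
    return hashlib.md5(password.encode()).hexdigest()

def audit_md5(leaked_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate whose MD5 equals the hash, else None.
    Nothing is decrypted: every guess is hashed and compared."""
    for word in candidates:
        if hmac.compare_digest(md5_hex(word), leaked_hash):
            return word
    return None

def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened storage: random per-user salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(pbkdf2_store(password, salt)[1], digest)

def seconds_per_guess(fn, rounds: int) -> float:
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds

def cost_ratio() -> float:
    """How many times more expensive one PBKDF2 guess is than one MD5 guess."""
    fast = seconds_per_guess(lambda: md5_hex("letmein"), 20_000)
    slow = seconds_per_guess(lambda: pbkdf2_store("letmein", b"\x00" * 16), 3)
    return slow / fast

if __name__ == "__main__":
    leaked = md5_hex("letmein")  # constructed "leaked" hash
    print("weak password recovered by guessing:", audit_md5(leaked, WORDLIST))
    print("PBKDF2 guess cost vs MD5: %.0fx" % cost_ratio())
```

Because the MD5 scheme has no salt, one pass over a wordlist tests every account at once; with per-user salts each account has to be guessed separately, at the higher per-guess cost.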