For vBulletin 3.x Boards: Weak Password Hash Decryption Patch

This is an untested (due to lack of documentation available) patch for board owners of the forum software vBulletin versions 3.7.6 and up, and vBulletin 3.8.x and up. Note please that I have not taken a look at the 4.0.x patch, so no clue if this works for 4.0.x board owners with now an expired license who can't upgrade.

Disclaimer: As this is untested, it's also not supported, we do what we can. vBulletin will not support this modification, so be smart: Upgrade via the normal path, and/or patch if possible. And for fuck sake: BACKUP your database AND your files.

The wetalk.network grants distribution of these instructions, pending it was asked first, and that a link back to this thread is included for proper credits.

Original source: For vBulletin 3.x Boards: Weak Password Hash Decryption Patch - vbfans.com
Original announcement from vBulletin.com: Security Fix Releases 3.7.7 and 4.0.2 PL 2

Instructions:

Download: 37_38_security_patch_weak_passwords_hash_decryptio n.txt

There we go I hope that helps a few people patch a security issue with their 3.7 / 3.8 board that decide or can't upgrade and still care about security. But if you ask me, this does NOT fix the actual issue. If they can decrypt the hash, they need the salt, but it shouldn't matter if this is 3 or 30 characters long. They would then already have it. They just need a larger rainbow table to check against.

Special note for vBulletin 4 users who haven't patched or upgraded yet: At this point I would hold off, the define I read in the php file is set to 3 still. I suspect "another" fix to follow soon.