Cupid vbulletin. Which forum is better vBulletin or PunBB. Disabling the user list

You've probably seen forums on the vBulletin engine many times. Forums as such are no longer in fashion, but vBulletin is still one of the most popular engines. In its latest (fifth) version, several vulnerabilities were found that can greatly ruin the life of an administrator. In this article I will tell you how they are used.

The first problem is incorrect filtering of user data. It was reported by an independent security researcher who wished to remain anonymous. The vulnerability, although it has some limitations, has received critical status because it allows you to read any files and execute arbitrary code on the target system.

The second vulnerability was found by researchers from TRUEL IT and received the identifier CVE-2017-17672. It is related to the features of data deserialization in the engine and can be used by an attacker to delete arbitrary files on the system.

Full reports detailing both issues have been published as part of SecuriTeam's Beyond Security program. There are also PoC exploits to demonstrate vulnerabilities. Let's go through all of this in order.

Preparations

I used the WAMP distribution as a server.

Read files, execute commands

So, the reason for the first vulnerability is incorrect logic when processing the routestring parameter, which allows an attacker to include any file on the disk via include and execute the PHP code that is located in it.

Our path begins with the most important file - index.php, where the basic initialization of the application takes place.

/index.php
    48: $app = vB5_Frontend_Application::init("config.php");
    ...
    60: $routing = $app->getRouter();
    61: $method = $routing->getAction();
    62: $template = $routing->getTemplate();
    63: $class = $routing->getControllerClass();

Let's look at the vB5_Frontend_Application::init method.

/includes/vb5/frontend/application.php
    13: class vB5_Frontend_Application extends vB5_ApplicationAbstract
    14: {
    15:     public static function init($configFile)
    16:     {
    17:         parent::init($configFile);
    18:
    19:         self::$instance = new vB5_Frontend_Application();
    20:         self::$instance->router = new vB5_Frontend_Routing();
    21:         self::$instance->router->setRoutes();

Here we are interested in the setRoutes method.

/includes/vb5/frontend/routing.php
    47: public function setRoutes()
    48: {
    49:     $this->processQueryString();
    ...
    54:     if (isset($_GET["routestring"]))
    55:     {
    56:         $path = $_GET["routestring"];

The $path variable contains the userdata value from the routestring parameter. You can pass the path to the forum page into it, and it will be loaded.



Let's say we passed /test.

After assigning a variable, there is a piece of code that gets rid of the slash at the beginning of the line, if present.

/includes/vb5/frontend/routing.php
    75: if (strlen($path) AND $path[0] == "/")
    76: {
    77:     $path = substr($path, 1); // $path = "test"
    78: }

    83: if (strlen($path) > 2)
    84: {
    85:     $ext = strtolower(substr($path, -4));
    86:     if (($ext == ".gif") OR ($ext == ".png") OR ($ext == ".jpg") OR ($ext == ".css")
    87:         OR (strtolower(substr($path, -3)) == ".js"))
    88:     {
    89:         header("HTTP/1.0 404 Not Found");
    90:         die("");
    91:     }
    92: }

As you can see, the check is odd. At the very least, a list of prohibited extensions hard-coded into the source is confusing, and the fact that the "extension" is obtained by cutting the last four characters off the string (line 85) is puzzling. In short, if we request a file with a gif, png, jpg, css or js extension, the server returns a 404 page and the script stops executing. When all checks pass, the getRoute method of the vB_Api_Route class is called through callApi; it looks for a matching route based on the information supplied by the user.
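The denylist above only looks at the last three or four characters of the string; it says nothing about where the string may point. As an added illustration (not vBulletin's code), here is that check reproduced as a function beside the two things a routing layer should do instead: validate the route string syntactically, and resolve its first segment through a fixed table so that no user-controlled text is ever concatenated into an include() path. The function names, the route table and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not vBulletin code: the routing.php denylist next to an
// allowlist-based resolver that never turns the route string into a path.

// The check from lines 83-92 above, wrapped so it can be compared on inputs.
function weak_route_check(string $path): bool
{
    if (strlen($path) > 2) {
        $ext = strtolower(substr($path, -4));
        if ($ext == ".gif" || $ext == ".png" || $ext == ".jpg" || $ext == ".css"
            || strtolower(substr($path, -3)) == ".js") {
            return false;           // the original sends 404 and die()s here
        }
    }
    return true;                    // anything else continues on to getRoute()
}

// Hypothetical syntactic validator, applied after the leading '/' is removed.
function strict_route_check(string $path): bool
{
    if ($path === '' || strlen($path) > 255 || strpos($path, "\0") !== false) {
        return false;               // empty, oversized, or contains a NUL byte
    }
    // Letters, digits, '_', '-', '.' and '/' only; \z (not $) so a trailing
    // newline cannot slip past the anchor.
    if (!preg_match('#^[A-Za-z0-9_./-]+\z#', $path)) {
        return false;
    }
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return false;           // no empty segments, no traversal
        }
    }
    return true;
}

// The structural fix: the first segment selects a controller from a fixed
// table and the remainder is handed to it as data. Table is constructed.
const ROUTE_TABLE = [
    'forum'  => 'Controller_Forum',
    'member' => 'Controller_Member',
    'search' => 'Controller_Search',
];

function resolve_route(string $path): ?array
{
    if (!strict_route_check($path)) {
        return null;
    }
    $parts = explode('/', $path, 2);
    if (!array_key_exists($parts[0], ROUTE_TABLE)) {
        return null;                // unknown prefix: 404, never a filesystem lookup
    }
    return ['controller' => ROUTE_TABLE[$parts[0]], 'rest' => $parts[1] ?? ''];
}

// Constructed sample inputs: a normal route, a traversal attempt, a NUL byte.
foreach (['forum/general/12-welcome', '../includes/config.php', "member/1\0.png"] as $p) {
    printf("%-30s weak=%-5s strict=%-5s route=%s\n",
        json_encode($p, JSON_UNESCAPED_SLASHES),
        weak_route_check($p) ? 'pass' : 'block',
        strict_route_check($p) ? 'pass' : 'block',
        json_encode(resolve_route($p), JSON_UNESCAPED_SLASHES));
}
```

The point of the comparison is that the denylist passes the traversal string unchanged while the validator and the table both reject it; the table is the part that actually removes the file-inclusion risk, because even a string that survives validation can only ever select one of three known classes.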


Any engine requires certain actions to optimize it for better and faster performance. In our case, we will talk about optimizing Vbulletin 4.

Since our forum engine is constantly updated, I will not write about optimization of earlier versions of Vbulletin, but will start with version 4.1.12. Although, perhaps, I will gradually supplement this article with optimization for previous versions, since not everyone switches to newer ones.

Here I will give some examples to make your Vbulletin forum faster and better (starting with the simplest things and moving on to more complex ones). Please keep in mind that what works for me will not necessarily work for you. Therefore, you make all changes at your own peril and risk.

Disabling the user list.

The simplest option is to disable the feature in AdminCP (Settings -> Options -> User Listing Options).

This is not a global change, of course, and you can skip it; just ask yourself whether you need it. With the list, users can sort it and see who has the most posts, reputation and so on. Do your users actually use this? Probably not. When did you last use this list yourself?

Personally, I think these lists only benefit spammers, since they are the easiest way to collect the names of all Vbulletin 4 forum members for private-message spam.

In addition, the query required to generate a list of users is terrible for database servers and can lead to a large server load.

Increased speed when processing a list of personal messages.

If you have never imported private messages from external sources using Impex or other means, you can safely rely on ID sorting for private messages. Sorting by ID will make it so that your database server doesn't have to dump private messages into a temporary table to perform the sort (making the query much faster).

To do this, register a small plugin at the private_messagelist_filter hook location and put the following in it:

    if ($sortfield == "pmtext.dateline") $sortfield = "pm.pmid";

And that's it, you've just made private.php ~20% faster.


We set up a more efficient search for the latest messages from the user.

Connect over FTP, open the file includes/class_userprofile.php, and replace the following code. Look for:

    $getlastposts = $this->registry->db->query_read_slave("
        SELECT thread.title, thread.threadid, thread.forumid, thread.postuserid,
               post.postid, post.dateline
        FROM " . TABLE_PREFIX . "post AS post
        INNER JOIN " . TABLE_PREFIX . "thread AS thread USING (threadid)
        WHERE thread.visible = 1
          AND post.userid = " . $this->userinfo["userid"] . "
          AND post.visible = 1
        ORDER BY post.dateline DESC
        LIMIT 20
    ");

and replace it with this (more specifically ORDER BY):

    $getlastposts = $this->registry->db->query_read_slave("
        SELECT thread.title, thread.threadid, thread.forumid, thread.postuserid,
               post.postid, post.dateline
        FROM " . TABLE_PREFIX . "post AS post
        INNER JOIN " . TABLE_PREFIX . "thread AS thread USING (threadid)
        WHERE thread.visible = 1
          AND post.userid = " . $this->userinfo["userid"] . "
          AND post.visible = 1
        ORDER BY post.postid DESC
        LIMIT 20
    ");

This makes the query somewhat better than before: the sort no longer goes through a temporary table. For users with more than 1000 posts the original query could take about 10 seconds; in our case it takes far less. This mainly affects the Vbulletin 4 user profile, which displays recent posts.
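The private-message hook and the class_userprofile.php edit above share one idea: when rows were never imported out of order, the primary key rises together with dateline, so sorting on the key gives the same order and lets the index do the work. As an added example (not vBulletin's code, and not the vB4 code path that builds $sortfield), here is a small helper that applies that idea for both lists while keeping the sort column out of the hands of the request: the user supplies a key, the key is mapped through a fixed table, and only the table's column name is interpolated into the SQL. The SORT_COLUMNS table, the function names, the 'vb_' prefix and the sample calls are assumptions.

```php
<?php
// Added example, not vBulletin code. Builds the ORDER BY for the "recent
// posts" and PM list queries from an allowlist, so the sort column is never
// taken verbatim from the request, and maps "newest first" to the primary
// key as the page's two rewrites do (index-backed sort, no temporary table).

// Sort keys a user may request -> the column that is actually sorted on.
// 'date' deliberately maps to the key column (post.postid, pm.pmid) instead
// of the dateline column. Only valid while ids are monotonic, i.e. private
// messages were never imported with Impex or similar tools.
const SORT_COLUMNS = [
    'post' => ['date' => 'post.postid', 'title' => 'thread.title'],
    'pm'   => ['date' => 'pm.pmid',     'title' => 'pmtext.title'],
];

function order_by_clause(string $list, string $requestedKey, string $dir): string
{
    $columns = SORT_COLUMNS[$list] ?? null;
    if ($columns === null) {
        throw new InvalidArgumentException("unknown list: $list");
    }
    // Unknown keys fall back to the default instead of reaching the SQL text.
    $column = $columns[$requestedKey] ?? $columns['date'];
    // Direction is likewise reduced to one of two fixed literals.
    $direction = strtoupper($dir) === 'ASC' ? 'ASC' : 'DESC';
    return "ORDER BY $column $direction";
}

// Same SELECT as the class_userprofile.php snippet, with the ORDER BY supplied
// by the allowlist. $userId is typed int, so interpolating it cannot inject.
function recent_posts_query(int $userId, string $sortKey, string $dir, string $prefix = ''): string
{
    return "SELECT thread.title, thread.threadid, thread.forumid, thread.postuserid,"
         . " post.postid, post.dateline"
         . " FROM {$prefix}post AS post"
         . " INNER JOIN {$prefix}thread AS thread USING (threadid)"
         . " WHERE thread.visible = 1 AND post.userid = $userId AND post.visible = 1 "
         . order_by_clause('post', $sortKey, $dir)
         . " LIMIT 20";
}

// Constructed requests: a normal one, and one whose sort parameter carries
// SQL. The second still yields "ORDER BY post.postid DESC".
echo recent_posts_query(42, 'date', 'desc', 'vb_'), "\n";
echo recent_posts_query(42, 'dateline; DROP TABLE post', 'desc', 'vb_'), "\n";
echo order_by_clause('pm', 'date', 'desc'), "\n";
```

Whether the rewritten ORDER BY really avoids the temporary table is something to confirm with EXPLAIN on your own server: the Extra column should no longer show "Using temporary; Using filesort" for the query once it sorts on the key column.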

Checking the topic index.

If your forums use the default sort order, unchanged as in the steps above, make sure that all indexes are present in their tables. There have been cases where indexes overlapped for reasons unknown to me and some forums would not open.

I propose that the default sorting be in date form (the column that uses this data is called “dateline”), and to implement this, let’s run the query:

ALTER TABLE thread ADD INDEX forumid2_dp (forumid, visible, sticky, dateline)

This query is specific to my setup; in your case, replace forumid2_dp with your own index name. Use at your own risk.

Be careful when installing add-ons.

Just because someone makes modules and hacks doesn't mean they're made just for you, worked on the big Vbulletin 4 forums, and are bug-free. An excellent example is the reports of mass hacks through one hack or another.

Of course, we can accept that the developers cannot take everything into account and sift through every hack so that they do not conflict, but... Make sure a Vbulletin module does not cause a heavy database load, and make sure the hack has at least some protection against SQL injection or XSS. Unfortunately, there are thousands of applications and modifications, and it is simply not possible to check them all. It is better to write all the hacks yourself, or to have them written for you, tailored specifically to you and your tasks.

Don't use tables in InnoDB.

Here, of course, people may spit in my face, since this topic has already been discussed a million times, but from my own experience I can say that I run 100% on MyISAM tables for everything. Sometimes I handle 1000 queries per second.

If you are already getting frustrated by everything hanging during queries, especially in the new Vbulletin search, convert the InnoDB tables to MyISAM. MyISAM responds faster to individual queries because it does not have to manage row-level locking. InnoDB is faster overall, but only because it lets queries run concurrently. If your queries already run fast under MyISAM, there is no need to switch to InnoDB. IMHO.


  • From:
  • Registered: 2014.07.07
  • Posts: 3,825
  • I just like PunBB:
  • 5 years, 8 months, 20 days,
  • Likes: 480

Topic: Which forum is better vBulletin or PunBB

VBulletin (Vobla or Bulka, as we like to call it) is one of the oldest commercial forum engines written using PHP and MySQL technologies. Since the release of the very first version in 2000, a tremendous amount of work has been done to improve functionality, which allowed VB to be included in the list of the best software products.

A VBulletin license will cost you around $250. Rest assured, this is a completely justified expenditure and will certainly pay for itself by saving working time and nerve cells. Most of this money goes to developers and programmers, who will later use it to improve functionality and release patches and additions (yes, all updates will be delivered to you for free throughout the year).

2 Reply by PunBB


There is no point in listing all VBulletin functions. They implemented almost everything that forum administrators might need. Podcasting, multi-citation support, division into social groups and communities, rating system (reputation). The basic package can be supplemented with third-party extensions.

The VBulletin forum engine creates a serious load on the server, especially if third-party add-ons and scripts are installed. To avoid problems with loading pages in the future, you will have to fork out for normal hosting. Especially if you predict more traffic for your resource in the future.

3 Reply by PunBB


Re: Which forum is better vBulletin or PunBB

VBulletin, due to its extreme resistance to hacking and spambots, is recommended for use in large serious projects. In addition, standard settings and configuration files can be easily changed in your own way, achieving even greater effect. There are many instructions and guides from folk craftsmen on the Internet, although not all of them should be trusted.

VBulletin implements large-scale ideas in the best possible way. Constant updates, high-quality service, additional extensions and reliable security mechanisms - all this fully justifies the money spent on the product.

4 Reply by PunBB


Re: Which forum is better vBulletin or PunBB

There is no point in listing all the functions - it (or the add-ons) implements almost everything that an administrator might need to create a forum. There is multi-citation, support for podcasting, user communities, social groups, a flexible reputation system and much more.

Of course, vBulletin has a large number of add-ons and user communities, so there will be no problems with maintenance, especially since there is an official support team. The disadvantage of vBulletin, although not very big, is the paid additions, for example, for user blogs.

By and large, the forum has no shortcomings. It can be recommended for large serious projects precisely because of its reliability and resistance to all kinds of attacks. As a result, it creates a significant load on the server, especially with installed add-ons, but for serious projects they usually use serious servers and serious administrators.

Main advantages:

  • Fast and efficient database framework
  • Interface consisting of templates
  • Powerful search engine
  • Multi-language support
  • User Profiles
  • Powerful and convenient admin panel
  • Unlimited number of sections/topics/messages
  • Notifications by email
  • COPPA support

Because the vendor does not provide an installable demo of the forum, I had to install an unofficial copy downloaded from some warez site. So the instructions may not fully match the installation process of the licensed forum. After installation, the site was deleted and was not used for its intended purpose.

To install vBulletin, go to the hosting control panel (the button with a gear next to the hosting order in billing), there in the “File Manager”, in it we go to the “www” directory. Click the "Upload file to current directory" button:

Specify the path to the file on your computer:

Select the archive with vBulletin and unpack it:

Delete the files and directories you do not need, including the directory of the www domain, provided there is nothing you need in it. If you are not installing at the root of the site, or the site directory contains something you need, do not delete the www domain directory:

Select the directory with the vBulletin installer and rename it:

Enter the name of our site as the directory name:

Go to the "Databases" section of the hosting control panel:

Create a new MySQL database and a user with full access rights to it:

Please note that both the user and the database automatically received a prefix based on the name of your account on the hosting server:

We go to the main page of our site and receive the following vBulletin error:

We enter the path to the installer in the address bar, add “install/install.php”, after which the vBulletin forum installation program starts:

The vBulletin installer checks for the presence of the following files:

The next step checks the connection to the database. It fails, because the forum configuration file still contains incorrect data:

We return to the hosting control panel, file manager, go to the directory with the forum, then the “includes” subdirectory. Open the file "config.php":

We enter the correct data from the database into the configuration file, after which we close it:

Return to the installer on the site and press F5; this time everything is fine and the database connection succeeds:

The vBulletin installer creates tables in the database:

The vBulletin installer changes the types of some tables:

Data is entered into the database:

Imported languages:

Styles are imported:

Help is imported:

We do not touch the default settings; the vBulletin installation program determined everything correctly:

Default settings are imported:

Enter the vBulletin administrator information:

The vBulletin administrator has been successfully added:

Installation of vBulletin on hosting has been successfully completed:

Following the installer's last advice, delete unnecessary files:

You can go to the vBulletin forum to make sure everything is working correctly:




vBulletin Connect v5.3.3 is a powerful, scalable and fully customizable forum package for your website. Version:

5.3.3 (Nulled by vBSupport.org)
Minimum requirements php 5.6
Compatible with php 7.1
For a new installation, you must rename the htaccess.txt file to .htaccess

When updating, delete the fonts folder (before starting the update).
New features:
New UI with extensive social integration;
Optimized for mobile devices;
Simplified installation, management and configuration;
New database architecture for improved search and better performance;
Convenient dynamic content editing;
Improved video and image sharing;
More than 100 other new features and improvements;

Built-in applications:
Discussion forum
Groups
Polls
Blog

Search Engine Optimization:
SEO friendly URLs
Custom Keyword/Description META Tag

Flexibility:
Extensible user profiles
URL rewriting
Interface localization
Metadata

Compliance with standards:
Content Syndication (RSS)
Content syndication: RSS, Atom, XML
PHP v5.4 compatible

Seamlessly integrated system:
Single sign-on
Single permission system
Single admin control panel
One consistent style/theme across Articles, Blogs and Forum

Dashboards for each role:
Administrator control panel
Moderator control panel
User control panel
Unified permission system
Powerful template engine for advanced customization

User Control:
Multi-user system with unlimited roles and permissions
User groups
Security
Granular permissions
Problem notification
SSL compatible
Captcha
Email address confirmation
Administrative Control Panel news editor
Login "strike" system
Email and password changes require the current password
Compliant with the Children's Online Privacy Protection Act (COPPA) of 1998

1. Go to the administrator control panel:
   Languages & Phrases - Download / Upload Languages.
2. In the "EITHER upload the XML file from your computer" field, enter the path to
   the vbulletin-language_ru.xml file on your computer.
3. In the "Overwrite Language" option, select "Create New Language".
4. In the "Title for Uploaded Language" field, enter the name of the language.
   If nothing is entered, the language will be called "Russian (RU)".
5. Set "Ignore Language Version" to "Yes".
6. Set "Read Charset from XML File" to "Yes".
7. Click the "Import" button and wait for the import process to complete.
7a. If desired, you can make the new language the default language
   by clicking the "Default" / "Default Value" button next to it.