Cold-blooded vbulletin. Which forum is better vBulletin or PunBB

You must have seen forums on the vBulletin engine more than once. Forums as such are no longer at the height of fashion, but vBulletin is still one of the most popular engines. In its latest (fifth) version, several vulnerabilities were found that can make an administrator's life miserable. In this article, I'll show you how they work.

The first problem is incorrect filtering of user data. It was reported by an independent security researcher who wished to remain anonymous. Although it has some limitations, the vulnerability was rated critical, because it allows reading arbitrary files and executing arbitrary code on the target system.

The second vulnerability was found by researchers from TRUEL IT and received the identifier CVE-2017-17672. It is related to the features of data deserialization in the engine and can be used by an attacker to delete arbitrary files in the system.

Full reports detailing both issues have been published as part of SecuriTeam's Beyond Security program. PoC exploits demonstrating the vulnerabilities are also available. Let's go through all of this in order.

Preparations

I used the WAMP distribution as a server.

Reading files, executing commands

So, the cause of the first vulnerability is incorrect logic when processing the routestring parameter, which lets an attacker pull in any file on disk via include and run the PHP code it contains.

Our path begins with the most important file - index.php, where the basic initialization of the application takes place.

/index.php
48: $app = vB5_Frontend_Application::init("config.php");
...
60: $routing = $app->getRouter();
61: $method = $routing->getAction();
62: $template = $routing->getTemplate();
63: $class = $routing->getControllerClass();

Let's look at the vB5_Frontend_Application::init method.

/includes/vb5/frontend/application.php
13: class vB5_Frontend_Application extends vB5_ApplicationAbstract
14: {
15:     public static function init($configFile)
16:     {
17:         parent::init($configFile);
18:
19:         self::$instance = new vB5_Frontend_Application();
20:         self::$instance->router = new vB5_Frontend_Routing();
21:         self::$instance->router->setRoutes();

Here we are interested in the setRoutes method.

47: public function setRoutes()
48: {
49:     $this->processQueryString();
...
54:     if (isset($_GET['routestring']))
55:     {
56:         $path = $_GET['routestring'];

The $path variable receives the user-supplied value of the routestring parameter. You pass the path of a forum page in it, and that page is loaded.



Let's say we passed /test.

After the variable is assigned, a piece of code follows that strips the leading slash, if there is one.

/includes/vb5/frontend/routing.php
75: if (strlen($path) AND $path[0] == "/")
76: {
77:     $path = substr($path, 1); // $path = "test"
78: }
...
83: if (strlen($path) > 2)
84: {
85:     $ext = strtolower(substr($path, -4));
86:     if (($ext == ".gif") OR ($ext == ".png") OR ($ext == ".jpg") OR ($ext == ".css")
87:         OR (strtolower(substr($path, -3)) == ".js"))
88:     {
89:         header("HTTP/1.0 404 Not Found");
90:         die("");
91:     }
92: }

As you can see, the check is rather strange. At the very least, a list of forbidden extensions hard-coded right in the source is confusing, and the very fact that the extension is obtained by cutting four characters off the end of the string (line 85) is puzzling. In short, if we request a file with the extension gif, png, jpg, css or js, the server returns a 404 page and the script stops. Once all checks are passed, the getRoute method of the vB_Api_Route class is called via callApi; it looks for suitable routes based on the information supplied by the user.
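To make the weakness of that check concrete, here is an added example (my own code, not vBulletin's): the suffix denylist from the listing reproduced for comparison, beside an allowlist-based validator that decides by what a route may contain. The function names and the allowed-character rule are assumptions of this example, not the engine's.

```php
<?php
// Added example, not vBulletin's code: the suffix check from the listing above,
// reproduced for comparison, beside an allowlist-based route validator.
// Function names and the allowed-character rule are assumptions of this example.

// The weak pattern: only the trailing four (or three) characters are inspected,
// and only a short hard-coded list of static-asset extensions is refused.
function weak_route_check(string $path): bool
{
    if (strlen($path) > 2) {
        $ext = strtolower(substr($path, -4));
        if (in_array($ext, ['.gif', '.png', '.jpg', '.css'], true)
            || strtolower(substr($path, -3)) === '.js') {
            return false;   // the original answers 404 and die()s here
        }
    }
    return true;            // everything else reaches the router
}

// Hardened variant: describe what a route may contain instead of listing a few
// suffixes it must not end with. Assumed rule: every segment is [A-Za-z0-9_-]+,
// so '.', '..', NUL bytes and empty segments ('//') are all refused.
function safe_route_check(string $path): bool
{
    if ($path !== '' && $path[0] === '/') {
        $path = substr($path, 1);   // same leading-slash strip as the original
    }
    if ($path === '') {
        return true;                // empty route = front page
    }
    foreach (explode('/', $path) as $segment) {
        if (!preg_match('/^[A-Za-z0-9_-]+$/D', $segment)) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs (not from the page); the last two are values a
// four-character suffix denylist never even looks at.
$samples = [
    '/test',
    'forum/general-discussion',
    'images/logo.png',
    '../../some/other/file',
    'forum//general',
];
foreach ($samples as $s) {
    printf("%-26s weak=%-5s safe=%s\n", $s,
        weak_route_check($s) ? 'route' : '404',
        safe_route_check($s) ? 'route' : '404');
}
```

Run it with the PHP CLI; the two traversal-style inputs are passed straight to the router by the weak check and refused by the allowlist one.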



vBulletin Connect v5.3.3 is a powerful, scalable and fully customizable forum package for your site.

Version: 5.3.3 (Nulled by vBSupport.org)

Minimum requirement: PHP 5.6
Compatible with PHP 7.1
On a fresh installation, you need to rename the htaccess.txt file to .htaccess
When updating, delete the fonts folder (before starting the update).

New features:
New UI with extensive social integration;
Optimized for mobile devices;
Simplified installation, management and configuration;
New database architecture for improved search and better performance;
Convenient dynamic content change;
Extended video and image sharing;
Full integration with VigLink;
More than 100 other new features and improvements;

Embedded Applications:
Discussion forum
Groups
Polls
Blog

Search Engine Optimization:
SEO Friendly URLs
Custom keyword/description META tag

Flexibility:
Expandable user profiles
URL rewriting
Interface localization
metadata

Compliance standards:
Syndicate content (RSS)
Content syndication: RSS, Atom, XML
PHP v5.4 compatible

Seamlessly integrated system:
Single sign-on
Single permission system
Single admin control panel
Consistent Style/Theme across Articles, Blogs, Forum

Control panels for each role:
Administrative controls
Moderator control panel
User Control Panel
Shared permission system
Powerful template engine for advanced customization

User control:
Multi-user system with unlimited roles and permissions
Groups
Security
Granular permissions
Problem notification
SSL compatible
Captcha
Email verification
Administrator control panel news editor
Login "strike" system
Email and Password changes require current password
Compatible with Children's Online Privacy Protection Act (COPPA) 1998

1. Go to the administrator control panel: Languages & Phrases - Download / Upload Languages.
2. In the "EITHER upload the XML file from your computer" field, enter the path to the vbulletin-language_ru.xml file on your computer.
3. In the "Overwrite Language" option, select "Create New Language".
4. In the "Title for Uploaded Language" field, enter the name of the language. If left blank, the language will be called "Russian (RU)".
5. Set "Ignore Language Version" to "Yes".
6. Set "Read Charset from XML File" to "Yes".
7. Click the "Import" button and wait for the import to complete.
7A. If desired, you can make the new language the default by clicking the "Default" button next to it.





  • From:
  • Registered: 2014.07.07
  • Posts: 3,825
  • I just like PunBB:
  • 5 years, 8 months, 20 days,
  • Likes: 480

Topic: Which forum is better vBulletin or PunBB

VBulletin (Vobla or Bulka, as we like to call it) is one of the oldest commercial forum engines written using PHP and MySQL technologies. Since the release of the very first version in 2000, tremendous work has been done to improve the functionality, which allowed VB to get into the list of the best software products.

The VBulletin license will cost you around $250. Do not hesitate, this is a completely justified expense and will certainly pay for itself by saving working time and nerve cells. Most of this money goes to developers and programmers, who will later use it to refine the functionality and release patches and add-ons (yes, all updates will be delivered to you for free during the year).

2 Reply by PunBB

  • From: Moscow, Sovkhoznay 3, apt. 98
  • Registered: 2014.07.07
  • Posts: 3,825
  • I just like PunBB:
  • 5 years, 8 months, 20 days,
  • Likes: 480

It makes no sense to enumerate all the functions of VBulletin. They implemented almost everything that forum administrators might need. Podcasting, multiquoting support, division into social groups and communities, rating system (reputation). The basic package can be supplemented with third-party extensions.

The VBulletin forum engine creates a serious load on the server, especially if third-party add-ons and scripts are installed. To avoid problems with page loading in the future, you will have to fork out for decent hosting, especially if you expect a lot of traffic to your resource.

3 Reply by PunBB


Re: Which forum is better vBulletin or PunBB

VBulletin, due to its extreme resistance to hacking and spam bots, is recommended for use in large, serious projects. In addition, the default settings and configuration files can be easily changed to your own taste, achieving even greater effect. There are many instructions and guides on the Internet from craftsmen, though not all of them should be trusted.

VBulletin implements large-scale ideas in the best possible way. Constant updates, high-quality service, additional extensions and reliable security mechanisms - all this fully justifies the money spent on the product.

4 Reply by PunBB


Re: Which forum is better vBulletin or PunBB

It makes no sense to list all the functions - it (or its add-ons) implements almost everything an administrator may need to create a forum. There is multiquoting, podcasting support, user communities, social groups, a flexible reputation system, and much more.

Of course, vBulletin has a large number of add-ons and user communities, so there will be no maintenance problems, especially since there is an official support service. The disadvantage of vBulletin, albeit not very big, is the paid add-ons, for example, for user blogs.

By and large, the forum has no shortcomings. It can be recommended for large serious projects precisely because of its reliability and resistance to all kinds of attacks. True, it creates a significant load on the server, especially with add-ons installed, but serious projects usually have serious servers and serious administrators.

Any engine requires certain actions to optimize it for better and faster performance. In our case, we will talk about Vbulletin 4 optimization.

Since the engine of our forum is constantly updated, I will not write about optimizing earlier versions of Vbulletin and will start with version 4.1.12. I may gradually supplement this article with optimizations for previous versions, since not everyone is switching to newer ones.

Here I will give some examples to make your Vbulletin forum faster and better (starting with the simplest things and moving on to the more complex ones). Keep in mind that what works for me may not necessarily work for you, so you make all changes at your own risk.

Disable the user list.

There is an easy way, just disable the feature in the AdminCP. (Settings -> Options -> User Listing Options)

This isn't a global change, of course, and you can skip it, but ask yourself whether you need it. With the list, users can sort it and see who has more posts, more reputation, and so on. Do your users use it? Probably not... when did you last use this list yourself?

Personally, it seems to me that these lists only benefit spammers, since this is the easiest way to collect the names of all members of a Vbulletin 4 forum for spamming via private messages.

In addition, the query that is required to generate a list of users is terrible for database servers and can lead to a heavy load on the server.

Faster private message list.

If you have never imported private messages from external sources using Impex or other means, you can safely rely on sorting by ID for private messages. Sorting by ID will make sure that your database server doesn't have to dump private messages into a temporary table to perform the sort (making the query much faster).

To do this, write a small plugin at the private_messagelist_filter hook location containing the following:

if ($sortfield == 'pmtext.dateline')
{
    // pm.pmid increases with time, so sorting on it gives the same order
    // as pmtext.dateline without a temporary table
    $sortfield = 'pm.pmid';
}

And that's it, you just made private.php ~20% faster.


A more efficient query for a user's latest posts.

Open includes/class_userprofile.php over FTP and find:

$getlastposts = $this->registry->db->query_read_slave("
    SELECT thread.title, thread.threadid, thread.forumid, thread.postuserid,
           post.postid, post.dateline
    FROM " . TABLE_PREFIX . "post AS post
    INNER JOIN " . TABLE_PREFIX . "thread AS thread USING (threadid)
    WHERE thread.visible = 1
      AND post.userid = " . $this->userinfo["userid"] . "
      AND post.visible = 1
    ORDER BY post.dateline DESC
    LIMIT 20
");

and replace it with this (the change is in ORDER BY):

$getlastposts = $this->registry->db->query_read_slave("
    SELECT thread.title, thread.threadid, thread.forumid, thread.postuserid,
           post.postid, post.dateline
    FROM " . TABLE_PREFIX . "post AS post
    INNER JOIN " . TABLE_PREFIX . "thread AS thread USING (threadid)
    WHERE thread.visible = 1
      AND post.userid = " . $this->userinfo["userid"] . "
      AND post.visible = 1
    ORDER BY post.postid DESC
    LIMIT 20
");

This makes the query a little more correct than it currently is. Thus, you do not have to sort into a temporary table. For users who have more than 1000 messages, the initial request would take about 10 seconds, in our case much less. This primarily applies to the Vbulletin 4 user profile to display the latest posts.

Thread index check.

If your forums have a default sort order and it is left unchanged, as we did above, make sure all the indexes are present in their tables. There were cases when the indexes, for reasons unknown to me, overlapped and some forums did not open.

My suggestion is to make the default sort by date (the column holding it is called "dateline"); to support that, run this query:

ALTER TABLE thread ADD INDEX forumid2_dp (forumid, visible, sticky, dateline)

This query is specific to my setup; in your case, replace forumid2_dp with an index name of your own. Use at your own risk.
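The ORDER BY rewrite above and this index check both come down to the same question: does MySQL still need a filesort or a temporary table for the query, and is the expected index there? The following is an added helper script (my own code, not part of vBulletin) that runs EXPLAIN on the original and rewritten "latest posts" queries and lists the indexes on the thread table; the connection details, the TABLE_PREFIX value and the sample user id are placeholders you must replace.

```php
<?php
// Added example, not vBulletin code. Runs EXPLAIN on both forms of the
// "latest posts" query and lists the indexes on the thread table.
// Assumptions: connection details, TABLE_PREFIX and the user id are placeholders.
const TABLE_PREFIX = 'vb_';   // assumed prefix; set to your forum's value
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die("connect failed: " . $db->connect_error . "\n");
}

// Same query as in class_userprofile.php; only ORDER BY varies.
function last_posts_sql(string $orderBy, int $userid): string
{
    return "SELECT thread.title, thread.threadid, thread.forumid, thread.postuserid,
                   post.postid, post.dateline
            FROM " . TABLE_PREFIX . "post AS post
            INNER JOIN " . TABLE_PREFIX . "thread AS thread USING (threadid)
            WHERE thread.visible = 1 AND post.userid = $userid AND post.visible = 1
            ORDER BY $orderBy DESC LIMIT 20";
}

// Returns one "table: key / Extra" line per EXPLAIN row. "Using filesort" or
// "Using temporary" in Extra is the symptom the article wants removed.
function explain_rows(mysqli $db, string $sql): array
{
    $lines = [];
    $res = $db->query("EXPLAIN " . $sql);
    while ($row = $res->fetch_assoc()) {
        $lines[] = sprintf("%s: key=%s / %s",
            $row['table'], $row['key'] ?? 'NULL', $row['Extra'] ?? '');
    }
    return $lines;
}

$userid = 1;   // constructed sample id; pick a user with many posts
foreach (['post.dateline', 'post.postid'] as $orderBy) {
    echo "ORDER BY $orderBy\n";
    foreach (explain_rows($db, last_posts_sql($orderBy, $userid)) as $line) {
        echo "  $line\n";
    }
}

// Thread index check: group SHOW INDEX output by index name so a composite
// index such as forumid2_dp (forumid, visible, sticky, dateline) is easy to spot.
$indexes = [];
$res = $db->query("SHOW INDEX FROM " . TABLE_PREFIX . "thread");
while ($row = $res->fetch_assoc()) {
    $indexes[$row['Key_name']][] = $row['Column_name'];
}
echo "Indexes on " . TABLE_PREFIX . "thread:\n";
foreach ($indexes as $name => $cols) {
    echo "  $name (" . implode(', ', $cols) . ")\n";
}
```

Run it against a read replica or at a quiet time; EXPLAIN itself is cheap, but SHOW INDEX on a large table can take a moment.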

Be careful when installing add-ons.

Just because someone writes modules and mods (hacks) doesn't mean they were made for your situation, have run on big Vbulletin 4 forums, or are free of bugs. Reports of mass compromises through one mod or another are a good example.

Of course, one can assume that the developers can't account for everything and sift through all the mods so that they don't conflict, but... Make sure a Vbulletin module doesn't cause heavy database load, and make sure the mod protects against SQL injection and XSS. Unfortunately, there are thousands of applications and modifications, and checking them all is simply unrealistic. It is better to write all your mods yourself, or commission them, specifically for you and your tasks.

Don't use InnoDB tables.

I may get flak for this, since the topic has been discussed a million times, but from my own experience I can say that I run MyISAM tables exclusively for everything. Sometimes I process 1000 requests per second.

If you are already tearing your hair out because everything hangs on queries, especially in the new Vbulletin search, convert the InnoDB tables to MyISAM. MyISAM responds faster to individual requests because it does not need to manage row-level locking. InnoDB is faster overall, but only because it lets queries run concurrently. If your queries already run fast under MyISAM, there is no need to switch to InnoDB. IMHO.


Main advantages:

  • Fast and efficient database-driven design
  • Template interface
  • Powerful search engine
  • Multi-language support
  • User profiles
  • Powerful and user-friendly admin panel
  • Unlimited number of sections/topics/messages
  • Email notifications
  • COPPA Support

Because the vendor does not provide an installable demo of the forum, I had to install a pirated copy downloaded from some warez site. So the instructions may not exactly match the installation of a licensed forum. After the installation, the site was removed and was not used for its intended purpose.

To install vBulletin, go to the hosting control panel (the button with a gear next to the hosting order in the billing), go to the "File Manager", go to the "www" directory. Click the "Upload file to current directory" button:

Specify the path to the file on your computer:

Select the archive with vBulletin, unpack it:

Delete the files and directories we don't need, including our domain's www directory, provided there is nothing you need in it. If you are not installing in the site root, or the site directory contains something you need, do not delete the domain's www directory:

Select the directory with the vBulletin installer, rename it:

Enter the name of our site as the name of the directory:

Go to the "Databases" section of the hosting control panel:

Create a new MySQL database, and a user with full access rights to it:

Please note that both the user and the database are automatically prefixed with the name of your account on the hosting server:

Opening the main page of our site gives the following vBulletin error:

Type the installer path into the address bar by appending "install/install.php" to the site URL; the vBulletin forum installation program then starts:

The vBulletin installer checks for the files:

The next step checks the database connection. It fails, because the forum configuration file contains incorrect data:

Back in the hosting control panel's file manager, go to the forum directory, then the "includes" subdirectory, and open the "config.php" file:

Enter the correct database details into the configuration file, then save and close it:

Return to the installer on the site and press F5. This time everything is fine and the database connection succeeds:

The vBulletin installer creates tables in the database:

The vBulletin installer changes the types of some tables:

Entering data into the database:

Languages are imported:

Styles are imported:

Help is imported:

We leave the default settings alone; the vBulletin installer detected everything correctly:

The default settings are imported:

Enter vBulletin administrator details:

vBulletin admin added successfully:

vBulletin installation on hosting completed successfully:

Following the last advice of the installer, delete unnecessary files:

You can go to the vBulletin forum to make sure everything works correctly: