vb.org Archive


Amenadiel 10-12-2008 11:51 PM

Is Vbulletin safe against RFI?
 
My site has been hacked. It was my fault because I had weak permissions plus a script that allowed images to be uploaded without any further verification. As a result of this I got a jpg that contained a shell script which got executed via RFI.

As countermeasures I secured the permissions, but I also disallowed any means of image uploading including vBulletin custom avatars, signatures, profile pics and user albums.

Perhaps I'm going too far so I wanted to ask. Are VB img upload scripts secured against gifs containing malicious php code?

Brad 10-12-2008 11:59 PM

If such a bug was reported it would be fixed and a new version would be issued. That's a rather big security hole so I'm sure a patch would come out very quickly.

Dismounted 10-13-2008 05:56 AM

As mentioned, RFI is a very big issue - and I'm sure the devs would have already looked at it. vBulletin itself should not be vulnerable to RFI; however, this does not always ring true for modifications.
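A check for the case raised in the first post, an uploaded image that carries PHP code, written in Python as an added example; it is not vBulletin's code and was not posted by anyone in this thread. The function name, the extension allowlist and the sample bytes are assumptions constructed for the illustration.

```python
import re

# Leading magic bytes for the image types an avatar or album upload would accept
# (assumed allowlist, not taken from vBulletin).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# "<?php" and "<?=" open tags; "<?=" can occasionally occur by chance in binary
# image data, so a hit means "reject and review", not proof of an attack.
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)
# Script extension anywhere in the name, e.g. "shell.php.jpg".
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|phar)(?:\.|$)", re.IGNORECASE)


def inspect_upload(filename, data):
    """Return the reasons to reject an upload; an empty list means none found."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        findings.append("extension not in image allowlist")
    elif not data.startswith(MAGIC[ext]):
        findings.append("content does not match extension")
    if SCRIPT_EXT.search(filename):
        findings.append("script extension in filename")
    if PHP_TAG.search(data):
        findings.append("embedded PHP open tag")
    return findings


# Constructed samples: a minimal GIF-like blob, and the same header followed by
# a harmless PHP comment. The second one passes a magic-byte check on its own.
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
POLYGLOT_GIF = b"GIF89a" + b"<?php /* constructed marker */ ?>"
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, blob in [("avatar.gif", CLEAN_GIF), ("avatar.gif", POLYGLOT_GIF),
                       ("shell.php.jpg", JPEG_HEAD), ("pic.jpg", CLEAN_GIF)]:
        print(name, inspect_upload(name, blob))
```

An empty result only means these checks found nothing; the permission fix described in the first post is still what keeps an uploaded file from being executed.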

