vb.org Archive


nguahoang 04-11-2009 02:18 AM

Can a licensed vBulletin forum be protected from hackers?
 
Hi,

I'd like to buy a license for our forum using vBulletin. But, before making a decision, I want to know which support services we could have with this license, and what the possibilities are for protecting our site from hacker attacks?

Thank you.

Dismounted 04-11-2009 06:26 AM

The onus for protecting your server is on you. If your machine is compromised at the system level, there is nothing you can do to vBulletin to stop this.

What "attacks" are you considering?

nguahoang 04-11-2009 10:26 AM

Quote:

Originally Posted by Dismounted (Post 1788711)
The onus for protecting your server is on you. If your machine is compromised at the system level, there is nothing you can do to vBulletin to stop this.

What "attacks" are you considering?

There are two levels of protection. On the server, it's our hosting service provider who takes care of this. But if we use vBulletin, it's on this product level that the security settings must be made. I've some friends using vBulletin and their sites were attacked by some hackers, using some shells installed via file/image upload. With these shells the hackers can take admins' passwords, or replace the index files, etc. Does it mean there are some product apertures? So, I'd like to know if, when I buy your license, you've got methods for protection from this kind of attack, or are there no such apertures in your official products...

Thank you.

nexialys 04-11-2009 11:28 AM

Quote:

I've some friends using vBulletin and their sites were attacked by some hackers, using some shells installed via file/image upload.

This is impossible via vBulletin. For any image uploaded via vBulletin, the server reprocesses the image via GD or ImageMagick (your choice), so if it's not a real image, it is rejected. It's not based on a filename, but the content of the file. Impossible to cheat.

There will always be some hacker cracking a website. There will always be situations where it's the admin's fault if something wrong occurs. And when it's the software which is the cause, the guys at Jelsoft are making sure it won't happen again by updating their software with the fix.

Dismounted 04-11-2009 11:50 AM

Quote:

Originally Posted by nguahoang (Post 1788803)
I've some friends using vBulletin and their sites were attacked by some hackers, using some shells installed via file/image upload.

This is caused by a modification installed, not vBulletin itself. Nothing can really help you then, as the code is not Jelsoft controlled - it is controlled by the modification author. If there are security holes within vBulletin itself, the Jelsoft team aims to provide a patch within 24 hours of them being aware of it.

Andreas 04-11-2009 01:17 PM

Many modifications allowing you to upload files/images are unfortunately vulnerable to manipulated images.

If you are using such modifications, check if they are using the vBulletin classes for handling uploads and image processing - if not you should very very carefully check the code.
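
The checks discussed in the two posts above (deciding by file content rather than filename, and reprocessing the image through GD) look roughly like this in a modification's upload handler. This is an added example, not part of the thread and not vBulletin's or any modification's code; the function name, limits and destination directory are hypothetical.

```php
<?php
// Added example: hypothetical upload handler for a third-party modification.
// Not vBulletin code; the function name, limits and paths are assumptions.
const MAX_BYTES = 2 * 1024 * 1024;   // assumed upload size limit
const MAX_SIDE  = 4000;              // assumed max width/height in pixels

function store_uploaded_image(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Decide the type from the file content; $file['name'] and
    // $file['type'] are client-supplied and are never consulted.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[0] > MAX_SIDE || $info[1] > MAX_SIDE) {
        throw new RuntimeException('not an acceptable image');
    }
    $codecs = [
        IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
        IMAGETYPE_PNG  => ['imagecreatefrompng',  'imagepng',  'png'],
        IMAGETYPE_GIF  => ['imagecreatefromgif',  'imagegif',  'gif'],
    ];
    if (!isset($codecs[$info[2]])) {
        throw new RuntimeException('unsupported image type');
    }
    [$decode, $encode, $ext] = $codecs[$info[2]];

    // Full decode: a file that only carries an image header fails here.
    $img = @$decode($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    imagesavealpha($img, true);      // keep PNG transparency when re-encoding

    // Write freshly encoded pixels under a server-generated name with a
    // fixed extension, so nothing from the upload reaches the file name.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!$encode($img, $dest)) {
        throw new RuntimeException('could not write image');
    }
    return $dest;
}
```

Call it as `store_uploaded_image($_FILES['image'], $dir)`, where `image` is an assumed form field name and `$dir` is a directory the web server serves as static files only, with no script handler mapped to it.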

nguahoang 04-12-2009 01:05 AM

Many thanks for your clarifications. Maybe my friends had used some hacked MOD, and so there were holes in the code after these modifications.

Thank you so much.

lt. chewit 04-14-2009 05:01 PM

DoS attacks can still happen.

But no major damages :)

