Thread: Help in securing vB 3.0.xx for the CSRF vulnerability
View Single Post
  #4  
Old 05-06-2008, 10:27 AM
GameWizard's Avatar
GameWizard GameWizard is offline
 
Join Date: Apr 2004
Location: Vancouver, BC
Posts: 319
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by sv1cec View Post
I wish I could produce for you a file with all the diffs my code has from the standard 3.0.17 vB code. I do not believe there is a single php file in my installation, which hasn't been changed either little or a lot. I understand that you do not need to touch vB code per se now, with the hooks system (I think that's what they call it), but porting all the mods I have done in my code to the new coding scheme is a herculian task.

When vB went from 3.0.xx to 3.5, I found the new coding method so strange that I completely gave up on it. For example:

In 3.0.xx you knew that $bbuserinfo was an array that contained the user information. Wherever you wanted to use the user id, you used $bbuserinfo[userid]. If you look at 3.6 code, inside php there is $vbulletin->userinfo and in templates there is $bbuserinfo. Why? it didn't make sense for me, so I gave up.

Now, even if I do upgrade to vB 3.7, it would take me months to get all the code I have in my site in "plugins" form and add it again. I understand that Jelsoft doesn't cosnider 3.0.xx as a supported release, but we are not talking about a bug fix here, we are talking about a security issue. Microsoft, even though they are in Vista now, they still issue security updates for XP. I was expecting Jelsoft to do the same, since we are still at the same major release. Unfortunately, they don't. I understand that the majority of vB sites have moved to 3.5/3.6 and now to 3.7, but there are sites out there which are using older versions because they do not need the additional functionality or for their own reasons. Security updates should be available, even if not in the form of a patch, but in the form of clear instructions (in vB 3.0.xx code) on how to close the vulnerability. That's the only reason I was paying Jelsoft money all those years.

Sorry Marco, I guess I am just venting, because of the task in front of me (upgrade) or the decision to live with a potentially hackable site. I like neither routes, but unfortunately I have to select one of them.
Although I understand your frustration, I know how it would feel to be in your shoes. Regardless, a choice like you said needs to be made. Don't take it from me, but the logical course of action here would be to simply perform the upgrade, however long it takes. This can be done in parallel to your live board; simply copy your DB and make an exact copy of your board and start apply all the changes as needed.

You really have 3 options here:
a) Find a way to secure your boards (if this is even possible) and continue running on your current version. The downside, this is inevitably a dead end because you cannot run this version of VB forever, you will need to upgrade eventually. It's inevitable, the sooner you do it, the better.

b) Perform the upgrade as suggested parallel to your live boards. The downside, it won't be easy and will take a while, but in the end it will be truly worth it and your users will thank you for it.

c) Give up now, and jump out a window.

A small suggestion, something I've learned over the years:
However small a change you make, I've learned to keep small records of literally almost every change I make. All the template changes I have made are saved in html files. All my php edits (however little I have) are saved in txt files with specific instructions on how to reapply them (incase of upgrade). And so forth. The more documentation you have of your changes, the easier it will be for you in the future to avoid such a problem you are facing now.

I hope this helps you. Good luck.
Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01601 seconds
  • Memory Usage 1,780KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_quote
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete