Thread: Anti-Spam Options - vbStopForumSpam
  #491  
Old 04-28-2015, 12:02 PM
thincom2000
Join Date: May 2006
Location: Bronx, NY
Posts: 1,205
Thanked: 0 times
Thanked 0 times in 0 posts

Regarding the "MySQL has gone away" errors and register.php requests being tied up for 2 minutes or more...

The CURL timeout in the plugin code is 5 seconds as far as I can tell.

I think the problem is that CURL has a connection error during that 5 seconds where it can't connect to stopforumspam.com.

When this happens, it is treated as a normal CURL error and falls back to file_get_contents(url), which I don't think has a timeout. file_get_contents also has trouble connecting and waits a very long time to give up (until after the MySQL link is auto-closed).

If an attacker can detect this situation on your site, they would be able to perform an attack like Slowloris against a vBulletin forum that uses this mod. It's actually easy to "detect" this situation. SFS limits you to 20,000 API lookups per 24 hours, then blocks your IP, which will also cause a CURL connection error. Using only 14 requests per minute (so not really detectable by DoS prevention), an attacker can leverage this limit and trigger file_get_contents for every registration attempt after 20,000. Since your IP is blocked, every request will wait until PHP times out. You will run out of PHP child processes, and your forum will be inaccessible. To protect yourself, you should make the following change.

In includes/functions_vbsfs.php, find and remove all of these:
Code:
if (!($pageContent = @file_get_contents($url)))
I would suggest that the author of this mod also make this change to prevent Slowloris attacks, or implement stream wrappers with an appropriate timeout set if support for file_get_contents(url) is still needed.
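As an added example (not code from the vbStopForumSpam mod and not written by the poster), the PHP below sketches the second option mentioned at the end of the post: keep a file_get_contents() fallback, but run it through a stream context that carries its own timeout, so that neither the cURL path nor the fallback can hold a PHP worker for longer than a fixed budget. The function names, the constants, and the decision to fail open (skip the SFS check when the API is unreachable) are assumptions for illustration.

```php
<?php
// Added example, not the mod's own code. Fetches a StopForumSpam API URL with a
// hard time budget on both the cURL path and the file_get_contents() fallback,
// so a blocked or unreachable API host cannot tie up a PHP worker for minutes.
// Names and timeout values below are assumptions, not the plugin's settings.

const SFS_CONNECT_TIMEOUT = 5;   // seconds allowed to establish the TCP connection
const SFS_TOTAL_TIMEOUT   = 5;   // seconds allowed for the whole request

/**
 * Fetch $url with cURL, bounded by connect and total timeouts.
 * Returns the response body, or false on any error (including a timeout).
 */
function sfs_fetch_curl(string $url)
{
    $ch = curl_init($url);
    if ($ch === false) {
        return false;
    }
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => SFS_CONNECT_TIMEOUT,
        CURLOPT_TIMEOUT        => SFS_TOTAL_TIMEOUT,
        CURLOPT_FOLLOWLOCATION => false,
        // Treat HTTP 4xx/5xx (for example the response a rate-limited IP gets)
        // as a failure instead of parsing an error page as a lookup result.
        CURLOPT_FAILONERROR    => true,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

/**
 * Fallback without cURL: file_get_contents() through a stream context with its
 * own timeout. Without a context, the default_socket_timeout ini value applies,
 * which is what lets the unbounded wait described in the post happen.
 */
function sfs_fetch_stream(string $url)
{
    $ctx = stream_context_create([
        'http' => [
            'method'          => 'GET',
            'timeout'         => SFS_TOTAL_TIMEOUT,  // read timeout in seconds
            'ignore_errors'   => false,              // HTTP errors return false
            'follow_location' => 0,
        ],
    ]);
    return @file_get_contents($url, false, $ctx);
}

/**
 * Look up $url with a bounded total wait. On any failure the caller gets null
 * and should skip the SFS check (and log it) rather than block registration.
 */
function sfs_lookup(string $url)
{
    $body = function_exists('curl_init') ? sfs_fetch_curl($url) : false;
    if ($body === false) {
        $body = sfs_fetch_stream($url);
    }
    if ($body === false) {
        error_log("SFS lookup failed or timed out for {$url}; skipping check");
        return null;
    }
    return $body;
}
```

Two points worth noting about this design. First, the worst case is still the sum of the two budgets (cURL fails after 5 seconds, then the stream fallback spends up to another 5 seconds), so a site that already has cURL available may prefer to drop the fallback entirely, as the post recommends. Second, returning null on failure makes the check fail open: a registration proceeds without the SFS verdict when the API cannot be reached, which trades a little spam tolerance for keeping the forum reachable under the condition the post describes; a site that would rather reject registrations in that state should turn the null into a "try again later" message instead.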