The Arcive of Official vBulletin Modifications Site.

nguahoang · #1 04-11-2009, 02:18 AM

Hi,

I'd like to buy a license for our forum using vBulletin. But, before making decision, I want to know which support services we could have with this licence, and how about the possibilities of protection of our site from hacker attacks?

Thank you.

Dismounted · #2 04-11-2009, 06:26 AM

The onus for protecting your server is on you. If your machine is compromised at the system level, there is nothing you can do to vBulletin to stop this.

What "attacks" are you considering?

nguahoang · #3 04-11-2009, 10:26 AM

Quote:

Originally Posted by Dismounted

The onus for protecting your server is on you. If your machine is compromised at the system level, there is nothing you can do to vBulletin to stop this.

What "attacks" are you considering?

There're two levels of protection. On the server, it's our hosting service provider who take care of this. But if we use vBulletin, it's on this product level that the security settings must be made. I've some friends using vBulletin and their site were attacked by some hackers, using some shells installed via files/images upload way. With these shells the hackers can take admins' passwords, or replace the index files, etc. Does it mean some product apertures? So, I'd like to know if, when I buy your license, you've got methods for protection from this way of attack, or are there no such apertures in your official products...

Thank you.

#4 04-11-2009, 11:28 AM

Quote:

I've some friends using vBulletin and their site were attacked by some hackers, using some shells installed via files/images upload way.

this is impossible via vBulletin. for any image uploaded via vBulletin, the server reprocess the image via GD or ImageMagik (your choice), so if it's not a real image, it is rejected. it's not based on a filename, but the content of the file. impossible to cheat.

there will always have some hacker cracking a website. there will always have situations where it's the admin fault if something wrong occur. and when it's the software which is in cause, the guys at Jelsoft are making sure it wont happen again but updating their software with the fix.

Dismounted · #5 04-11-2009, 11:50 AM

Quote:

Originally Posted by nguahoang

I've some friends using vBulletin and their site were attacked by some hackers, using some shells installed via files/images upload way.

This is caused by a modification installed, not vBulletin itself. Nothing can really help you then, as the code is not Jelsoft controlled - it is controlled by the modification author. If there are security holes within vBulletin itself, the Jelsoft team aims to provide a patch within 24 hours of them being aware of it.

Andreas · #6 04-11-2009, 01:17 PM

Many modifications allowing you to upload files/images are unfortunately vulnerable to manipulated images.

If you are using such modifications, check if they are using the vBulletin classes for handling uploads and image processing - if not you should very very carefully check the code.

nguahoang · #7 04-12-2009, 01:05 AM

Many thanks for your clarifications. Maybe my friends had used some hacked MOD and so there were the holes in the code after these modifications.

Thank you so much.

lt. chewit · #8 04-14-2009, 05:01 PM

DoS attack can still happen.

But no major damages

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04524 seconds Memory Usage 2,223KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (3)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (8)post_thanks_box (8)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (8)post_thanks_postbit_info (8)postbit (7)postbit_onlinestatus (8)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!