Watching vBulletin, or attempts at caching dynamic content

Main advantages:

  • Fast and efficient, database-backed
  • Template interface
  • Powerful search engine
  • Multi-language support
  • User profiles
  • Powerful and user-friendly admin panel
  • Unlimited number of sections/topics/messages
  • Email notifications
  • COPPA Support

Because the vendor does not provide an installable demo of the forum, I had to use an unofficial copy downloaded from a warez site, so these instructions may not match the installation of a licensed copy exactly. After the installation the site was removed and was not used for its intended purpose.

To install vBulletin, open the hosting control panel (the gear button next to the hosting order in the billing system), open the "File Manager" and go to the "www" directory. Click "Upload file to current directory":

Specify the path to the file on your computer:

Select the archive with vBulletin, unpack it:

Delete the files and directories we don't need, including the domain's www directory, provided there is nothing in it you need. If you are not installing in the site root, or the site directory contains something you need, do not delete the domain's www directory:

Select the directory with the vBulletin installer, rename it:

Enter the name of our site as the directory name:

Go to the "Databases" section of the hosting control panel:

Create a new MySQL database and a user with full rights to it:

Note that both the user name and the database name are automatically prefixed with your hosting account name:

Open the main page of our site; vBulletin shows the following error:

Append the installer path to the URL in the address bar, i.e. add "install/install.php"; the vBulletin installer starts:

The vBulletin installer checks for the files:

The next step checks the database connection; it fails because the forum configuration file still contains the wrong credentials:

Back in the hosting control panel's file manager, open the forum directory, then the "includes" subdirectory, and open the "config.php" file:

Enter the correct database details into the configuration file and close it:

Back in the installer, press F5; this time the database connection succeeds:

The vBulletin installer creates tables in the database:

The vBulletin installer changes the type (storage engine) of some tables:

Entering data into the database:

Imported languages:

Styles are imported:

Help is imported:

We leave the default settings as they are; the installer detected everything correctly:

Default settings are imported:

Enter vBulletin administrator details:

vBulletin admin added successfully:

vBulletin installation on hosting completed successfully:

Following the installer's final advice, delete the installer files that are no longer needed:

You can go to the vBulletin forum to make sure everything works correctly:
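The two steps of this walkthrough that are easiest to get wrong by hand are filling in the database credentials in includes/config.php and cleaning up after the installer. The script below is an added example, not part of the tutorial or of vBulletin itself: it assumes a vBulletin 3.x/4.x tree whose config lines look like `$config['MasterServer']['username'] = 'root';` and whose installer lives in install/ (install.php and upgrade.php); the account prefix u12345_ and the password are made-up values, and the directory it works on is a throwaway fixture it builds itself.

```shell
#!/bin/sh
# Added example (not from the original tutorial or from vBulletin).
# Assumed layout: includes/config.php with lines of the form
#   $config['SECTION']['KEY'] = 'value';
# and the installer in install/ (install.php, upgrade.php).

# vb_set_config FILE SECTION KEY VALUE
# Rewrites the single-quoted value of $config['SECTION']['KEY'] in FILE.
# VALUE must not contain ' | or & (they would need escaping for sed).
vb_set_config() {
    file=$1; sect=$2; key=$3; val=$4
    sed -i.bak "s|^\(\$config\['$sect']\['$key'] *= *\)'[^']*';|\1'$val';|" "$file" \
        && rm -f "$file.bak"
}

# vb_postinstall_check FORUM_ROOT
# Prints each finding; returns 0 when the tree looks safe, 1 otherwise.
vb_postinstall_check() {
    root=$1
    bad=0
    # 1. The installer must be gone: anyone who can reach install/install.php
    #    can re-run the installation against the live database.
    for f in install/install.php install/upgrade.php; do
        if [ -e "$root/$f" ]; then
            echo "LEFTOVER: $f is still present"
            bad=1
        fi
    done
    # 2. includes/config.php holds the database password; on a shared host it
    #    must not be readable by other accounts.
    cfg="$root/includes/config.php"
    if [ ! -f "$cfg" ]; then
        echo "MISSING: includes/config.php"
        bad=1
    elif [ -n "$(find "$cfg" -perm -o=r)" ]; then
        echo "WORLD-READABLE: includes/config.php"
        bad=1
    fi
    return $bad
}

# Demo on a constructed fixture (a temporary directory, not a real forum).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/includes" "$demo_dir/install"
cat > "$demo_dir/includes/config.php" <<'EOF'
<?php
$config['Database']['dbname'] = 'forum';
$config['MasterServer']['servername'] = 'localhost';
$config['MasterServer']['username'] = 'root';
$config['MasterServer']['password'] = '';
EOF
: > "$demo_dir/install/install.php"

# Fill in the credentials the hosting panel created (note the account prefix).
vb_set_config "$demo_dir/includes/config.php" Database dbname u12345_forum
vb_set_config "$demo_dir/includes/config.php" MasterServer username u12345_forum
vb_set_config "$demo_dir/includes/config.php" MasterServer password 'S3cret-pass'

vb_postinstall_check "$demo_dir" || echo "-> fix the findings above"
rm -rf "$demo_dir/install"                 # the installer's own final advice
chmod 640 "$demo_dir/includes/config.php"  # owner rw, group r, others nothing
vb_postinstall_check "$demo_dir" && echo "post-install check passed"
rm -rf "$demo_dir"
```

On a real host, run vb_postinstall_check against the forum directory after the installer reports success; the first run on the fixture above fails on both counts, the second passes. The group-readable mode is kept because php-fpm on shared hosting often runs as a group member rather than as the file owner; tighten it to 600 if the PHP process runs as the owner.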

You have surely seen forums running on the vBulletin engine more than once. Forums as such are no longer at the height of fashion, but vBulletin is still one of the most popular engines. In its latest (fifth) version, several vulnerabilities have been found that can make an administrator's life miserable. In this article I'll show how they work.

The first problem is insufficient filtering of user input. It was reported by an independent security researcher who wished to remain anonymous. Despite some limitations, the vulnerability is rated critical, because it allows reading arbitrary files and executing arbitrary code on the target system.

The second vulnerability was found by researchers at TRUEL IT and received the identifier CVE-2017-17672. It stems from the way the engine deserializes data and can be used by an attacker to delete arbitrary files on the system.

Full write-ups for both issues were published through Beyond Security's SecuriTeam program, together with PoC exploits that demonstrate the vulnerabilities. Let's go through them in order.

Preparation

I used the WAMP distribution as a server.

Reading files and executing commands

So, the first vulnerability stems from faulty logic when processing the routestring parameter, which lets an attacker include any file on disk and execute the PHP code it contains.

Our path starts with the most important file, index.php, where the basic initialization of the application happens.

/index.php
48: $app = vB5_Frontend_Application::init("config.php");
...
60: $routing = $app->getRouter();
61: $method = $routing->getAction();
62: $template = $routing->getTemplate();
63: $class = $routing->getControllerClass();

Let's look at the vB5_Frontend_Application::init method.

/includes/vb5/frontend/application.php
13: class vB5_Frontend_Application extends vB5_ApplicationAbstract
14: {
15:     public static function init($configFile)
16:     {
17:         parent::init($configFile);
18:
19:         self::$instance = new vB5_Frontend_Application();
20:         self::$instance->router = new vB5_Frontend_Routing();
21:         self::$instance->router->setRoutes();

Here we are interested in the setRoutes method.

/includes/vb5/frontend/routing.php
47: public function setRoutes()
48: {
49:     $this->processQueryString();
...
54:     if (isset($_GET['routestring']))
55:     {
56:         $path = $_GET['routestring'];

The $path variable receives the user-supplied value of the routestring parameter. It is meant to carry the path of a forum page, which is then loaded.



Let's say we passed /test.

After the assignment comes a piece of code that strips the leading slash, if there is one.

/includes/vb5/frontend/routing.php
75: if (strlen($path) AND $path[0] == '/')
76: {
77:     $path = substr($path, 1); // $path = "test"
78: }
...
83: if (strlen($path) > 2)
84: {
85:     $ext = strtolower(substr($path, -4));
86:     if (($ext == '.gif') OR ($ext == '.png') OR ($ext == '.jpg') OR ($ext == '.css')
87:         OR (strtolower(substr($path, -3)) == '.js'))
88:     {
89:         header('HTTP/1.0 404 Not Found');
90:         die('');
91:     }
92: }

As you can see, the check is rather odd. The list of forbidden extensions hardcoded right in the source is puzzling in itself, and so is the way the "extension" is obtained by cutting the last four characters off the string (line 85). In short, if we ask for a gif, png, jpg, css or js file, the server returns a 404 and the script stops; anything else passes, including values that have nothing to do with a forum page, because a deny-list like this only rejects what it was told to reject. Once these checks are passed, the getRoute method of the vB_Api_Route class is called through callApi; it looks for a suitable route based on the information the user supplied.


I have several VPSs under my charge on which ... well, in general it's not my area of responsibility, so whatever runs on them runs moderately and lags moderately. It turned out that a certain forum was running on one of them, and the forum started to slow down. And I wanted to figure out why...

Starting point
  • Forum on vBulletin 3.8.x
  • Moved to the forum.domain.com subdomain
  • nginx 1.1.13, PHP 5.3.x (php-fpm)
  • Nothing besides the forum runs on this server (this matters).
  • MySQL on a separate server, reached over TCP/IP.
Background
The forum lived happily, showing a load of around 30-40 percent in top. Then hour X came and the load jumped to a flat plateau of 90 percent with even higher peaks, which is not good at all. A suspected DDoS was not confirmed: the logs showed a normal workload. So, before simply throwing more resources at it, the idea came up to understand what was going on and cache everything that could be cached.
Investigation. Part one: what the visitor wants
Since I was unfamiliar with the ideology and features of this software, I started by analyzing the logs and the traffic between visitors and the server. The first surprise was that attachments to messages are served exclusively by the attachment.php script: the files themselves may be stored in the database or on local disk, but they are always delivered through the script, and nothing else. That is, a thread with 8-10 photos costs 8-10 extra invocations of the PHP interpreter, for every visitor. Since this forum does not require registration to view attachments, they can be cached, say, for a couple of days. Keep in mind that this is only safe because the attachments are public here: on a forum where attachments are gated by forum permissions, a cache keyed on the URI alone would hand a private attachment to anyone who requests the same URL. Roughly like this:
location = /attachment.php {
    expires max;
    limit_req zone=lim_req_1s_zone burst=5;
    fastcgi_pass forum__php_cluster;
    include /etc/nginx/fastcgi_params;
    include /etc/nginx/fastcgi_params_php-fpm;
    fastcgi_cache forum_att__cache;
    # the backend sends no-cache headers and cookies with every reply;
    # ignore them so the response is cacheable, and strip the cookies
    fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
    fastcgi_hide_header Set-Cookie;
    fastcgi_hide_header Pragma;
    fastcgi_cache_key "$request_method:$http_if_modified_since:$http_if_none_match:$host:$request_uri:";
    fastcgi_cache_use_stale updating error timeout invalid_header http_500;
    fastcgi_cache_lock on;
    fastcgi_cache_lock_timeout 2m;
    fastcgi_cache_valid 2d;
}

and somewhere in the http section declare forum_att__cache:

fastcgi_cache_path /var/cache/nginx/att levels=1:2 keys_zone=forum_att__cache:4m max_size=2g inactive=2d;

The second "revelation" was that the forum has archive pages, and not only do they exist, almost half of all requests hit them. The nature of these pages also allows their content to be cached:
location /archive/ {
    expires 10d;
    limit_req zone=lim_req_1s_zone burst=2;
    location ~ \.css$ {
        expires max;
    }
    fastcgi_pass forum__php_cluster;
    fastcgi_index index.php;
    include /etc/nginx/fastcgi_params;
    include /etc/nginx/fastcgi_params_php-fpm;
    fastcgi_param SCRIPT_FILENAME $document_root/archive/index.php;
    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    fastcgi_cache forum_arc__cache;
    fastcgi_hide_header Set-Cookie;
    fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
    fastcgi_cache_key "$request_method:$http_if_modified_since:$http_if_none_match:$host:$request_uri:";
    fastcgi_cache_use_stale updating error timeout invalid_header http_500;
    fastcgi_cache_valid 2d;
}

and in the http section:

fastcgi_cache_path /var/cache/nginx/arc levels=1:2 keys_zone=forum_arc__cache:4m max_size=2g inactive=2d;

At the same time we protect ourselves against DDoS attacks:

limit_req_zone "$psUID" zone=lim_req_1s_zone:2m rate=1r/s;
How the "$psUID" key is built is described further down.

Investigation. Part two: authorization in vBulletin
From the forum's point of view, a visitor is either a registered user or a guest. A completely different picture emerges if we watch the sequence "arrived, browsed, logged in, browsed, logged out, browsed" through the cookies that appear and disappear in the browser. So, we clear the cookies for the domain and its subdomains, open HTTPfox and observe what happens:
HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=cdme9rrptft67tbo97p4t1cua5; expires=Wed, 22-Feb-2012 15:04:12 GMT; path=/; domain=.domain.com
Set-Cookie: bblastvisit=1329059052; expires=Mon, 11-Feb-2013 15:04:12 GMT; path=/; domain=.domain.com
Set-Cookie: bblastactivity=0; expires=Mon, 11-Feb-2013 15:04:12 GMT; path=/; domain=.domain.com
Set-Cookie: uid=XCuiGU831OyC8VLqAx/QAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.domain.com; path=/
With uid and PHPSESSID everything is clear: they are the doing of nginx (its userid module) and of the PHP interpreter with session.auto_start enabled; the other two just track activity on the forum. But the main vBulletin session cookie is nowhere to be seen yet. Looking ahead, vBulletin does not use the standard PHP session (more precisely, it ALMOST does not use it) but maintains its own, whose ID is stored in the bbsessionhash cookie. So the visitor has arrived but has no session: an anonymous visitor without a session. Meanwhile, links on the forum can take one of two forms (all links on a given page are of the same form, not some one way and some the other):
forum.domain.com/forumdisplay.php?s=12b66e447be52ebc84ab16d3f39626fb&f=69
forum.domain.com/forumdisplay.php?f=69
If you follow a link of the first kind, the session cookie arrives with the next response from the forum; with a link of the second kind it does not. If the cookie did not arrive with that second response, you can wander around the forum sessionless and restless until you run into a link of the first kind (I could not work out the pattern of their appearance) or decide to log in. On a successful login the session cookie arrives in any case; if the guest already had a session before logging in, it is replaced. Note also that the s= parameter in links of the first kind is the session hash itself, carried in the URL: such links leak it into access logs and Referer headers, which is one more reason never to let them into a shared cache. The login response looks like this:
HTTP/1.1 200 OK Set-Cookie: bbsessionhash=85745bc6110db5221e159087bf037f24; path=/; domain=.domain.com; HttpOnly
After login the session is "stable" and the mess with links stops. The logout procedure is nothing original: all existing forum cookies are deleted (even ones that were never set) and a new ("anonymous") session cookie is written:
HTTP/1.1 200 OK
Set-Cookie: bbsessionhash=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.domain.com
Set-Cookie: bblastvisit=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.domain.com
Set-Cookie: bblastactivity=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.domain.com
Set-Cookie: bbthread_lastview=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.domain.com
Set-Cookie: bbreferrerid=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.domain.com
Set-Cookie: bbuserid=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.domain.com
Set-Cookie: bbpassword=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.domain.com
Set-Cookie: bbthreadedmode=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.domain.com
Set-Cookie: bbstyleid=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.domain.com
Set-Cookie: bblanguageid=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.domain.com
Set-Cookie: bbsessionhash=3d0bdc5dbe8dabae361deebe8f6048d2; path=/; domain=.domain.com; HttpOnly
So at the end we get an anonymous visitor (a guest) who definitely has a session.
As a result, from the standpoint of both the forum software AND the HTTP headers we have three kinds of users: guest without session, guest with session, and logged-in visitor. Moreover, at the nginx level it is very hard to tell the second from the third: only visitors who chose "remember me" carry the bbuserid and bbpassword cookies seen in the logout above, while a plain login looks exactly like a guest with a session.

Now that we understand which cookies travel between the visitor and the server, and how, we can approach caching dynamic content. As you know, caching of FastCGI backend responses in nginx is built into the ngx_http_fastcgi_module: you declare a cache zone globally in the http section and a key in the location you want. While for conditionally static content (images, archive pages) the URI with minor additions is a sufficient cache key, caching of dynamic content must also take the user into account. It would seem that a rule like
fastcgi_cache_key "$request_method:$http_if_modified_since:$http_if_none_match:$host:$request_uri:$cookie_bbsessionhash:";
could satisfy both guests and logged-in users, but in practice visitors started receiving the contents of someone else's cache. Caching of "true" dynamic content had to be disabled. I hope the verdict is not final. The safer pattern, for anyone attempting this again, is the inverse of keying the cache on the session cookie: tell nginx not to store or serve a cached reply whenever the request carries bbsessionhash or bbuserid at all (fastcgi_no_cache and fastcgi_cache_bypass on those variables), so that only the anonymous, cookie-less rendering of a page is ever stored, and it is only ever served to visitors who present no cookies.

This information is still useful, though. With it we can build a key for limiting request rates based not only on the visitor's IP address but also on their status.
# rate-limit key: the session hash for visitors who have one, the client IP otherwise
set $psUID "anon";
set $psUCL "anon";
if ($cookie_bbsessionhash) {
    set $psUID "$cookie_bbsessionhash";
    set $psUCL "user";
}
if ($psUCL = "anon") {
    set $psUID "anon:$remote_addr";
}
Place this config fragment in the server section of the nginx config, before all the location blocks. The result is a per-session key for visitors who have a session and an IP-based key for those who do not (for example, search crawlers). One caveat: nginx does not verify the cookie against the forum's session table, so a client that sends a fresh, made-up bbsessionhash with every request gets a fresh bucket each time and sidesteps the per-IP limit; treat this as a way to keep legitimate users behind a shared NAT from throttling each other, not as protection against a deliberate flood.

Results
As a result of these efforts, the overall load on the virtual machine dropped from a 90 percent plateau to a 40 percent sawtooth with bursts up to 80 percent.

vBulletin offers everything a forum administrator might need. Podcasting, multi-quoting, division into communities and groups, user reputation: all of this is in the basic package, which can be extended by installing third-party extensions.

The engine puts a high load on the server, especially after add-ons and third-party scripts are installed. So for normal operation you will need decent hosting: forget about free offers and bargain plans on which even a business-card site crawls. The higher the traffic, the heavier the load, so take bandwidth with a margin, preferably unlimited.

You can't save on hosting, because vBulletin is designed for large projects. It ships with anti-spam measures, so a moderator is needed less for clearing advertising posts out of the threads than for managing discussions; as the security history below shows, however, the engine itself still has to be kept patched.

The built-in page builder can be used for basic customization of the appearance and for adding and modifying pages. To open it, log in to the site under an administrator account; next to the username there is a switch that should be set to On. After re-entering the password, the site opens in design mode.

In the builder you can add a page, drag elements onto it, and then add a link to the page in the site's main menu, all as simply as in a visual designer. For deeper customization of the interface you will need programming skills, applied in the admin panel.

For users who do not want to deal with server infrastructure, the developers offer vBulletin Cloud. It provides a fully working forum with all administrative functions, skipping the download, installation and configuration of the engine: after buying a plan, you only need to customize the site to your needs before letting visitors in.

Design

Themes for the basic design can be downloaded from the engine's official website. They are easy to install and can be modified to the webmaster's taste. Styles are managed in a dedicated section of the admin panel, where you can:

  • Change or add a site background.
  • Add an image instead of a background.
  • Edit style file.

Basic changes can be made through the builder. For example, to change the logo, open the Header tab and upload the appropriate file. On the Navigation Bar tab you manage the site's main menu: add and remove links to other pages, reorder them, and rename them.

None of this requires programming skills, so even a novice webmaster who has never worked with a forum engine can do the basic appearance setup.

Search Engine Optimization (SEO)

vBulletin has no dedicated search engine optimization module. That does not mean the forum needs no work: search engines expect an H1 tag on every page, from which the crawler determines the page's topic. To control indexing, edit the robots.txt file; advice on laying it out properly can be found on forums dedicated to vBulletin sites.

Search engine optimization here largely comes down to enabling or disabling individual features. For example, the quick navigation menu should be disabled to trim the page code. There are many such small things, and you will only find them on specialized forums; the vBulletin help says nothing about them.

SEO plugins add further features. The best known is vBSEO, which helps tune the forum to search-engine requirements: set up redirects, remove duplicates, exclude individual pages from indexing. Its main drawback is the extra server load it creates, on top of what is already considerable for this CMS. Note also that vBSEO is no longer maintained; a plugin that sits in the request path and no longer receives fixes is a liability in itself.

Pricing

A lifetime license with a year of updates costs $250. For that money, all the engine's features are available:

  • Built-in applications: forum, groups, polls, blog.
  • Search engine optimization tools.
  • Professional support.
  • Flexible interface settings.
  • Control panels for all participants: administrator, moderator, user.
  • User management tools.

$250 is not the final price: for this money you acquire only the right to use the engine indefinitely. To keep receiving updates, you pay $209 each year. The developers also offer paid add-ons:

  • Removal of the site-wide footer branding: $169 one-time.
  • Additional phone or ticket support: $49/month or $329/year.
  • Professional installation or engine upgrade: $149 one-time.

If you want the forum to look good on small screens, you can buy the Mobile Pack: the license costs $399 and renewal $359 per year. The mobile version on its own costs $199. Without it, the forum is only really usable on a desktop.

When choosing vBulletin Cloud, three plans are available: Bronze, Silver, and Gold. All of them offer:

  • Automatic update to the current version of the system.
  • Using servers optimized for vBulletin.
  • Disk space adjustable to your needs.
  • Automatic backups.

The minimum plan, Bronze, is $19.95 per month ($14.99 when billed annually). It offers 25 GB of bandwidth, free support and a free domain: a good fit for small forums with low traffic.

Silver is $39.95 per month ($29.99 when billed annually) and comes with 75 GB of bandwidth and ticket support. This plan suits growing communities with medium traffic.

The top plan, Gold, is $74.95 per month ($59.99 when billed annually): 200 GB of bandwidth and free phone support. The best option for large forums.

Advantages and disadvantages

vBulletin has been around for a very long time, so it has a mature user community, detailed documentation and plenty of related material: themes, templates, extensions. Other advantages:

  • A large number of themes.
  • Extensibility through plugins and modules, of which there are already more than 1000.
  • Simple tools for content creation and site management.
  • Simplified design customization.
  • Quick publication of photos and videos by users.
  • Mobile optimization, with the purchase of the corresponding package.

If you have used another forum engine before, getting used to the vBulletin admin panel will take a while. It is not bad, just unfamiliar and in places awkward.

vBulletin has always been heavy on the server, especially with several extensions installed. Take this into account when choosing hosting and budget for a more powerful plan. The costs are high and there is no saving here: skimp on hosting and the forum will fall over at the first influx of visitors.

After the change of development team, many questions have arisen about the engine's security. Version 3.8 remains the most stable. The fourth and fifth versions constantly receive security updates, which suggests the developers are patching holes after release. Keep in mind, though, that an old branch which no longer receives security releases is not safer for being "stable": whichever branch you run has to be kept on a supported, patched release, as the vulnerabilities described above show.
