Two Critical 0-Day Remote Exploits for vBulletin Forum Disclosed Publicly (Version 5)

[ManagerJosh]

XF passively gains the security fixes of the libraries and frameworks it's built on top of.

A proper search would scan the update history of those 3rdparty components rather possibly misleading about the script's security record compared to its indivodual components'.

Not completely true. yes it gains some security fixes from libraries and frameworks its built upon, but it's largely still dependent on the developers to leverage them. For example, one addon developer we've talked about here on TAZ reinvents the wheels - and consequently - opens ups holes rather than call upon the proper frameworks or connect with the right hooks to gain application security built into XF.

I believe Kier mentioned at one point that XF's security is largely dependent on positive input validation/positive security model.

 

[ManagerJosh]

Which does absolutely no good in an SQL injection attack. They don't have to be registered to do it.

if anything, it's potentially making the problem worse.

 

[Fillip H.]

I dont know why your database search found zero records, I am pretty sure XF have done releases to patch security issues.
The same people who wrote most of the vB code [upto 2008] went on to write XF, so they would learned a lot from those early problems.

The reality of hacking vB5 is that even if you can, your target site count really is quite small.
Xenforo has now taken over from vBulletin [popularity wise] so its likely that hackers will pay more attention to it.

Very important point. It's very similar to how the amount of high profile Mac malware has increased in recent years (I say this without actual statistics to back it up - even if the amount may not have increased, the visibility of them surely will have). There's more Macs out there now than there was 10 years ago.

However, it's also important to highlight the differences in how XenForo and vBulletin (both past and present versions) have been coded. As far as I know, the only 3rd party code in vB is the CKEditor, all other code is written entirely in-house. XenForo, on the other hand, uses a whole bunch of libraries to handle a lot of behind-the-scenes code.

For instance, XenForo 2 uses the "GuzzleHttp" library to deal with HTTP requests (a cURL wrapper, but also much more). Since the library is open source, and used in some of the most popular frameworks like Symfony and Laravel, chances are that any obvious exploits would have been found by now. I'm not saying it's immune to exploits, but it's probably pretty secure.

In other words, by using tried-and-tested libraries to handle the heavy lifting for things like that, short of any actual PHP vulnerabilities like the unserialize() debacle, those parts of the forum's code (and add-ons' code, provided they don't reinvent the wheel like another poster highlighted) will be pretty secure.

Back when Jelsoft was running the show, libraries like this were not very popular (if they existed at all), so it's understandable that vB3 (and to an extent, vB4) didn't use any. I do believe that significant security benefits would be had for vB5 going forward if they considered rewriting some of the core to take advantage of libraries rather than doing everything in-house.

 

[VICE]

Back when Jelsoft was running the show, libraries like this were not very popular (if they existed at all), so it's understandable that vB3 (and to an extent, vB4) didn't use any. I do believe that significant security benefits would be had for vB5 going forward if they considered rewriting some of the core to take advantage of libraries rather than doing everything in-house.

Didn't vB4 use YUI library?

 

[LeadCrow]

Didn't vB4 use YUI library?

An oudated version, and hardly any other usable libraries existed. Maintaining older versions was likely seen as preferable to breaking addon compatibility across updates.

 

[Fillip H.]

Didn't vB4 use YUI library?

JavaScript libraries are not applicable to my point, as it is unlikely a JS library would contain vulnerabilities that could be used to exploit a site. Code that only executes in the browser have a lot fewer vectors of attack compared to code that executes on the server

Also, why does your quotes of my posts have the wrong user name?

 

[VICE]

What will happen when an open source library is abandoned?

 

[doubt]

What will happen when an open source library is abandoned?

Replacing it with another library is an option.(I think that's happened in VB's case)

 

[LeadCrow]

What will happen when an open source library is abandoned?

Projects will use an actively developped one, switching code if necessary.
Its not a tragedy, all code becomes obsolete eventually, superseded by leaner, even more efficient equivalents.

 

[VICE]

IB did not replace the library and instead opted to disable to function associated with it.
Was that a tragedy?

Point is, being highly dependent on third party isn't a wise decision either.

 

[zappaDPJ]

Point is, being highly dependent on third party isn't a wise decision either.

I agree dependences can bring additional problems but I think to argue that it's not wise is debatable. For example the majority of forum software relies on third party editors. I'd say the benefits that brings generally negates any problems that might occur. It keeps costs down and you would hope the editor development team have a greater level of expertise in that particular area.

 

[Paul M]

Point is, being highly dependent on third party isn't a wise decision either.

I think the developers of Xenforo might disagree with you on that, since its built around 3rd party products.

 

[VICE]

I was referring to open source products, abandonment is their major characteristic.

 

[LeadCrow]

A small pool of volunteer developpers affects opensource and proprietary projects the same.

Rather than reliance on libraries being risky, its betting the farm on unpaid labour. Important contributors need to be retained but projects without backing or a commercial service usually lack the means to do so.

 

[Chris D]

I think the developers of Xenforo might disagree with you on that, since its built around 3rd party products.

That's really quite a misnomer. It's built around entirely our own framework, with some third party components being used where it makes sense to. This is even more true now with XF2 which no longer relies on a specific vendor though even with XF1, the amount of the Zend Framework we actually used was probably less than 10%.

There's a few options if for some reason a library becomes unsupported or insecure. Though this is unlikely as generally we use hugely popular ones like SwiftMailer for email and Guzzle as a HTTP client, and a few nice Symfony components. But if it happened we could swap them out for a different library. If another library wasn't suitable, and the license agreement permitted (which generally it would) then we would maintain our own fork of the library with our own fixes.

So really, it's not the end of the world if something goes awry, while it also has the benefit of us not having to be too concerned about the security and stability of the project that's already in use as part of thousands of existing applications.

 

[VICE]

A small pool of volunteer developpers affects opensource and proprietary projects the same.

Rather than reliance on libraries being risky, its betting the farm on unpaid labour. Important contributors need to be retained but projects without backing or a commercial service usually lack the means to do so.

Just because something is commercial doesn't mean it's professional. Xenforo third party developers is the best example. I've never find anything on Github that amount to vacationing in Zimbabwe or prolonged husband's pregnancy (and these are paid software!). Typically, an open source developer left because new job opportunity or finishing his education.

 

[LeadCrow]

Freelancers were always risky providers of services, Foss or proprietary, paid or free makes no difference.

An individual can have trouble delivering and your only recourse could be a refund, unlike with a more established company or group with the ability to deliver to your satisfaction without excuses. Few outfits have this much stability though, other than classic media agencies since their revenues are generally more diversified. with realworld clients.

 

[Pete]

Just because something is commercial doesn't mean it's professional. Xenforo third party developers is the best example. I've never find anything on Github that amount to vacationing in Zimbabwe or prolonged husband's pregnancy (and these are paid software!). Typically, an open source developer left because new job opportunity or finishing his education.

The only reason you don't hear about it on GitHub is because they have no obligation to tell you why they left or why there are delays. There are more abandoned projects on GitHub than I think you realise. With a paid deal there is at least some expectation around it.

Also, just last week we had to tell a customer that their work was delayed due to the relevant people being on holiday, so it happens in other places and environments too...

 

[VICE]

With a paid deal there is at least some expectation around it.

Of course, expect a holiday.

Also, just last week we had to tell a customer that their work was delayed due to the relevant people being on holiday, so it happens in other places and environments too...

And a holiday indeed!

I learned several stories about silicon valley developers working 18 hours a day to reach deadlines and how some of them committed suicide due to the pressure. I'm not demanding even 1/10 of such dedication. Just common sense, why the F should I care about your holiday? People can say anything they like about vBulletin but I never read anything from them that amount to "yeah, sorry for the delay in progress, some of our staff are on holiday".

 

[Pete]

Of course, expect a holiday.


And a holiday indeed!

I learned several stories about silicon valley developers working 18 hours a day to reach deadlines and how some of them committed suicide due to the pressure. I'm not demanding even 1/10 of such dedication. Just common sense, why the F should I care about your holiday? People can say anything they like about vBulletin but I never read anything from them that amount to "yeah, sorry for the delay in progress, some of our staff are on holiday".

They have a bigger team and can soak up that time. If you have a dev team of one and he goes on holiday, that's the entire team on holiday and therefore a problem, and telling you is therefore reasonable!