  • vBulletin UnHaxorable??

    I've read many people say that vBulletin software is unhackable. Is this true??

    Anyone had their boards violated?

  • #2
    Nothing is unhackable.

    However, vBulletin IS as secure as possible, providing you keep up-to-date on software.
    Congratulations on the death of vBulletin, Internet Brands.



    • #3
      The only issues we've had of recent are those outside our control.

      PHP Flaws and IE Flaws that we felt obliged to fix for those not willing to keep them up to date.

      We've had our share of flaws with 3.0.x but the new GPC system in 3.5.0 has helped a lot.
      Scott MacVicar




      • #4
        Originally posted by Scott MacVicar
        The only issues we've had of recent are those outside our control.

        PHP Flaws and IE Flaws that we felt obliged to fix for those not willing to keep them up to date.

        We've had our share of flaws with 3.0.x but the new GPC system in 3.5.0 has helped a lot.
        Can you expand on what GPC is, Scott? Or someone?
        Congratulations on the death of vBulletin, Internet Brands.



        • #5
          GET / POST / Cookie, it's the type of incoming requests.

          It's filter based where we have to identify exactly what we want and the data type we need. It's still vulnerable if a developer selects the wrong datatype that the variable should be but we're hoping that's not going to happen.
          Scott MacVicar




          • #6
            Originally posted by Scott MacVicar
            GET / POST / Cookie, it's the type of incoming requests.

            It's filter based where we have to identify exactly what we want and the data type we need. It's still vulnerable if a developer selects the wrong datatype that the variable should be but we're hoping that's not going to happen.
            Can you go into more details please, this sounds interesting.



            • #7
              Originally posted by 0ptima
              Can you go into more details please, this sounds interesting.
              Scott pretty much explained it there.
              Dean Clatworthy - Web Developer/Designer



              • #8
                $vbulletin->GPC is an empty array until you identify what variables it should contain and the type and it then makes a reference to the appropriate array after its changed the data type.

                $vbulletin->input->clean_array_gpc('r', array(
                'redirect' => TYPE_STR,
                'nojs' => TYPE_BOOL,
                ));

                Would take the $_REQUEST array with values 'redirect' and 'nojs'. It would trim redirect and nojs would be made sure it's either true / false.
                Scott MacVicar




                • #9
                  Originally posted by Scott MacVicar
                  GET / POST / Cookie, it's the type of incoming requests.

                  It's filter based where we have to identify exactly what we want and the data type we need. It's still vulnerable if a developer selects the wrong datatype that the variable should be but we're hoping that's not going to happen.
                  In other words everyone, it stops the usage of dynamic scripting (XSS, PoC, etc.). By filtering GPC, you can remove dangerous characters from their HEX and ASCII values. This also stops penetration via SQL Injection, whereby a hacker can insert SQL values into a vulnerable POST form (i.e. username/pass forms, lost password, etc.) and basically gain any information he/she would need to do malicious damage.



                  • #10
                    Ahh so that is how you guys make it so people can't use their own codes when they are not supposed to?

                    IE: < = &lt;

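The posts above (#5, #8, #9 and #10) describe the GPC idea in words: declare which request keys you want and what type each must be, and everything else is dropped or coerced. The following is an added, self-contained PHP illustration written for this page; it is not vBulletin's own code, and the function and constant names (`clean_array_gpc`, `gpc_clean`, `TYPE_STR`, `TYPE_BOOL`, `TYPE_INT`, `TYPE_UINT`) are modelled on the snippet in post #8 but are assumptions here, not the real library API. The request array is constructed inline so the script runs offline.

```php
<?php
// Added illustrative example, not vBulletin's own code. A minimal
// re-implementation of "declare the keys and the types you want, and
// coerce them" as described in this thread. Names are assumptions.

const TYPE_STR  = 1;  // trimmed string (still needs output escaping)
const TYPE_BOOL = 2;  // strictly true / false
const TYPE_INT  = 3;  // integer, sign allowed
const TYPE_UINT = 4;  // non-negative integer (ids, page numbers)

// Source selector, mirroring the 'r' (request) argument in post #8.
function gpc_source(string $which): array
{
    switch ($which) {
        case 'g': return $_GET;
        case 'p': return $_POST;
        case 'c': return $_COOKIE;
        default:  return $_REQUEST;
    }
}

// Coerce one raw value to the declared type. A value that does not fit
// the type is forced into it rather than passed through unchanged.
function gpc_clean($value, int $type)
{
    switch ($type) {
        case TYPE_STR:  return trim((string) $value);
        case TYPE_BOOL: return (bool) $value;         // PHP truthiness: "0" and "" are false
        case TYPE_INT:  return intval($value);        // leading digits only, trailing text dropped
        case TYPE_UINT: return max(0, intval($value));
        default: throw new InvalidArgumentException("unknown GPC type $type");
    }
}

// Whitelist plus typed cleaning: only the listed keys come back, each coerced.
// Keys that are absent from the request get the type's empty value so
// callers never read an undefined index.
function clean_array_gpc(string $source, array $spec): array
{
    $raw   = gpc_source($source);
    $clean = [];
    foreach ($spec as $key => $type) {
        $clean[$key] = gpc_clean($raw[$key] ?? '', $type);
    }
    return $clean;
}

// Constructed request data for the demonstration (PHP normally fills this).
$_REQUEST = [
    'redirect' => "  index.php?do=x <b>bold</b>  ",
    'nojs'     => 'yes',
    'postid'   => '42 abc',
    'secret'   => 'never requested, so never returned',
];

// Same shape as the call in post #8, with one integer id added.
$gpc = clean_array_gpc('r', [
    'redirect' => TYPE_STR,
    'nojs'     => TYPE_BOOL,
    'postid'   => TYPE_UINT,
]);

var_dump($gpc['nojs']);            // the raw string 'yes' has become a bool
var_dump($gpc['postid']);          // the trailing text cannot survive an integer type
var_dump(isset($gpc['secret']));   // unrequested keys are not present at all

// The caveat from post #5: choose the wrong type and the raw text passes
// through untouched, so an integer id declared as TYPE_STR is still text.
$wrongType = clean_array_gpc('r', ['postid' => TYPE_STR]);
var_dump($wrongType['postid']);

// Post #10's point: a TYPE_STR value is trimmed, not made safe for HTML,
// so it is still escaped on output (the '<' becomes '&lt;').
echo htmlspecialchars($gpc['redirect'], ENT_QUOTES, 'UTF-8'), "\n";
```

Run it with `php gpc_example.php`. The design point is the one Scott makes: the protection comes from the developer naming the exact keys and the narrowest type that fits, so a value that is really an id should be declared as an integer type rather than a string, and strings that end up in HTML still go through `htmlspecialchars` at output time.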


                    • #11
                      Yep, that's pretty much how it is now. Safety first.
