
How safe is vBulletin?


  • How safe is vBulletin?

    Hello there, can anyone tell me how safe vBulletin is? How many times have vBulletin boards been hacked? I used phpBB forums in the past and I got hacked quite a lot. I will be coming to vBulletin if it's safer than other forums. I have heard it's safe but not confirmed by anyone from vBulletin. Please reply as soon as possible, thank you.

  • #2
    We take security very seriously and do the best we can to ensure that vBulletin has no security holes. As part of this effort to ensure the security of vBulletin, our developers work diligently to make sure that incoming data is sanitized and from approved sources. This is their number one concern.

    Some of the tools we include are:
    - Using a double MD5 hashed password with a randomly generated salt to prevent dictionary or rainbow table attacks on a database.
    - A login strikes system that disables an IP address for a period of time after 5 wrong guesses.
    - Password expiration and History to force users to change their passwords regularly
    - Not transmitting plaintext passwords during login (requires javascript to be enabled in the user's browser)
    - The ability to log invalid attempts to log into the Admin Control Center.
    - Incoming data can be restricted to specific domains.
    - Data sanitization to specific variable types as needed
    - And more...

    If a vulnerability is discovered, it is forwarded to the developers and they investigate it as the highest priority. If it is a valid issue, then a fix is released as soon as possible, usually within 24 hours of discovery.

    Unfortunately security issues are a fact of life with online software. While we work hard to avoid and eliminate security issues, we cannot guarantee that our software is completely free from bugs or security issues.

    However as our record shows, we aggressively track and fix any security issues as soon as they become known to us.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


    Comment
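The login strikes feature listed in post #2, sketched as an added example; it is not part of any post and is not vBulletin's code. The threshold of 5 comes from the post, while the 15-minute window, the class and function names and the sample IP addresses are assumptions.

```python
import time

MAX_STRIKES = 5            # from post #2: locked "after 5 wrong guesses"
LOCKOUT_SECONDS = 15 * 60  # assumption: the post only says "a period of time"


class StrikeTracker:
    """Per-IP failed-login counter with a sliding lockout window."""

    def __init__(self, max_strikes=MAX_STRIKES, lockout=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_strikes = max_strikes
        self.lockout = lockout
        self.clock = clock      # injectable so the window can be tested
        self._strikes = {}      # ip -> timestamps of recent failures

    def _recent(self, ip):
        # Drop failures older than the window so entries cannot grow forever.
        cutoff = self.clock() - self.lockout
        recent = [t for t in self._strikes.get(ip, []) if t > cutoff]
        if recent:
            self._strikes[ip] = recent
        else:
            self._strikes.pop(ip, None)
        return recent

    def is_locked(self, ip):
        return len(self._recent(ip)) >= self.max_strikes

    def record_failure(self, ip):
        self._strikes[ip] = self._recent(ip) + [self.clock()]
        return max(0, self.max_strikes - len(self._strikes[ip]))  # guesses left


def attempt_login(tracker, ip, password_ok):
    """Return 'locked', 'ok' or 'failed' for one login attempt from ip."""
    if tracker.is_locked(ip):
        return "locked"         # refuse before the password is even checked
    if password_ok:
        # Strikes are deliberately not cleared here: resetting on any success
        # would let one valid account on the same IP erase the counter.
        return "ok"
    tracker.record_failure(ip)
    return "failed"
```

Keying on the IP address alone also locks out every legitimate user behind the same NAT or proxy, so the window length is a trade-off between availability and guessing rate.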


    • #3
      It's pretty safe so long as you keep it well fed. There are no acknowledged reports of it turning on its owners, but once it tastes human blood, the game is up!

      Comment


      • #4
        Originally posted by Foax_199 View Post
        Hello there, can anyone tell me how safe vBulletin is? How many times have vBulletin boards been hacked? I used phpBB forums in the past and I got hacked quite a lot. I will be coming to vBulletin if it's safer than other forums. I have heard it's safe but not confirmed by anyone from vBulletin. Please reply as soon as possible, thank you.
        It's pretty safe if you don't mind having to fight through massive spam registrations that the forum software does nothing about.

        Comment


        • #5
          Originally posted by saggerpance View Post
          It's pretty safe if you don't mind having to fight through massive spam registrations that the forum software does nothing about.
          Not to hijack this thread, but what security settings do you have in place?
          CHIMPIE | SKYWARN | EMTLIFE

          Comment


          • #6
            Originally posted by saggerpance View Post
            It's pretty safe if you don't mind having to fight through massive spam registrations that the forum software does nothing about.
            This is only something from the last 48 hours, when a new version of software written to break captcha was released. Plus, 3.7.3 pl1 which is the current stable has a human verification library option: question/answer, which - when used properly - will stop the bot floods.

            Comment


            • #7
              Originally posted by Foax_199 View Post
              Hello there, can anyone tell me how safe vBulletin is? How many times have vBulletin boards been hacked? I used phpBB forums in the past and I got hacked quite a lot. I will be coming to vBulletin if it's safer than other forums. I have heard it's safe but not confirmed by anyone from vBulletin. Please reply as soon as possible, thank you.
              VB is good software. I just bought it; it takes time to get used to, but it's secure.

              I had phpBB before and it was hacked so many times it was kind of like screw it.

              So now I got VB.

              secret.

              Try their demo; it gives you an idea of how the software works.

              Comment


              • #8
                http://www.vBulletin.com/admindemo.php

                Comment


                • #9
                  Originally posted by Steve Machol View Post
                  We take security very seriously and do the best we can to ensure that vBulletin has no security holes.
                  That you know about yes!!

                  And yes VB is far safer than all of their competitors I have tried but VB has got too big really and thus is now the No.1 target for hackers and spammers...

                  What we need is rapid response to key issues i.e. spam etc not a new release several months down the line!...

                  Sorry, in a crappy mood with all these spammers around!

                  Comment


                  • #10
                    Indeed, as soon as we hear there's a security issue we work on this to confirm it, find a fix. Check our branches. Etc. And within hours available to use we have a patch ready, and depending on the complexity of the issue (like, how much code needs rewritten, what's the best way to release this particular PL, etc), it can take a tad longer. But within 24 hours there is at least a free patch for license holders to download. And a full upgrade for active license holders who desire a full upgrade.

                    Other softwares take a day, or skip the weekend, and some open source projects require you to wait until there's a new release or there's developers available that can fix it.

                    Comment


                    • #11
                      Originally posted by Steve Machol View Post
                      - Using a double MD5 hashed password with a randomly generated salt to prevent dictionary or rainbow table attacks on a database.
                      Running a string through a hashing algorithm repeatedly will increase the risk of a hash collision seeing as the range of the function is smaller than its domain. In this particular matter, the output of MD5 will always be a 32 digit long hexadecimal number. This means that if you run the output through MD5 again then you'll have decreased the domain while the range remains the same, i.e. more strings will have to share the same hash. This means that the fact that you run passwords through MD5 twice will actually decrease the security, not increase it.

                      The by far best way is to use strong salting. This will decrease the chance of the hash being part of a reverse lookup dictionary and it will mean that brute-forcing it will take considerably longer time. Alternating the salt position (e.g. on a per-install basis) would also increase the security considering that if the salt is somehow retrieved (e.g. from a db dump) then it will be rendered useless if the position of the salt is already known.

                      Comment


                      • #12
                        vbulletin does it per domain, per user, per hash, twice.
                        md5(md5(md5('password') . user.salt) . licensenumber)

                        Comment
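The salted, nested MD5 construction described in posts #2 and #12, next to a deliberately slow salted hash, as an added example; it is not part of any post and is not vBulletin's code. Per-user salts defeat precomputed-table lookups, but each guess still costs only three MD5 calls, which is what a key-derivation function with a tunable work factor changes. The sample password, salts, license placeholder, record format and the 600,000-iteration PBKDF2 setting are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def nested_md5(password: str, user_salt: str, install_secret: str) -> str:
    # Construction exactly as written in post #12; not checked against
    # vBulletin's source.
    return md5_hex(md5_hex(md5_hex(password) + user_salt) + install_secret)


def pbkdf2_record(password: str, iterations: int = 600_000) -> str:
    # Slow, salted alternative from the standard library. The iteration
    # count is an assumed work factor; it is stored so it can be raised later.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex),
                                        int(iterations))
    except ValueError:          # malformed record: reject, never crash
        return False
    return hmac.compare_digest(candidate, expected)  # constant-time compare


def demo() -> dict:
    secret = "LICENSE-PLACEHOLDER"                 # constructed value
    alice = nested_md5("hunter2", "a1B", secret)   # constructed salts
    bob = nested_md5("hunter2", "z9Q", secret)
    return {
        # Same password, different salt: the stored hashes differ.
        "same_password_different_hash": alice != bob,
        # A table of plain md5(password) values matches neither row.
        "unsalted_table_misses": md5_hex("hunter2") not in (alice, bob),
    }
```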


                        • #13
                          Originally posted by saggerpance View Post
                          It's pretty safe if you don't mind having to fight through massive spam registrations that the forum software does nothing about.
                          I think you're wrong.

                          My board has been up and running since February and I have had only 4 spam registrations/postings ever. And it isn't because of "lack of exposure", because my forum is very exposed in terms of crawlers, search engines, etc.
                          There are many security measures you can take to prevent spam bots, and it has worked for me quite well.

                          vBulletin is not to blame.
                          Regards,
                          Nick

                          Comment


                          • #14
                            Spam is not a security issue. It's an abuse of a completely normal feature (you do want new members and more posts, do you?)
                            If you keep a level head, don't freak, don't waste your time with discussions with or about vBulletin and apply the proposed solutions, the annoyance either stops or becomes minimal.
                            And, no, I have no connection to vBulletin other than as a user.

                            As for the integral security of vBulletin, first ask yourself these questions:

                            How secure is your server? A compromised server allows full access to all the applications on it.

                            How secure is your mysql? Is it patched against all known security breaches?

                            How secure is your webserver? Patched?

                            What's your password policy? Is it susceptible to social engineering? Your Admin CP password is something like this: ie83ç+KH_( , is it not?
                            Visit www.discussionworldforum.com

                            Comment


                            • #15
                              Originally posted by bkpaul View Post
                              That you know about yes!!

                              And yes VB is far safer than all of their competitors I have tried but VB has got too big really and thus is now the No.1 target for hackers and spammers...

                              What we need is rapid response to key issues i.e. spam etc not a new release several months down the line!...

                              Sorry, in a crappy mood with all these spammers around!
                              I would suggest going into your admin panel and going to: vBulletin Options > Human Verification Manager and selecting the reCaptcha option. To get your keys, go here:

                              http://recaptcha.net/api/getkey?app=vBulletin

                              It's a free service and a breeze to install, and eliminated my issues (I was getting 100+ registrations per day, which was a pain because I moderate all new members). Plus, I also received an e-mail from a blind person who had been trying to register and was glad that I implemented this feature.

                              Comment
