Potential vBulletin Exploit (vBulletin 4.1+, vBulletin 5+)

Are you surprised? I’m not. There are more bugs in vBulletin than a roach motel. Can someone please call the exterminator?

It’s rather amusing that Internet Brands does not even know where the vulnerability is in THEIR OWN software. If they can’t even find it when it is pointed out to them, how do you expect Internet Brands to deliver a bug-free product?

Here is the initial security advisory.

A potential exploit vector has been found in the vBulletin 4.1+ and 5+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, it is recommended that you delete the install directory for your installation. The directories that should be deleted are:

4.X – /install/
5.X – /core/install

After deleting these directories your sites cannot be affected by the issues that we’re currently investigating.

vBulletin 3.X and pre-4.1 would not be affected by these issues. However if you want the best security precautions, you can delete your install directory as well.

Source: vBulletin
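The advisory names the directories but leaves the checking to you. Here is a POSIX shell script, added as an example and not part of the vBulletin advisory, that reports whether either installer directory still exists under a web root, deletes them, and can confirm from outside that the paths no longer answer. The web-root path and the sanity check on admincp/ and core/ (present in a normal 4.x or 5.x tree) are assumptions about a typical install.

```shell
#!/bin/sh
# Added example, not part of the vBulletin advisory. Paths and the
# admincp/ / core/ sanity check are assumptions about a typical install.

# Print every installer directory that still exists under the web root $1.
# Both the 4.x (/install/) and 5.x (/core/install) locations are checked.
# Returns 0 when none is present, 1 when at least one still exists.
vb_check_install_dirs() {
    root=$1
    present=0
    for d in install core/install; do
        if [ -d "$root/$d" ]; then
            printf '%s\n' "$root/$d"
            present=1
        fi
    done
    return $present
}

# Delete the installer directories under web root $1. Refuses to act on a
# tree that has neither admincp/ nor core/ beneath it, so a mistyped path
# cannot wipe an unrelated install/ directory. Returns 0 only when nothing
# is left behind.
vb_remove_install_dirs() {
    root=$1
    if [ ! -d "$root/admincp" ] && [ ! -d "$root/core" ]; then
        echo "refusing: $root does not look like a vBulletin web root" >&2
        return 2
    fi
    for d in install core/install; do
        if [ -d "$root/$d" ]; then
            rm -rf -- "$root/$d"
        fi
    done
    vb_check_install_dirs "$root" >/dev/null
}

# Confirm from the outside. A 200 means the directory is still being
# served; after deletion you should see 404 (or 403 from a deny rule).
# Needs network access, so it is not exercised in the offline check.
vb_http_check() {
    base=$1   # e.g. https://forum.example.com (hypothetical host)
    for p in /install/ /core/install/; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base$p")
        printf '%s %s\n' "$code" "$base$p"
    done
}
```

Run vb_check_install_dirs against the document root first; an empty listing with exit status 0 means there is nothing to remove. Deleting the directory is the fix the advisory asks for, but an external vb_http_check is worth running anyway, because a cached copy, a second vhost or a deployment script that re-unpacks the distribution can bring the directory back.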


Why I Left vBulletin & Haven’t Looked Back

vBulletin is a sinking ship at this point. There is nothing that can save it. @BobBrisco has managed to take an industry leader (and I am talking by a huge margin) and royally fuck it up in a spectacular fashion.

I’ve seen a lot of people move from vBulletin to xenForo but they have also gone on to other software such as Invision Power Board. So all I want from you is to reply in the comments below and tell me why you left vBulletin. You can be as detailed as you want. The more information the better. It would be nice if you could tell us when you left to give us a bit of a time line to see when the acceleration really started. It doesn’t even have to be about the current state of the company. If you left during the good ole days, I’d love to hear why you left and where you ended up.

I am mainly looking for people that have converted from vBulletin to another software and not those that just decided to stop hanging out at vBulletin.com.

My Story

I have been around the forum world since May of 2003. I bought my first hosting package for less than 100 dollars for a year. I don’t even remember the company I bought it from but it was a shared hosting package. There my journey started with phpBB. Fast forward a year or two down the road and I knew I had something good going with my forum. I had a decent member base and we were having fun. phpBB was suffering greatly from security issues. So bad to the point that when a security exploit was revealed it was so easy to exploit it that I was able to do so using the exploit release details. We aren’t talking about complicated exploits but simply appending an SQL statement to a filename in a URL. On top of that I was wanting something a little more professional where updates with new features were happening.

My research led me to only one solution and that was vBulletin. Everyone was using it. It was the talk of the forum town at the time. If you weren’t using vBulletin, you weren’t cool. You know, peer pressure and all that shit. Well I took the bite at the time. I bought a leased license because it was all I could afford. I was in college and working at Dominos part time to pay what bills I had. Still living at home. The typical still growing up phase of life.

I loved it. It was cutting edge at the time. The developers were having fun and the community was vibrant. I happily continued down the vBulletin path until July 4, 2007. What was significant about that date? That was the date that vBulletin went from a software company developing for their customers first to a software company developing for their newly acquired parent company, Internet Brands. Internet Brands, even back in 2007, was a gigantic company. A huge player in the forum world. They owned high value forums such as MustangForums.com. They were just beginning their massive spending spree to acquire forums in some of the most lucrative niches available.

I’m not here to tell you that is when I bailed on vBulletin because it isn’t. I was skeptical about the sale but not completely aware of the end goal that Internet Brands was after. I was also 21 at the time and was not really looking toward the future in any aspect of my life. Reading my comments on vBulletin.com now makes me cringe. That’s another story though… back to the topic.

Once the takeover was announced the next major release of vBulletin was 3.7. This was not heavily influenced by IB staff but still had some touches of their influence in it. I thought this was a decent release but it was sloppy. It tried to do too much at once with Social Networking and it failed at making it all play together nicely. Concerns were brought up in the forums and we all waited until 3.8 to see if this was fixed so everyone could go on loving vBulletin again.

Then 3.8 came out. This release was 100% Internet Brands influenced as far as features go. This release introduced more social features with Social Groups. It didn’t fix any of the issues of all the other previous social features introduced. User albums? Good luck browsing them. New social group posts? Good luck finding them. New profile posts? Good luck finding them.

It was clear that they weren’t listening to their user base. At the same time it was also becoming clear to me what Internet Brands was doing. At the time I was running my Ford Mustang website, MustangEvolution.com. The site was becoming larger and larger and I was now making decent money with it. In 2008 I also became a member of a pretty awesome group that now resides at BigBoardAdmin.com. What I started out doing as fun and for a hobby was now making me money. I was amazed that this could be possible. So the journey started to see what all there was to this new money I was finding. Could I really do this for a living? Was that possible?

I had to look no further than the very company that owned the software I was using to realize just how much money was now being invested in forums.

To go back a bit, MustangForums.com used to use an ASP based software. I had always wanted the domain name because it was so appealing. A top level domain for its niche. Well one day I woke up and opened up MustangForums.com and noticed something different at the bottom. The Internet Brands logo. Then I noticed it was no longer an ASP based board but was running vBulletin now! I was confused and started digging. It took me a few minutes to process that. Then things just started firing in my head. Internet Brands is now the owner of a website that directly competes with me for members. That sucks. They have a pile of money. Wait… oh shit. Internet Brands also happens to own vBulletin software. Fuck. Now this site was running the same software as me and the company had complete control over that software.

That is when things started unraveling for me. I started to realize long before Internet Brands actually fucked up the vBulletin software that Internet Brands was not looking out for my best interest when coding vBulletin. Their entire intention was to buy up the top branded forum software in the world and keep it in their grasp while they built their forum empire.

Bob Brisco is a smart business man. A completely shitty software company owner but a smart man. He won big at the expense of all the vBulletin customers. He used the money he had with Internet Brands to make smart web property purchases via online forums. He did fail magnificently at running a software company though. He managed to destroy a trusted brand. The sad part is he won’t ever feel the pain of doing that. Only the customers will. Bob will still be floating high in a year or two when the hedge fund that took IB from a public company to a private company breaks IB apart into smaller sections and has a fire sale. So it was at that time I started making plans to move away from vBulletin. I sold my Ford Mustang site to a friend of mine at Social Knowledge last year and along with it went the last site I ever messed with vBulletin on. Any other sites I buy with vBulletin software immediately start the process of being converted to xenForo. Most of the time I don’t even want the licenses. I actually try to sell the licenses to other people before they transfer them to me due to their one transfer policy.

So that is my story and reasoning. I don’t expect you to go into that detail, though I will be kind of impressed to see if Disqus will even allow it!

So if you see me on an admin forum and I don’t have anything nice to say about vBulletin, now you have a little background on why. I prefer to look toward the future now though and that simply doesn’t exist with vBulletin and hasn’t for many years now.

So, what is your story or reasoning?

 

Originally Posted on BamaStangGuy.com


Don’t Buy! vBulletin is not what it used to be..

Internet Brands operates communities for anyone to speak. But more importantly, are they truly listening to their customers and what they are saying?

vBulletin was a great product 3-4 years ago but it’s filled with bugs and dated code now. The current version “vBulletin 5” really just needs to be completely rewritten. There are literally hundreds of reported bugs that the developers know about, as well as major missing functions from the vBulletin 4 series like the CMS. This was pushed hard in the vBulletin 4 sales days as the more expensive vBulletin Suite package. I have around 100 active clients right now that all run vBulletin 3 or 4. I’ve had a few that have been interested in upgrading so we’ll set up a development site. I put countless hours into upgrading vBulletin 3 or 4 to the current version vBulletin suggests (5.x) and then I let them play with it for a week or two. I’ve yet to get any positive feedback; it’s too slow, error messages all over the place and missing integral functions from previous versions.
It’s sad really; vBulletin was once a flagship company, but that all left in late 2009 when it was bought out by Internet Brands. The lead developers got fired or left within a few months and there has been a LOT of turnover since then as far as project managers and those in charge of development.

If you have money to blow and want to see what $300 will get you, go for it. If you want to do a little research on forums other than vBulletin.com (unlicensed members don’t see the feedback forum) you’ll see that there are a lot of longtime forum owners out there that have tried to switch to vBulletin 5 because the promo emails were saying it’s so great and then realized it was a complete disaster. You see large threads from the members complaining about browser issues, slow load times and missing functions that they had been used to.

If you read this a year from now then it may have given vBulletin enough time to fix everything and it may be a stable product; that’s what happened with vBulletin 4. Sales were pushed hard (just like vB5) and the script was sold as gold, about 18 months before it was ready. The difference this time is it’s the public’s job to report bugs in the software. You have to use the JIRA ticketing system which is complicated for the average Joe to figure out. You’re actually paying $300 for a basic forum script, and then you have to spend your time reporting all the bugs while your forum runs at a crawl… go figure.

Originally posted at TrustPilot.com


The vBulletin 5 Fiasco

Some of the latest testimonials about vBulletin 5 from license holders. Summary, do not buy!

You may have noticed today (August 8th) we attempted to give you users some much wanted change to the forums. What better way than to get you guys the latest and greatest: vBulletin 5!

Boy was I wrong. After purchasing and then slaving away at getting it up and running (it took me 8 straight hours through the night to get it up) all it did was give us troubles. vBulletin 5 is so poorly coded that we were forced to revert back to the current forum you’re on this very moment.

I wanted it to work, I truly did. However the staff and I decided that it was just impossible. vBulletin 5 is riddled with bugs and poor coding, everywhere we looked there was something going wrong or something missing, it was truly horrific. I was genuinely upset that I put the forum in this position, I felt like I was screwing everyone over even though at my heart I was trying to just give some change.

But we’re back! And I managed to keep the damage to a minimum. All we lost was essentially a couple of posts from the vBulletin 5 version of the site, which were basically all complaints anyway.

If something is wrong with your account please let me know as soon as possible, I’m pretty sure I recovered everything correctly but, as we learned with vb5, you just never know what’s going to happen.

Thanks for sticking through it, and hey! Modio was only down for like 10 minutes anyway, so that’s a plus!

Love,
Bran

Source: Game-Tuts.com


vBulletin 5.0 – It’s Crap.

Have you tried using vBulletin 5? It’s the worst written piece of crap I have ever seen in my life.

I have seen my fair share of poorly written applications in my lifetime, but this by far is the worst I’ve seen. This blunder makes vBulletin 4.0 look extremely well thought out. I would rather recommend an open source application that’s bug infested over vBulletin 5.

To name a few small problems:

  • Performance – What the hell is going on? It’s slower than molasses. It is so slow that even Internet Brands’ own vBulletin staff have started complaining that the performance is pathetic.
  • Comments – Were the idiots even thinking when they implemented this? It is a black plague to communities. It will disrupt and destroy communities. It is also one of the worst possible implementations of posts.
  • Bugs – vBulletin 5 is worse than an infestation of bed bugs.

Don’t buy it. Save your money. Save your pain. Save your frustration. Save your headaches.

If you wanted your money back, you could not get it back. People learned the hard way. Don’t let this happen to you.

 

vBulletin 5 is crap. Pure Utter Crap.


Happy New Year and Letter to the Editor

Happy New Year from Chronos and myself.

We’ve been both busy, but we have not stopped watching the disaster that is known as Internet Brands. If you have not played with their 25, 26, or whatever beta for the fifth generation vBulletin, don’t bother.

It was painful. Torture. It should be considered as cruel and unusual punishment to use vBulletin 5.

It’s sluggish. It’s counter intuitive. It’s disorganized. It’s a nuisance. It’s a blight to the internet. It should be condemned.

 

Letters to the Editor

We received this email to our inbox a while back. We decided to protect the identity of the individual and wait before publishing the email. However, sufficient time has since passed to allow us to publish the email without allowing Internet Brands to identify the individual.

 

From John Doe:

I resigned yesterday after (several) crappy months at the hellhole that is IB, and wanted to say thanks for putting up your blog, which I came across today. It’s made for good reading.

If it makes you feel any better, I don’t know if I’ve ever seen more concentrated incompetence than in my time at IB.

 

Well John, I would say since sending in your email, Internet Brands has made incompetence an art form.


My Faith in vBulletin – Gone

vBulletin today is only a shadow of its former self. The best part that’s left of it is its name. Gone are the days of being an industry trendsetter. Gone are the days of producing quality programming code and architecture. Gone are the days of quality product development.

My recommendation to anyone who still follows this blog: Leave Internet Brands. Leave vBulletin. Get out now.

It’s clear that the great and mighty empire known as vBulletin is sinking. It’s taking on water so quickly that it’s sinking faster than any one person can fix it. Where are the days when staff were actually civil, professional and respectful? Gone. I watch quietly from the sidelines as vBulletin developer advocates, such as Paul M, make snide, belligerent, condescending, disrespectful and unprofessional comments day in and day out to customers who disapprove of or are concerned about the development path vBulletin is taking. As an IT auditor, I would be fired on the spot for making any comment that is less than professional to any prospective or existing client.

These remarks serve as a gauge, a reflection on the confidence of the product Internet Brands is building. Simply put: the staff has no faith in the product. They fear the customer. They fear customer’s voting with their wallet. They FEAR YOU. They know what you probably don’t suspect. Internet Brands is bleeding money and the more we speak up, customers are paying heed to what’s out there. There are a multitude of excellent alternatives out there that exceed the capabilities of vBulletin 4 and vBulletin 5 Connect. Customers are leaving in droves to alternative solutions whether it be XenForo, Invision Power Board, or alternative solutions. Many former mega vBulletin customers are finally leaving quietly and taking their entire sites away from vBulletin. Take a look at AppleInsider.com. They once ran a vBulletin forum. It is now powered by Invision Power Board.

For those of you who want to stay, take care of yourselves. Internet Brands has recently taken on a campaign to censor what customers are able to say. Gone are the days where you have the free speech of a republic. Instead what you see is Internet Brands brutality with customers and posts mysteriously disappearing. It is a police state. A regime that terrorizes its own customers. Take a look at the level of censure that’s happening behind the scenes.

Customers standing up for themselves and a product they passionately want to see succeed are being punished. The level of discontent is rising. The pressure is now being applied to Internet Brands. Goodwill, faith, and trust are commodities that are not respected.

Stop being sheep, vBulletin customers. Internet Brands is completely in denial. Don’t be in denial too.


Renewed vBulletin License, But Left Feeling Very Cold… by Detomah

I’ve been using vb4.x since it came out and was never really very happy using that software. I much preferred vb3.x as it felt much more like forum software, self contained; it essentially did as it was meant to, giving me room to do all the other bits like CMSs, article scripts, galleries, etc. myself should I need or want them. Version 4 always felt too much like it was trying to be something more than it actually was, trying to be too big and too clever: blogs, CMSs, Groups, changeable profiles, etc., etc., way too much, not done well enough and for the most part extremely confusing for the average visitor, just wanting to join, have a chat, get the information they want and general simple stuff like that, not needing to read a manual before they could get started, and that’s what it has felt like using vb4.x… To me, vB4.x has struggled, it has never been the completed product and it has never felt like it has reached anywhere near the level it should have. I remember the jump from vb2 to vb3, now that was exciting, that was a real step forward, that saw FORUM software improve, become more usable, offer more to the end user and simply continue being what it was, but better. vb4.x, besides using newer coding practices, felt like a massive step backwards; sure it offered more functionality and bits of AJAX to make things feel smoother, but it has been a real let down…

So… Moving on to vB5 which I know is just a “beta” version at the moment, but seriously, I’m gobsmacked… It should not even be at alpha stage looking at it, never mind showing as a demo version and available for customers to buy, download and install… But my biggest gripe is that it simply does not look, feel or act like forum software any more. It feels like a poor clone of Facebook and no amount of beta versions is going to change that, because it looks like that is the way it has been designed.

I’d love to give feedback on all of the features, but there’s next to nothing to cover. I’ve installed a completely fresh copy onto my server and have had a good look around the back end, the admincp, the settings, etc., etc. and it just feels and acts horribly. I’ve used SMF which is free and that feels more professional than this release. It simply should never have been put anywhere near the public and I feel that I have completely wasted money, because no matter how long I wait, I don’t want a bolt on for Facebook, a Facebook clone, or just some other random clunky social network… If I wanted that, I could have gone to one of the many specific social network clone scripts that are out there. vBulletin is supposed to be forum software and sadly in my mind, you have killed it and that will become very apparent as customers run to the other forum software providers, who actually do as their customers want, instead of providing what you demand the customers use. Loyalty only goes so far…

Suffice to say… I’ll be uninstalling vb5 and it will sit there gathering dust, until such time as it becomes a proper functional forum solution, which sadly I suspect will never happen, as it has gone too far down the social network path now… Such a shame, this used to be a fantastic bit of software, but now it is just a shell of its former self.

The biggest shame for me is this:

The vBulletin 3.8 forums will remain active for use for the foreseeable future for support purposes. However please note that vBulletin 3.8 is considered end of life. This means that it will not have further bug-fix release or new functionality added and may not have any future security patches. We will evaluate security issues if they are received.

As that means I have to continue version 4, or run the risk of security holes being found and exploited.

Extremely disappointing, expected better, should have known.

 

Update: Suffice to say, I have now looked closely at Beta 11, but I am still feeling very cold about the product. This feels like the biggest step backwards of any script I’ve ever handed over money for.

I really hope that you guys plan on supporting vb4 with security patches for the next few years, because there’s no chance in hell of me installing vb5 in the state it is and I still seriously doubt that going from beta 11 to gold is going to change that view, even though I’ve already handed over more than £200 to renew the licences for the lifetime of vb5.


vBulletin 5 (Code) Review by Rafio

Reposted from AdminExtra.com

So I looked into the PHP error log, then into its files, and I saw… I don’t know what to call it? A massive pile of dung?

It looks to me that the vB5 code has been written by guys who only just recently started learning PHP. No matter which file I open, I am surprised by some poor code written by an amateur who had no idea, experience or knowledge of the solution to the problem at hand. IPB 2.0, which was released back in 2004, is years ahead of the vBulletin 5 code.

Centralised input processing in vB5 is non-existent. Every sane application has some middleware between your application and the request’s GET and POST variables… but this is not a sane application. This is a “write boilerplate(boilerplate($_REQUEST['meh']), boilerplate, boilerplate::boilerplate(boilerplate->boilerplate())) every time you process a request” type of application.

Their way of calling model?

$response = $api->callApi('content_attach', 'upload', array('file' => $_FILES['file']));

What about $api->get('content_attach')->upload($_FILES['file'])? Oh… right, I forgot that knowledge of PHP and design patterns.

Dependency Injection?


$api = Api_InterfaceAbstract::instance();
$config = vB5_Config::instance();

How about service container?

phpDoc, php standard for documenting code by comments?

/**Upload a photo. Return an edit block and the photo URL.
*
**/

Nonexistent.

Unified coding standard?

/**Upload a photo. Return an edit block and the photo URL.
*
**/

/** This method uploads an image and sets it as the logo in one step **/

/**
* @static
* When current lang charset isn’t the one in http content_type header
* this method will convert All Ajax $_POST data into current language charset
*/
None. *(and btw, last one is not correct phpDoc method documentation)

Tons of testing code commented out?

//echo "Logged into facebook\n";

//$returnValue = array('error' => 'Invalid AJAX method called');

// $page['searchJSON'] = $info['searchJSON'];
// $page['searchJSONStructure'] = $info['searchJSONStructure'];
// $page['error'] = $info['searchJSONStructure']['error'];
Present!

Routing-aware links builder?

header('Location: ' . vB5_Config::instance()->baseurl . '/register');
And to think Django is seven years old now and has this feature since beginning.

Separation between business logic and presentation?


if ($storecssasfile)
{
foreach($this->pending as $css)
{
$replace .= '\n";
}
}
else
{
$joinChar = (strpos($vbcsspath, '?') === false) ? '?' : '&';
$replace .= 'pending)) . "{$joinChar}ts=$cssdate \" />\n";
}

This code could be all right if it was HTML version aware… which it’s not, it generates XHTML.

Lots of evals?


eval(standard_error(fetch_error('searchnoresults', $displayCommon)));

eval('$faq[\'text\'] = "' . replace_template_variables($text) . '";');

Lots’a evals.

Modern object-oriented code?

(This one would require me to overstep the bounds of quoting to prove it to those who don’t have access to the vBulletin code, so you have to give me the credit of trust.)

The vBulletin 5 codebase is neither modern nor object-oriented. The best way to describe this code is to call it PHP 4 without the reference assignment (“&=”) operator. Code in the “include” directory is object-oriented (it even follows the PSR-0 standard!), however the majority of it looks more like a set of functions that were put together in a single container for easier access via autoloading than real objects. On the opposite side of the spectrum you have the “core” directory, which is procedural. Why? Who the hell writes “MVC” code (I am being generous here) and then goes “screw it, we will keep business logic in procedural files”?

From reading their code I get the idea that it was written by people who addressed programming issues by mimicking other people’s code. They wanted a “smart” way of handling data manipulation, so they probably took the idea from IPB 2.3’s APIs. They wanted smart autoloading, so they probably looked up xF’s (and by proxy Zend Framework’s) PSR-0 implementation. They wanted to write OOP code, but they didn’t know what that really means, so they packed their functions together in classes. They didn’t have time to learn the flaws in PHP string manipulation functions which would force them to write input middleware and sanitize it for stuff like null bytes. They didn’t know PHP 5 has mbstring as the standard library for working on multibyte strings, so they wrote their own vb5_String class. Everybody has an Auth class, but they couldn’t understand why one uses an auth class in code, so they made their own vb5_Auth which does nothing besides setting cookies on the user’s sign-in and returning a redirect link after successful sign-in. There is no logic in this class.

I see no greater scheme of things in vBulletin 5. From the look of the code I can say that it was written by a group of programmers with no workflow organisation, no project plan and very different (usually low) skill levels. Lots of code was written hoping for the best and without any backup plan. In many places they are using $_REQUEST variables without checking if those exist. If they do, great. If not… well, depending on your php.ini and error_reporting, PHP won’t complain… unless it’s to the PHP error log, which eventually will be flooded with interpreter notices.

If I were to use the vBulletin 5 code as a benchmark of IB’s capabilities, I would make sure this company never gets any money from me and would stay away from their products. Internet Brands is the network counterpart of ’96’s Bethesda Software (Google “Buggerfall” if you care). I see no care about product quality in IB’s work, only a rush for people’s wallets packed in corporate marketing.

Finally, this code also makes IB’s claim that xF “stands on the shoulders of more than a decade of development by Jelsoft” laughable. A decade of development and the best you could do is this pile of crap? You really have balls to rip people off like that.

Really, vBulletin 5 feels like the after-hours project of some amateur who was using old PHP tutorials as a source of knowledge, NOT a corporation-backed product aimed to compete on the market… and this is happening in 2012, five years after Zend Framework 1.0 was made available to the public.

What a disaster, I can’t even find the words to describe this situation.

rafio
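Three of the points in the review above are security-relevant rather than stylistic: request variables read straight from $_REQUEST with no existence check, no sanitizing of null bytes, and templates rendered by building PHP source and passing it to eval. The following PHP is an added example, not vBulletin code and not rafio’s; the Input class, render_with_eval and render_template are hypothetical names, and the request array is constructed. render_with_eval reproduces the shape of the eval line quoted above: it assembles a double-quoted PHP string from template text, so any unescaped ", $ or \ in that text is parsed as PHP rather than displayed (shown here as a ParseError, which is the mild outcome). render_template substitutes placeholders by lookup and never evaluates anything, and Input supplies the existence check, null-byte stripping and type validation the review says is missing.

```php
<?php
// Added example, not vBulletin code. Class and function names are
// hypothetical; the request array below is constructed, not captured.

final class Input
{
    /** @var array<string,mixed> */
    private array $source;

    public function __construct(array $source)
    {
        $this->source = $source;
    }

    // String parameter, or $default when absent or not a string. Null bytes
    // are stripped so the value cannot truncate a path in a C-level call.
    public function str(string $key, string $default = ''): string
    {
        $v = $this->source[$key] ?? null;
        return is_string($v) ? str_replace("\0", '', $v) : $default;
    }

    // Integer parameter validated as a whole number, or $default.
    public function int(string $key, int $default = 0): int
    {
        $v = $this->source[$key] ?? null;
        if (!is_scalar($v) || filter_var($v, FILTER_VALIDATE_INT) === false) {
            return $default;
        }
        return (int) $v;
    }
}

// The pattern quoted in the review: PHP source is assembled from template
// text and evaluated. Unless $text has had " $ and \ escaped first, those
// characters are interpreted as PHP, not shown.
function render_with_eval(string $text, array $vars): string
{
    extract($vars, EXTR_SKIP);
    $out = '';
    eval('$out = "' . $text . '";');
    return $out;
}

// Lookup-based replacement of {name} placeholders: nothing from the
// template is ever executed, and each value is escaped for HTML output.
function render_template(string $text, array $vars): string
{
    return preg_replace_callback(
        '/\{([a-z_][a-z0-9_]*)\}/i',
        static function (array $m) use ($vars): string {
            $val = $vars[$m[1]] ?? '';
            return htmlspecialchars((string) $val, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        },
        $text
    );
}

// Constructed request: a non-numeric id, a null byte inside a search
// string, and a parameter that is not present at all.
$req = new Input(['faqid' => '12abc', 'search' => "hello\0world"]);
var_dump($req->int('faqid'), $req->str('search'), $req->str('missing', 'n/a'));

$vars = ['title' => 'Getting started', 'user' => '<script>alert(1)</script>'];

// Same template text through both renderers. The safe one prints it with
// the quotes intact and the user value HTML-escaped; the eval one never
// gets that far, because the bare " in the text ends the PHP string early.
$tpl = 'Say "hi" {user}, welcome to {title}';
echo render_template($tpl, $vars), "\n";
try {
    echo render_with_eval($tpl, $vars), "\n";
} catch (ParseError $e) {
    echo "eval path: template text was parsed as PHP (", $e->getMessage(), ")\n";
}
```

The ParseError is the lucky case. Text that happens to form valid PHP after interpolation is executed silently, which is why the only robust fix is to stop generating code from template text at all, as render_template does, rather than to keep patching the escaping in front of eval.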



Attention Deficit Disorder – Internet Brands’ Direction?

Internet Brands acquires ForumRunner. But they also have competing products.

Well if you have not been observing the news, Internet Brands acquires mobile app developer Forum Runner.

Don’t get me wrong here, it’s definitely a win in the direction for Internet Brands, if you count also the additional bloat they now add to your forums, as well as maybe mediocre coding, dismal corporate culture, and did we forget competing products? Ooops?

The problem I see here is Internet Brands is bleeding. No, correction, they are hemorrhaging money like no other.

They’re barely getting their act together thanks to Allen Lin, however, they don’t know what to do! They’re caught, frozen, like deer in headlights. They have no sense of direction. They have no vision, no goals except money money money.

Plus they buy another application that while it adds to their portfolio, it also cannibalizes their own time, effort and energy at developing their products. It does not complement their products in anyway. There is no strategy. There is no corporate “synergy.”

Oh and don’t get me started on the pricing. They are raping customers’ wallets. Why? Because they don’t know how to spend it wisely. They are running up the credit cards to pay for the timeless strategy of throwing everything at the wall and hoping it sticks.

 

Well wake up Internet Brands. Wake up Hellman & Friedman. This is gross mismanagement. Any first year auditor would write this organization’s senior management up for this level of incompetence.

Let’s face it. vBulletin has no shape. It is like this piece of liquid ooze, spreading all over the place trying to be good at everything. The reality is they suck at everything. They should be focusing on being excellent, superb at a few things, rather than be mediocre (which they have not attained mediocrity yet).
