http://www.axivo.com/forum/ This is a discussion forum related to latest products and services offered by Axivo Inc. en Thu, 09 Sep 2010 16:33:37 GMT vBulletin 60 http://www.axivo.com/forum/images/misc/rss.jpg http://www.axivo.com/forum/ http://www.axivo.com/forum/showthread.php?t=138&goto=newpost Sat, 04 Sep 2010 21:40:54 GMT Following on from an exploit created by an Iranian Security group, it would appear that *any* vBulletin version below 3.8.6 PL1 is vulnerable, not... Following on from an exploit created by an Iranian Security group, it would appear that any vBulletin version below 3.8.6 PL1 is vulnerable, not just the ones listed in the exploit documentation.

Basically, if I'm an administrator (Floren uid 1), the hacker can generate a registered user (Floren uid 3856).

If you allow the Registered Users group to change their user title, the hacker can impersonate any admin and start posting fake announcements, or simply emulate your posting behavior like replying to public threads, etc. The group permissions still apply, so no direct abuse can be inflicted to forum. However, since the impersonator's username is identical to yours, he/she will start receiving your PM's also, gaining privacy control over all data sent to you.

The only fix available is to filter your usernames and allow only alphanumeric characters, when a guest tries to register.
Go to vBulletin Options and select the User Registration Options menu.
Into Username Regular Expression field, enter:
^[a-zA-Z0-9@\._ ]+$

This regular expression will allow new usernames to contain only alphanumeric characters, as well the @, dot, underscore and space symbols. You can add other symbols, if you like. The regex is used to stop a guest registering an username containing the & and # characters. The exploit use those characters to generate a fake username identical to an existing forum member. Unfortunately, the regex fix will affect all forums who allow unicode characters into usernames.

I recommend you to apply the modification, as soon as possible. ]]> Tutorials and Reviews Floren http://www.axivo.com/forum/showthread.php?t=138 http://www.axivo.com/forum/showthread.php?t=133&goto=newpost Tue, 31 Aug 2010 18:42:04 GMT Floren, Finally installed at automotiveforums.com - the search is awesome. However, while any keyword search is blazing fast (~0.2 seconds).... Floren,

Finally installed at automotiveforums.com - the search is awesome.

However, while any keyword search is blazing fast (~0.2 seconds).
search.php?do=getdaily and getnew for some reason take well over 3 seconds every time.

Are the settings incorrect somewhere? Is there an explanation for this? I am wondering if Searchlight is being used for these queries.

Thanks!

Igor ]]> General Discussions igor@af http://www.axivo.com/forum/showthread.php?t=133