| 7:36 pm on Jul 22, 2010 (gmt 0)|
A clarification is in order, it can only "hack a site" if the entire site is a vBulletin forum. The vulnerability is only in the forum, not an entire site. Seems trivial, but many will see "site" and think otherwise.
| 9:22 pm on Jul 22, 2010 (gmt 0)|
It seems like it's all over the news now...
| 7:52 pm on Jul 23, 2010 (gmt 0)|
A security patch was released on July 21, and can be downloaded by registered users:
| 2:51 am on Jul 24, 2010 (gmt 0)|
I feel fortunate not to have upgraded yet from 3.8.5. That is a hideous vulnerability to leave open. I would have expected a bit more of a mea culpa from Internet Brands.
| 2:29 pm on Jul 24, 2010 (gmt 0)|
vBulletin development has been a mess since Internet Brands bought Jelsoft (for more detail read the page about vBulletin on Wikipedia). So personally I'm looking for a way out, whilst secretly hoping the original team might start a new project, failing that I might consider vBulletin 5 if IB have a handle on it by then...
| 10:50 pm on Jul 24, 2010 (gmt 0)|
| 7:28 am on Jul 25, 2010 (gmt 0)|
Are there better alternatives to vBulletin? I was about to buy it.
| 6:07 pm on Jul 25, 2010 (gmt 0)|
If you buy VB, you'll be buying the new 4.+ versions, which don't have these vulnerabilities. I think. Hope. :-)
| 8:41 pm on Jul 25, 2010 (gmt 0)|
Anyhow, is there anything as good as or better than vB? Does anyone know IP Board?
Or which free solution would be the best?
| 9:39 pm on Jul 25, 2010 (gmt 0)|
|If you buy VB, you'll be buying the new 4.+ versions, which don't have these vulnerabilities. I think. Hope. :-) |
Were you using version 3 previously? If so, how do the two compare? I don't see any new functionality worth upgrading for yet that isn't available in a modification, and the performance requirements have increased...
|Or which free solution would be the best? |
PHPBB is the most popular free alternative...
| 5:35 pm on Jul 26, 2010 (gmt 0)|
The customers I'm working with all still have older versions, and I'm applying their patches, reporting no problems so far. Some history here [webmasterworld.com] and here [webmasterworld.com] on why my clients haven't jumped to 4.+. Bottom line is that you can use "old versions" "forever" without licensing updates, but you get no support. Yet here's this patch <shrug>.
| 7:26 pm on Jul 26, 2010 (gmt 0)|
A recent change in vB licensing arrangements and a good number of forums remaining on 3 series might mean that 3 series could remain supported for some time. I certainly hope so. I'm not moving useful forums to 4 series having tested it and kept an eye on it, but I'm not moving them elsewhere either as all my URLs will change.
Others must feel exactly the same, as a mess-up in a 3 series upgrade got a mention on the WebmasterWorld homepage. For the record it revealed database access credentials rather than passwords to the admin account. Leaves you open to more damage, but sensible server management (i.e. not allowing database access from remote machines) could have reduced risk. Not upgrading for a few days after an update is the best security measure - there are always patches.
| 2:17 am on Jul 27, 2010 (gmt 0)|
|Bottom line is that you can use "old versions" "forever" without licensing updates, but you get no support. |
Given how good and thoroughly well tested vBulletin 3.8.4 and 3.8.5 are, buying a second hand copy is an option...
| 4:02 am on Jul 27, 2010 (gmt 0)|
What's the problem with version 4 (if starting a new forum)?
| 6:22 pm on Jul 27, 2010 (gmt 0)|
Cost. Per the threads above, felt as though we were - even as paying licensed customers - being throttled into buying an expensive upgrade in trying to execute due diligence by keeping versions up to date. For some applications, where the forums are just hobbyist or supplemental add ons, it would not be cost effective to invest in it (think it was about $400?)
| 6:23 pm on Jul 27, 2010 (gmt 0)|
The initial worries about vB4 were the change in pricing structure and the rush to release that led to a lot of bugs. Those seem to be gradually being sorted.
Apparently styles in vB4 are difficult to modify, it is database intensive and slower than vB3 (though Shawn Hogan has published modifications to improve this), and it doesn't support IE6. vB3 has advantages over vB4 for many.
| 6:52 pm on Jul 27, 2010 (gmt 0)|
Cost is not my worry as this would be for the site that makes money.
What worries me is:
- SEO friendliness
- easiness of forum management
- making it part of existing static website (can be subdomain or subfolder, no complicated integration, just using existing domain and site)
- possibility of extending it so people can run their blogs or similar (I see vB 4 has it in its suite, and I see IP Board has forum and blog as separate packages)
I'm not attached to any, and I welcome other solutions as well. I don't care if it's $200 or $2,000.
I just care about getting a good platform.
Yes, I would hate to see me spending $500 and figuring some free open source would do it better. Uncertainty is what is stopping me.
| 10:52 pm on Jul 27, 2010 (gmt 0)|
I did a little hunting with Google and after a few minutes found details of the "hack." I thought it may have been some sort of PHP injection to force it to reveal an arbitrary variable, but it is surprisingly simple.
Thankfully my version doesn't seem to be affected; I tried both the "hack" method and checking the particular install file for certain strings.
My db server disallows remote logins anyway, the worst that could have happened is they would be able to see the (unique) user/pass for vbulletin...
| 5:40 am on Oct 5, 2010 (gmt 0)|
|vBulletin development has been a mess since Internet Brands bought Jelsoft (for more detail read the page about vBulletin on Wikipedia). So personally I'm looking for a way out, whilst secretly hoping the original team might start a new project, failing that I might consider vBulletin 5 if IB have a handle on it by then... |
Seems a new project has been in the works after all...