Forum Upgrade to vBulletin 5?

#1
11.04.2016, 11:31
SpiritV

Hi everyone

Before I launch into the technical details as to why I think this is a good idea, I'll put the tl;dr out there right now: I think it's a good idea to upgrade the forum software to vBulletin 5. Can we please do that?

Why? Security!

Mainly, it's a security issue. Currently we're running on vBulletin 3.8.4. This software version was released in 2010. While it's absolutely stable and admittedly does a good job, there are a number of big security holes in this.

I would love to see these holes fixed, because on this forum I - and I think a lot of other people - share a lot of personal data that I don't necessarily want to see leaked to the net. Sure, I'm taking precautions where I can, but I have revealed my address and my real name on here, among other things.

A selection of security issues that could lead to the forum being hacked:

  • Registration Bypass
  • SQL Injection - Basically, a hacker can inject malicious code that has an effect on your machine into the forum software
  • File Inclusion - A hacker can include a malicious file such as a script or a virus into the forum's software.
  • PHP Object Injection - A hacker can run any PHP-command she likes. There are patches available for vBulletin 3.8.7 and above. We run on 3.8.4 so there's no way of fixing this.
  • Cross Site Scripting Redirection - "An XSS flaw within the user profile page has recently been discovered. This could allow an attacker to carry out an action as a user or obtain access to a user's account."
  • User Input Spoofing - Exact nature unspecified but the description of the vulnerability type is that someone could imitate input and make it look as if someone else does it. In the context of this forum, this could mean that someone might be able to post as you.

So this looks kind of bad. I mean, sensitive data and a number of quite bad security holes... not good. Now, there's no reason to panic, but there's also no reason to not do anything about this six years after the release and while some of these vulnerabilities have been out in the wild for over four years.


Therefore, could we please upgrade the forums? If not, what speaks against it? Depending on what is wrong, me or other forum members with an IT background might be able and willing to help out.

EDIT: Of course, an upgrade wouldn't just have advantages for security. Among the new user experience features would be the fact that it's now responsive to mobile devices. This means that the forum would look a lot better on phones and tablets. That would also be quite sweet, no?

Cheers!

#2
11.04.2016, 16:25
mirfield

I forwarded your query to the boss. He should be able to give a better answer than any of the mods.

#3
11.04.2016, 16:56
dodgyken

Quote:

  • Registration Bypass
  • SQL Injection - Basically, a hacker can inject malicious code that has an effect on your machine into the forum software
  • File Inclusion - A hacker can include a malicious file such as a script or a virus into the forum's software.
  • PHP Object Injection - A hacker can run any PHP-command she likes. There are patches available for vBulletin 3.8.7 and above. We run on 3.8.4 so there's no way of fixing this.
  • Cross Site Scripting Redirection - "An XSS flaw within the user profile page has recently been discovered. This could allow an attacker to carry out an action as a user or obtain access to a user's account."
  • User Input Spoofing - Exact nature unspecified but the description of the vulnerability type is that someone could imitate input and make it look as if someone else does it. In the context of this forum, this could mean that someone might be able to post as you.
They all sound like vaccinations - we don't need those!

#4
11.04.2016, 17:00
Textoch

Quote:
They all sound like vaccinations - we don't need those!
I agree. If every other forum does the upgrade, we should be fine.

#5
11.04.2016, 17:07
SpiritV

Quote:
I forwarded your query to the boss. He should be able to give a better answer than any of the mods.
Sweet. Thanks.

Quote:
They all sound like vaccinations - we don't need those
I repeat: Vaccinations do not cause autism. Forum vaccinations do not cause eAutism.

Also, the vulnerabilities I've listed are not something we could get. They're something we already have. They're gaps in the code that allow for other people to do all kinds of stuff with the forum and its database.

SQL injection is called SQL injection because someone else can inject code into gaps in our system.

Quote:
I agree. If every other forum does the upgrade, we should be fine.
That's not quite how it works.

If there are fewer forums that are vulnerable, the likelihood that we get hit is bigger.

#6
28.04.2016, 08:25
SpiritV

Do we have an update on this? Because it would be sweet.

#7
28.04.2016, 09:16
Phil_MCR

Quote:
Hi everyone

Before I launch into the technical details as to why I think this is a good idea, I'll put the tl;dr out there right now: I think it's a good idea to upgrade the forum software to vBulletin 5. Can we please do that?

Why? Security!

Mainly, it's a security issue. Currently we're running on vBulletin 3.8.4. This software version was released in 2010. While it's absolutely stable and admittedly does a good job, there are a number of big security holes in this.

I would love to see these holes fixed, because on this forum I - and I think a lot of other people - share a lot of personal data that I don't necessarily want to see leaked to the net. Sure, I'm taking precautions where I can, but I have revealed my address and my real name on here, among other things.

A selection of security issues that could lead to the forum being hacked:

  • Registration Bypass
  • SQL Injection - Basically, a hacker can inject malicious code that has an effect on your machine into the forum software
  • File Inclusion - A hacker can include a malicious file such as a script or a virus into the forum's software.
  • PHP Object Injection - A hacker can run any PHP-command she likes. There are patches available for vBulletin 3.8.7 and above. We run on 3.8.4 so there's no way of fixing this.
  • Cross Site Scripting Redirection - "An XSS flaw within the user profile page has recently been discovered. This could allow an attacker to carry out an action as a user or obtain access to a user's account."
  • User Input Spoofing - Exact nature unspecified but the description of the vulnerability type is that someone could imitate input and make it look as if someone else does it. In the context of this forum, this could mean that someone might be able to post as you.

So this looks kind of bad. I mean, sensitive data and a number of quite bad security holes... not good. Now, there's no reason to panic, but there's also no reason to not do anything about this six years after the release and while some of these vulnerabilities have been out in the wild for over four years.


Therefore, could we please upgrade the forums? If not, what speaks against it? Depending on what is wrong, me or other forum members with an IT background might be able and willing to help out.

EDIT: Of course, an upgrade wouldn't just have advantages for security. Among the new user experience features would be the fact that it's now responsive to mobile devices. This means that the forum would look a lot better on phones and tablets. That would also be quite sweet, no?

Cheers!
Thanks for posting. I look forward to trying these out!

#8
28.04.2016, 09:53
Guest

Quote:
Thanks for posting. I look forward to trying these out!
Those that can do this will already know about it

#9
28.04.2016, 10:20
Phil_MCR

Quote:
Those that can do this will already know about it
Well, I didn't know about it but now I do

#10
28.04.2016, 10:33
Guest

Quote:
Well, I didn't know about it but now I do
Ah but can you do it?

#11
28.04.2016, 12:40
mirfield

Quote:
Do we have an update on this? Because it would be sweet.
There is something in the pipeline, but I think it'll take a while to plan, test and implement the migration.

#12
28.04.2016, 13:01
Assassin

I'll throw in my $ 0.02. E-homeopathy, avoid peppermints and we'll all be just fine.

#13
26.05.2016, 11:18
soswiss

Any news on vBulletin 5 upgrade? Using EF on mobile is a challenge.

#14
26.05.2016, 11:21
Phil_MCR

Quote:
Any news on vBulletin 5 upgrade? Using EF on mobile is a challenge.
can't you just use tapatalk?

#15
26.05.2016, 11:24
Treverus

Quote:
There is something in the pipeline, but I think it'll take a while to plan, test and implement the migration.
Will it be done before Musk finishes the hyperloop prototype?

#16
26.05.2016, 11:27
Phil_MCR

Quote:
Will it be done before Musk finishes the hyperloop prototype?
no

#17
26.05.2016, 12:36
Pachyderm

Sorry, a bit long, but...

I used to administer a vBulletin forum, installed and designed from scratch, and I went through various version changes and upgrades. It's a really simple process requiring not much skill, but if "the boss" is nervous about hitting the button, the hosting company or vB themselves will do the work for a modest fee. It's quick and simple. As long as there's a db backup there is really no risk.

I'm out of touch with the back-end changes over the years but IMO the OP makes an irresistibly compelling case for an upgrade if we are now 6 years behind the latest version.

Apart from better usability, the security issue is important. We may not have bank or credit card details stored in profiles but there will be a lot of personal contact information. Also, people should be aware that all PMs remain in the database and easily readable by anyone with admin access. A hacker would probably find a lot of personal data here as it's not encrypted. PMs may well contain highly confidential information re finances, personal circumstances and medical conditions, to name just a few.

So I too would like an upgrade to the latest version, please. Moreover, apart from security/usability, my previous forum admin experience is that it helps a tremendous amount with marketing, usage and general forum happiness to keep the upgrades coming. New little tools and widgets, and modest styling improvements keep the punters interested and active.

------------------------------------------------------------
*Just occurred to me that we don't know which vB pricing model the site owners have gone for. They may have bought the software outright rather than take the leased automatic upgrade model. I would ask the owners to talk to vB about options. In the big scheme of things, we are not talking about a lot of money. And if money really was the issue, I'm sure we could come up with a creative answer. You can buy centuries of upgrades with 120K CHFs.....

#18
26.05.2016, 15:57
josep

For me there are two good reasons to make the update.

1st: the current version looks really old-fashioned... come on, same look for so many years... nothing revamped. Aesthetics do matter in many ways

2nd: the experience accessing from mobile devices is... really bad.

#19
29.06.2016, 14:54
Medea Fleecestealer

If it'll make vbulletin actually go to the last post in a thread I'd be very happy.

Currently the Brexit thread is at page 154 - so why does vbulletin insist on sending me to my post on page 58 when I use the link from an e-mail notification? It's not as if I haven't made both earlier and later posts in that thread so why can't it get closer. For heaven's sake that's nearly 100 pages off! It's always been bad for that sort of thing, but that must be a record distance between where the last post is and the actual page you get taken to.

#20
29.06.2016, 14:58
JagWaugh

Quote:
If it'll make vbulletin actually go to the last post in a thread I'd be very happy.

Currently the Brexit thread is at page 154 - so why does vbulletin insist on sending me to my post on page 58 when I use the link from an e-mail notification? It's not as if I haven't made both earlier and later posts in that thread so why can't it get closer. For heaven's sake that's nearly 100 pages off! It's always been bad for that sort of thing, but that must be a record distance between where the last post is and the actual page you get taken to.


Odd, works for me.


The Quote function not always working is what annoys me.


Out of interest, what browser are you using?

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.
LinkBacks Enabled by vBSEO 3.1.0