How much of a WTF is vBulletin 5?



  • Continuing the discussion from Unsetting an unset variable:

    @LoremIpsum said:

    And also enough XSS vulnerabilities to make Discourse look like an iron curtain.

    Then again, Community Server still takes the biscuit.


    A website I know is planning on moving from phpBB to vB 5. Upon testing their demo build, I have already found 3 bugs, and as shown above, even one of the most recent releases contained a number of XSS vulnerabilities. As well as that, vB5 still doesn't have a migration feature, so our old posts can't be moved over.

    If vB was a free open-source project, then I'd go meh. But this is a commercial product, and this bullshit is unacceptable. What should I convince them to use instead? I can't believe I'm saying this, but Discourse is a viable alternative.



  • A site I help to moderate uses this:

    I don't know much about it from a security perspective though.



  • I developed against IPB years ago, from 1.2 to 3.2. Honestly IPB is really good, it's structured OOP correctly and isn't some retarded pile of functions in files like SMF or phpbb. There's logical class inheritance, centralized groups of functions in classes, routing to controllers, etc. It's actually php done right up to a point. The only recent hole was because they fucked up the cron/task scripts that don't use their framework directly and so had a little oversight in their input filter.



  • XenForo is the modern vB. In fact it was written by the same guys who originally wrote vBulletin but were driven out by new management.

    Unless it's your site, this probably doesn't help.



  • Interesting to know, nonetheless.


  • sockdevs

    @delfinom said:

    I developed against IPB years ago, from 1.2 to 3.2. Honestly IPB is really good, it's structured OOP correctly and isn't some retarded pile of functions in files like SMF or phpbb. There's logical class inheritance, centralized groups of functions in classes, routing to controllers, etc. It's actually php done right up to a point. The only recent hole was because they fucked up the cron/task scripts that don't use their framework directly and so had a little oversight in their input filter.

    IPB is also very unwieldy and hard to optimise for. But in SMF's case, so much of it was written before OOP was a viable thing in PHP and no-one wanted to rewrite the damn thing.

    I'd second XenForo though.

