vBulletin is a little bit different than the list of CMSes we have been analyzing in this series. The first and most apparent being that it is not a free piece of software. The vBulletin site displays a cost of $195-$285 for a new license. The obvious question then, is why do people pay for this CMS when there are other good CMSs available for free? The answer lies in the varied list of features, such as a built-in photo album, event management and many other interesting and helpful features. Add to this good support, compatibility with existing software, many themes, built-in integration for payment engines and advertisement support… it’s not hard to see why vBulletin has acquired a large fan base.

Next, we will take a closer look at vBulletin to understand security issues facing active installations seen publicly on the Internet.

The aim of this experiment:

• To determine the number of vBulletin sites using older versions of the CMS package (and hence vulnerable to attacks).
• To identify the associated scripts vBulletin that users install in addition to core vBulletin functionality.
• Identify the vulnerabilities of using the associated scripts.

Experiment methodology:

An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed vBulletin. Understandably, not all 100,000 websites would actually be using vBulletin. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by vBulletin or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between February 5th and February 8th, 2010.

Distribution of vBulletin versions:

In 93.09% of sites running on vBulletin the version number could be identified. We found the following distribution of vBulletin versions in the websites examined (where versions of installations could be determined). A more detailed breakdown of the distribution of vBulletin versions can be seen at the end of this article.

Significant numbers of older vBulletin installations are present on the Internet.

Note: Publicly available information about exploits for vBulletin 3.x.x and earlier versions exist. [1] [2]

We present the most interesting results here:

• Nearly 95% (see graph above) of vBulletin sites are running older versions for which exploits are available.
• None of the vBulletin sites were blacklisted by Google Safe Browsing.
• Only 13.5% of vBulletin sites had Iframes embedded in them. None of the Iframes were obfuscated or tried to load malware. All Iframes found loaded ads.
• 10.2% of the vBulletin sites which had Iframes were using JQuery.
  Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism.
• Only 0.1% of the vBulletin sites use Mootools
• None of the vBulletin sites use AC_RunActiveContent.js.

Conclusion:

This limited experiment shows that like WordPress, vBulletin also suffers from a large number of vulnerable installations being available on the Internet. It is intriguing to see that a CMS system, which is not free, and is tightly controlled is not kept up to date across the board. Consider the case of Drupal, where we observed that the variety in the versions of various installations is very low. The natural question at this point is: why is a free CMS system like Drupal doing better, security-wise, than a commercial CMS system like vBulletin? Why are most Drupal installations up to date. One thing to note though is that like Drupal and phpBB, vBulletin installations also seem to be relatively safe from the most prevalent malware. Most Iframes on vBulletin sites are Ads, a likely revenue stream for most forum admins.

The fact remains that there many vulnerable installations of vBulletin which can fall prey to malicious hackers.

Till next time.

See below for detailed breakdown of the distribution of vBulletin versions:

• 0.89% of sites were running version 3.0.13
• 0.29% of sites were running version 3.0.14
• 0.29% of sites were running version 3.0.3
• 0.29% of sites were running version 3.0.5
• 0.29% of sites were running version 3.0.7
• 1.18% of sites were running version 3.5.2
• 2.67% of sites were running version 3.5.4
• 0.29% of sites were running version 3.6.1
• 1.18% of sites were running version 3.6.10
• 0.59% of sites were running version 3.6.12
• 1.18% of sites were running version 3.6.2
• 4.45% of sites were running version 3.6.4
• 0.29% of sites were running version 3.6.6
• 1.48% of sites were running version 3.6.7
• 4.74% of sites were running version 3.6.8
• 0.29% of sites were running version 3.6.9
• 2.96% of sites were running version 3.7.0
• 2.37% of sites were running version 3.7.1
• 1.78% of sites were running version 3.7.2
• 4.74% of sites were running version 3.7.3
• 2.37% of sites were running version 3.7.4
• 1.18% of sites were running version 3.7.5
• 2.96% of sites were running version 3.7.6
• 1.48% of sites were running version 3.8.0
• 8.90% of sites were running version 3.8.1
• 10.3% of sites were running version 3.8.2
• 3.85% of sites were running version 3.8.3
• 31.7% of sites were running version 3.8.4
• 2.07% of sites were running version 4.0.0
• 2.07% of sites were running version 4.0.1
• 0.59% of sites were running version 4.0.2