
***Security Risk*** CloudBleed & Opencarry.org

stealthyeliminator

Regular Member
Joined
Dec 29, 2008
Messages
3,100
Location
Texas
In addition, if you use other sites that use CloudFlare (there are quite a few) you should probably change your passwords on those as well!
 

since9

Campaign Veteran
Joined
Jan 14, 2010
Messages
6,964
Location
Colorado Springs, Colorado, USA
vBulletin is not exactly the most secure online messaging forum. In fact, it's pretty darn full of holes. There are ways of plugging the holes, but it's a hodgepodge of fixes.

phpBB, on the other hand, is free and can use cheap but reliable basic SSL/TLS (https) certificates. It remained free from cloudbleed.

ProBoards is another good option.

Staying with vBulletin, however, is like grabbing hold of the Titanic on that cold, winter night in deep, frozen Atlantic waters.
 

jackrockblc

Regular Member
Joined
Jul 13, 2014
Messages
256
Location
Jefferson County, CO
phpBB, on the other hand, is free and can use cheap but reliable basic SSL/TLS (https) certificates. It remained free from cloudbleed.

The software was not a factor in Cloudbleed. The SITE of phpbb.com was unaffected because that site's administrators did not use the Cloudflare service. However, the phpBB software was not the reason behind that.

If a site was hosted behind CloudFlare, it had the potential to be affected. The software they used was not really the weakness.

A site that uses VBulletin or Proboards or Joomla or even Sharepoint would potentially be affected if they hosted the service behind Cloudflare.
 

since9

Campaign Veteran
Joined
Jan 14, 2010
Messages
6,964
Location
Colorado Springs, Colorado, USA
The software was not a factor in Cloudbleed. The SITE of phpbb.com was unaffected because that site's administrators did not use the Cloudflare service. However, the phpBB software was not the reason behind that.

If a site was hosted behind CloudFlare, it had the potential to be affected. The software they used was not really the weakness.

A site that uses VBulletin or Proboards or Joomla or even Sharepoint would potentially be affected if they hosted the service behind Cloudflare.

Despite the reference you mentioned, I found no reference that opencarry.org was affected. Cloudflare is used by over 5.5 million websites around the world but Cloudbleed only affected certain services. According to Cloudflare, "around 1 in every 3,300,000 HTTP requests through Cloudflare potentially [resulted] in memory leakage (that’s about 0.00003% of requests)". Additionally, Cloudbleed only affected webpages that carried a specific combination of unbalanced HTML tags.

Pirate (Nick Sweeting) has been doing a super job updating the list of sites that were affected via a variety of data sources. You can access that list, including his sources on github, here.

Regardless, my comments on message forum security remain sound. I'm still an admin on three vBulletin message forums, yet I'll be the first to proclaim just how much of a dinosaur it really is.
 

jackrockblc

Regular Member
Joined
Jul 13, 2014
Messages
256
Location
Jefferson County, CO
Despite the reference you mentioned, I found no reference that opencarry.org was affected. Cloudflare is used by over 5.5 million websites around the world but Cloudbleed only affected certain services. According to Cloudflare, "around 1 in every 3,300,000 HTTP requests through Cloudflare potentially [resulted] in memory leakage (that’s about 0.00003% of requests)". Additionally, Cloudbleed only affected webpages that carried a specific combination of unbalanced HTML tags.

I hadn't heard about the HTML tag vulnerability, that's good to know.

And yeah, Cloudflare certainly isn't serving all of the world's websites, so I doubt this is as big of an issue as some are claiming.

Regardless, my comments on message forum security remain sound. I'm still an admin on three vBulletin message forums, yet I'll be the first to proclaim just how much of a dinosaur it really is.

Can't argue that, except I feel that phpBB is worse in many ways, including security, than VBulletin. Of course, that's a pretty low mark to hit. My point was in how it was presented that VBulletin was the problem here (it wasn't) and that phpBB software was immune to the Cloudbleed (it isn't). According to the GitHub link you posted, it's primarily to do with HTML Rewrites enabled (done at the server level), and would allow access to info from sites that did NOT have Rewrites enabled.

What I do find interesting is that Opencarry.org, .com and .net are all on the list of possibly-affected websites, as you can see here: https://cloudbleedcheck.com/?domain=opencarry.org (it's also on the massive .txt file that is linked from the GitHub page).
 
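The two posts above turn on the same practical question: the published "possibly affected" domain list tells you which sites sat behind Cloudflare, and the only sensible response for a user is to rotate passwords on accounts at those sites. The script below is an added example, not code from the thread or from the GitHub project it links; it reads a domain list in the one-host-per-line format of that text file and a password-manager CSV export, and reports which accounts to rotate. Both inputs here are constructed samples (opencarry.org is the only entry the thread itself confirms as listed); the CSV column names and the list excerpt are assumptions. Matching walks parent domains, so forum.opencarry.org matches opencarry.org while a lookalike such as notopencarry.org does not.

```python
"""Check account URLs against a Cloudbleed 'possibly affected' domain list.

Added example, not from the forum thread. The list excerpt and the CSV
export below are constructed sample data; the real list is the text file
linked from the GitHub page the thread mentions.
"""
import csv
import io
from urllib.parse import urlsplit

# Constructed excerpt standing in for the published list; opencarry.org is
# the one domain the thread itself says appears on it.
AFFECTED_LIST_TEXT = """\
# possibly-affected domains (constructed sample)
opencarry.org
opencarry.com
example-behind-cloudflare.net
"""

# Constructed password-manager export (assumed name,url,username columns).
ACCOUNTS_CSV = """\
name,url,username
OpenCarry forum,https://forum.opencarry.org/threads/123,alice
Bank,https://www.examplebank.com/login,alice
Blog,http://cdn.example-behind-cloudflare.net/,alice
Lookalike,https://notopencarry.org/,alice
"""


def load_affected(text):
    """Parse the list: one host per line; '#' comments and blanks ignored."""
    hosts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            hosts.add(line)
    return hosts


def host_of(url):
    """Hostname from a URL or bare host, lowercased, no trailing dot."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as a netloc
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_listed(host, affected):
    """True if the host or any parent domain is on the list.

    Walks label by label so forum.opencarry.org matches opencarry.org,
    while notopencarry.org (a different registrable domain) does not.
    The bare TLD is never checked.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in affected:
            return True
    return False


def accounts_to_rotate(csv_text, affected):
    """Return (name, host) pairs whose host is listed, in export order."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = host_of(row["url"])
        if host and is_listed(host, affected):
            hits.append((row["name"], host))
    return hits


if __name__ == "__main__":
    affected = load_affected(AFFECTED_LIST_TEXT)
    for name, host in accounts_to_rotate(ACCOUNTS_CSV, affected):
        print(f"rotate password: {name} ({host})")
```

A hit means the site was fronted by Cloudflare during the window, not that anything of yours leaked; as quoted above, the leak rate was about one in 3.3 million requests. Rotating a password is cheap, so treat every hit as worth acting on anyway.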

since9

Campaign Veteran
Joined
Jan 14, 2010
Messages
6,964
Location
Colorado Springs, Colorado, USA
I hadn't heard about the HTML tag vulnerability, that's good to know.

And yeah, Cloudflare certainly isn't serving all of the world's websites, so I doubt this is as big of an issue as some are claiming.

Can't argue that, except I feel that phpBB is worse in many ways, including security, than VBulletin. Of course, that's a pretty low mark to hit. My point was in how it was presented that VBulletin was the problem here (it wasn't) and that phpBB software was immune to the Cloudbleed (it isn't). According to the GitHub link you posted, it's primarily to do with HTML Rewrites enabled (done at the server level), and would allow access to info from sites that did NOT have Rewrites enabled.

What I do find interesting is that Opencarry.org, .com and .net are all on the list of possibly-affected websites, as you can see here: https://cloudbleedcheck.com/?domain=opencarry.org (it's also on the massive .txt file that is linked from the GitHub page).

Fair enough on all counts. :)
 