
So, the affected function, in includes/vb5/frontend/controller/bbcode.php was:

    function evalCode($code) {
        ob_start();
        eval($code);
        $output = ob_get_contents();
        ob_end_clean();
        return $output;
    }
... So anyone who looks at a codebase for eval would have found this. There is no doubt in my mind that when some people have claimed that this has been around for years... that it has definitely been around for years.

And as the fix is:

    // comment out. idk what it breaks but it's a fix for now
    //eval($code);
I don't think anyone even knows what the hell that eval was doing there in the first place.
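As an added example (not code from this thread or from vBulletin), here is a small Python audit script in the spirit of the comment above: it scans PHP source for eval() calls, ignores commented-out ones such as the vendor's fix, and flags calls whose argument is anything other than a plain string literal. The PHP input is a constructed sample modelled on the snippet quoted above.

```python
import re

# Constructed sample resembling the controller discussed in the thread: the
# live eval() from the original code, plus a "comment it out" fix further down.
SAMPLE_PHP = """<?php
class BBCode {
    function evalCode($code) {
        ob_start();
        eval($code);          // dynamic argument: whatever reaches $code runs as PHP
        $output = ob_get_contents();
        ob_end_clean();
        return $output;
    }
    function patched($code) {
        // comment out. idk what it breaks but it's a fix for now
        //eval($code);
        return EVAL('return 1 + 1;');   // constant literal: reported, but low risk
    }
    function not_eval($x) { return my_eval($x); }
}
"""

COMMENT = re.compile(r'//[^\n]*|#[^\n]*|/\*.*?\*/', re.DOTALL)
EVAL_CALL = re.compile(r'(?<![\w$])eval\s*\(', re.IGNORECASE)  # PHP keywords are case-insensitive
LITERAL = re.compile(r"^\s*(?:'(?:[^'\\]|\\.)*'|\"(?:[^\"\\$]|\\.)*\")\s*$")

def strip_comments(src):
    """Blank out comments but keep every newline so reported line numbers stay right.
    Heuristic: a '//' inside a string literal (e.g. a URL) is blanked as well."""
    return COMMENT.sub(lambda m: re.sub(r'[^\n]', ' ', m.group(0)), src)

def find_evals(src):
    """Return (line, argument, kind) for every eval() call in the PHP source.
    kind is 'literal' only when the argument is one string literal with no
    interpolation or concatenation; everything else is 'dynamic'."""
    code = strip_comments(src)
    hits = []
    for m in EVAL_CALL.finditer(code):
        depth, i = 1, m.end()
        while i < len(code) and depth:            # walk to the matching ')'
            depth += {'(': 1, ')': -1}.get(code[i], 0)
            i += 1
        arg = code[m.end():i - 1].strip()
        kind = 'literal' if LITERAL.match(arg) else 'dynamic'
        hits.append((code.count('\n', 0, m.start()) + 1, arg, kind))
    return hits

if __name__ == '__main__':
    for line, arg, kind in find_evals(SAMPLE_PHP):
        print(f"line {line}: eval({arg}) [{kind}]")
```

Parenthesis matching is a plain count and does not understand parentheses inside PHP string literals, so treat the output as a review worklist rather than a verdict.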



Oh yes, brings back memories from when I worked on vBulletin customizations over a decade ago. No doubt it is a remnant of the early plugin features, but also the hacks one had to employ with PHP before namespaces and a proper OOP structure were introduced. Eval in PHP was the go-to for sorting out versioning mishaps and adding a layer of abstraction when one didn't exist. It was the Swiss Army knife of making difficult problems disappear, so it makes sense to me that they had a specific method for this. Between versions 4 & 5 of PHP, depending on whatever VHost was chosen, eval was necessary sometimes just to start migrating over to version 5, because you could if...then...rewrite your eval("new code").


For those interested, you can find the all-important path to that eval in the discussion here: https://www.reddit.com/r/netsec/comments/d8q2dt/vbulletin_0d...

It's not a straightforward POST -> eval but goes through a few calls, which is probably why it wasn't discovered sooner.


vB has made heavy use of eval() for years; it's used through the bbcode parser, template and plugin features. I haven't dug into the vB5 code base much, my heavy use ended in the 4 range. But this hasn't been the first time it's been exploited, and I suspect won't be the last. When 5 was released we were already turned off to vB and its overall direction and settled on sticking with v4 until Xenforo matured more (the creators of which were original developers/architects of vB 1, 2, 3).


About 9 years ago I was working in ad operations for the owners of vBulletin (they were a large internet publisher). I had just read a basic book on Java to use the Dart API to automate a bunch of tasks with the remnant waterfall. I'd been at "hello world" a few months prior. I had never used PHP aside from installing WordPress.

When I gave notice, I was asked if I'd like to work on vBulletin as an engineer.

(Some good reading at https://vbtruth.com/category/company/vbulletin/ )



