Xenforo : no better than vbulletin ; certainly not all that different

Wednesday, 25 May, Year 8 d.Tr. | Author: Mircea Popescu

After the trashing delivered to vBulletin software recentlyi, some voices expressed privately their concern that really, xenforo is just as horrible.

Well, truth be told... it's not. It's much worse. For instance :

curl --cookie-jar - -A "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:20.0) Gecko
/20100101 Firefox/20.0" --data "do=login&url=%2Fusercp.php&vb_login_md5passw
ord=5156390a770193da8ab09ee49ea098a3&vb_login_md5password_utf=5156390a770193
da8ab09ee49ea098a3&s=2103425bcbb7d00c7a53d03d7ddebe95&securitytoken=21af1a47
1268d02b86ee418d42bf02b92a36e851&vb_login_username=julyston&vb_login_passwor
d=" http://www.pbnation.com/login.php?do=login

curl --cookie-jar - -A "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:20.0) Gecko
/20100101 Firefox/20.0" --data "login=hunignot&register=0&password=gangbang&
remember=1&cookie_check=1&_xfToken=&redirect=https%3A%2F%2Fxenforo.com%2Fcom
munity%2F" "https://xenforo.com/community/login/"

Above, the vBulletin login method, consisting of passing md5 (yes!) redundant (plain and utf8!) hashes of the password. Below, the xenforo method of passing... the paintext password. What's your preference, between md5 - thoroughly cracked a decade ago - and plaintext ?

They both result in the same single cookie being set, of course ; but the revered bbsessionhash as unique session identifier has been renamed to xf_session. That's pretty much it, and the notion that a court somewhere bought into the theory xenforo's anything but copy/pasted vBulletin is so ridiculous as could have come only only out of a court somewhere.

Moving on, enumeration of userspace works on entirely novel lines now :

for i in {129996..1}; do curl -v -o /dev/null "https://xenforo.com/community/members/sublimelinter.$i/" 2>&1 | grep "Loca" >> hurr.txt; done

Because aren't they fucking cool, putting the name in there, it'd almost have worked as a spacing method. Except it doesn't, and consequently

wc -l hurr.txt
7413 hurr.txt

We're only about 8% done spidering it seeing how we're proceeding rather lazily ; but should you receive a link to this article in the coming days explaining xenforo is a piece of shit... believe it. For it is true.

———
  1. Did you know that it costs ~an hour's time and ~a dime in electricity to send a quarter million emails to various people, as diverse as small outfitter shops in California or "outreach missions" of whatever obscure cultish neoprotestant nuts ?

    But did you know that the CTR of this impromptu "email campaign" is well over 3% ? Or that the cost of "getting traffic" is universally the same across the web ?

    Maybe there's a lot you don't know. []

Category: Meta psihoza
Comments feed : RSS 2.0. Leave your own comment below, or send a trackback.
Add your cents! »
    If this is your first comment, it will wait to be approved. This usually takes a few hours. Subsequent comments are not delayed.