Xenforo : no better than vbulletin ; certainly not all that different

Wednesday, 25 May, Year 8 d.Tr. | Author: Mircea Popescu

After the trashing delivered to vBulletin software recentlyi, some voices expressed privately their concern that really, xenforo is just as horrible.

Well, truth be told... it's not. It's much worse. For instance :

curl --cookie-jar - -A "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:20.0) Gecko
/20100101 Firefox/20.0" --data "do=login&url=%2Fusercp.php&vb_login_md5passw
d=" http://www.pbnation.com/login.php?do=login

curl --cookie-jar - -A "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:20.0) Gecko
/20100101 Firefox/20.0" --data "login=hunignot&register=0&password=gangbang&
munity%2F" "https://xenforo.com/community/login/"

Above, the vBulletin login method, consisting of passing md5 (yes!) redundant (plain and utf8!) hashes of the password. Below, the xenforo method of passing... the paintext password. What's your preference, between md5 - thoroughly cracked a decade ago - and plaintext ?

They both result in the same single cookie being set, of course ; but the revered bbsessionhash as unique session identifier has been renamed to xf_session. That's pretty much it, and the notion that a court somewhere bought into the theory xenforo's anything but copy/pasted vBulletin is so ridiculous as could have come only only out of a court somewhere.

Moving on, enumeration of userspace works on entirely novel lines now :

for i in {129996..1}; do curl -v -o /dev/null "https://xenforo.com/community/members/sublimelinter.$i/" 2>&1 | grep "Loca" >> hurr.txt; done

Because aren't they fucking cool, putting the name in there, it'd almost have worked as a spacing method. Except it doesn't, and consequently

wc -l hurr.txt
7413 hurr.txt

We're only about 8% done spidering it seeing how we're proceeding rather lazily ; but should you receive a link to this article in the coming days explaining xenforo is a piece of shit... believe it. For it is true.

  1. Did you know that it costs ~an hour's time and ~a dime in electricity to send a quarter million emails to various people, as diverse as small outfitter shops in California or "outreach missions" of whatever obscure cultish neoprotestant nuts ?

    But did you know that the CTR of this impromptu "email campaign" is well over 3% ? Or that the cost of "getting traffic" is universally the same across the web ?

    Maybe there's a lot you don't know. []

Category: Meta psihoza
Comments feed : RSS 2.0. Leave your own comment below, or send a trackback.

7 Responses

  1. Ciao a tutti vengo dall'italia / itawero

  2. Mircea Popescu`s avatar
    Mircea Popescu 
    Sunday, 10 November 2019

    Right, on a South Korean IP with a .pl email, vieni dall'Italia. Here's what we do : I approve your tester comment, and you get to spend however long it takes until you review your spamlist sending "comments" that don't get approved. Dork.

  3. Thank you very much for the invitation :). Best wishes.
    PS: How are you? I am from France :)

  4. hiiiiiii i am spider from Arg. I would to ask you what kind of games do you like playing?? My favourite games is diablo rpg

  5. Mircea Popescu`s avatar
    Mircea Popescu 
    Sunday, 14 February 2021

    There's like a whole section discussing this, you know ?

  6. Como se llamo esto i am from SPAIN

  1. [...] a kindergarten level text2 on the linux command line as companion reading to the more advanced examples of getting the most out of one's computers presented on Trilema. I've been covering my command line [...]

Add your cents! »
    If this is your first comment, it will wait to be approved. This usually takes a few hours. Subsequent comments are not delayed.