Xenforo : no better than vbulletin ; certainly not all that different

Wednesday, 25 May, Year 8 d.Tr. | Author: Mircea Popescu

After the trashing delivered to vBulletin software recentlyi, some voices expressed privately their concern that really, xenforo is just as horrible.

Well, truth be told... it's not. It's much worse. For instance :

curl --cookie-jar - -A "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:20.0) Gecko
/20100101 Firefox/20.0" --data "do=login&url=%2Fusercp.php&vb_login_md5passw
ord=5156390a770193da8ab09ee49ea098a3&vb_login_md5password_utf=5156390a770193
da8ab09ee49ea098a3&s=2103425bcbb7d00c7a53d03d7ddebe95&securitytoken=21af1a47
1268d02b86ee418d42bf02b92a36e851&vb_login_username=julyston&vb_login_passwor
d=" http://www.pbnation.com/login.php?do=login

curl --cookie-jar - -A "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:20.0) Gecko
/20100101 Firefox/20.0" --data "login=hunignot&register=0&password=gangbang&
remember=1&cookie_check=1&_xfToken=&redirect=https%3A%2F%2Fxenforo.com%2Fcom
munity%2F" "https://xenforo.com/community/login/"

Above, the vBulletin login method, consisting of passing md5 (yes!) redundant (plain and utf8!) hashes of the password. Below, the xenforo method of passing... the paintext password. What's your preference, between md5 - thoroughly cracked a decade ago - and plaintext ?

They both result in the same single cookie being set, of course ; but the revered bbsessionhash as unique session identifier has been renamed to xf_session. That's pretty much it, and the notion that a court somewhere bought into the theory xenforo's anything but copy/pasted vBulletin is so ridiculous as could have come only only out of a court somewhere.

Moving on, enumeration of userspace works on entirely novel lines now :

for i in {129996..1}; do curl -v -o /dev/null "https://xenforo.com/community/members/sublimelinter.$i/" 2>&1 | grep "Loca" >> hurr.txt; done

Because aren't they fucking cool, putting the name in there, it'd almost have worked as a spacing method. Except it doesn't, and consequently

wc -l hurr.txt
7413 hurr.txt

We're only about 8% done spidering it seeing how we're proceeding rather lazily ; but should you receive a link to this article in the coming days explaining xenforo is a piece of shit... believe it. For it is true.

———
  1. Did you know that it costs ~an hour's time and ~a dime in electricity to send a quarter million emails to various people, as diverse as small outfitter shops in California or "outreach missions" of whatever obscure cultish neoprotestant nuts ?

    But did you know that the CTR of this impromptu "email campaign" is well over 3% ? Or that the cost of "getting traffic" is universally the same across the web ?

    Maybe there's a lot you don't know. []

Category: Meta psihoza
Comments feed : RSS 2.0. Leave your own comment below, or send a trackback.

10 Responses

  1. Ciao a tutti vengo dall'italia / itawero

  2. Mircea Popescu`s avatar
    2
    Mircea Popescu 
    Sunday, 10 November 2019

    Right, on a South Korean IP with a .pl email, vieni dall'Italia. Here's what we do : I approve your tester comment, and you get to spend however long it takes until you review your spamlist sending "comments" that don't get approved. Dork.

  3. Thank you very much for the invitation :). Best wishes.
    PS: How are you? I am from France :)

  4. hiiiiiii i am spider from Arg. I would to ask you what kind of games do you like playing?? My favourite games is diablo rpg

  5. Mircea Popescu`s avatar
    5
    Mircea Popescu 
    Sunday, 14 February 2021

    There's like a whole section discussing this, you know ?

  6. Como se llamo esto i am from SPAIN

  7. Robertecori`s avatar
    7
    Robertecori 
    Wednesday, 9 June 2021

    FB friends spy is a facebook windows application that offers to its user’s information about their friends they cannot find in there profiles:
    1. Online presence information (offline/online) even if you are in offline chat mode.
    2. People most interested by them.
    3. People most interacting with them(on comments not messages , spying on messages is illegal and forbidden by facebook, so it is impossible to do, thank you for your understanding).
    4. latest Facebook statuses
    5. Places visited.
    6. Events attending or already participated in
    FB friend's spy will ask you for permissions to offer you the information you want, this information will and still be used only by you, it will not be used by anyone else.
    FB friend’s spy uses Facebook SDK to connect to Facebook, so users don’t have to worry about their private or secret information.

  8. Mircea Popescu`s avatar
    8
    Mircea Popescu 
    Wednesday, 9 June 2021

    Bwahahaha really, is it a facebookwindows application ?

    Listen its user's & there profile : who the fuck ever heard of an understandable spy that's legal ? Huh ? The fucking point of spying is to break laws, otherwise what the fuck are you even doing ?

    Wankbook wankdows wank application for wankers.

  9. Perhaps it's a wanclickation (this is not illegal, nor forbidden by facebook and therefore it is possible!)

  1. [...] a kindergarten level text2 on the linux command line as companion reading to the more advanced examples of getting the most out of one's computers presented on Trilema. I've been covering my command line [...]

Add your cents! »
    If this is your first comment, it will wait to be approved. This usually takes a few hours. Subsequent comments are not delayed.