Disabled Avatar/Image Upload to host (CloudFlare security)?

  • NachoVB
    New Member
    • Aug 2011
    • 6
    • 3.8.x

    Disabled Avatar/Image Upload to host (CloudFlare security)?

    Hello, I have CloudFlare to protect my site, it works as a proxy between my host and the internet, so it works as long as nobody knows the server IP. Uploading avatars or files compromises this security. I do not need attachments but I want avatars, is there a way/mod so they can use a URL to an external site AND NOT UPLOAD IT TO MY SERVER? I saw an "Enter URL" but it has the option "Or UPLOAD FROM YOUR COMPUTER" and I don't know how to disable that second option only. Also "Enter URL" should not retrieve and upload the image, it should just work like the "[IMG]" BBCode... or at least I should be able to choose from a restricted list of trusted image upload sites like tinypic, imgurl, etc.

    I searched everywhere for this and I can't believe nobody has this problem, CF (and DDoS) are super popular nowadays and this upload a file makes it 100% USELESS...

    If there is no way or mod for this functionality I will be willing to pay someone (something reasonable ofc) to mod it for me.

    Thanks.
  • NachoVB
    New Member
    • Aug 2011
    • 6
    • 3.8.x

    #2
    Isn't there a more active forum for asking support? I see there are hardly 5 threads a MONTH here...


    • Wayne Luke
      vBulletin Technical Support Lead
      • Aug 2000
      • 74111

      #3
      There is no security difference from Uploading from a URL or from their own computer. A user can take their exploit image and upload it to tinypic if they so choose to bypass uploading it from their computer. If you're worried about this then you would have to turn off the permission "Can Upload Custom Avatar". They wouldn't be able to add their own avatar at all.

      vBulletin 3.8 isn't actively supported at this time. We try to answer questions as they come up and some basic compatibility development has been performed but the software should be considered end of life for most purposes. Most people have upgraded to more feature-rich versions.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API


      • NachoVB
        New Member
        • Aug 2011
        • 6
        • 3.8.x

        #4
        Originally posted by Wayne Luke
        There is no security difference from Uploading from a URL or from their own computer. A user can take their exploit image and upload it to tinypic if they so choose to bypass uploading it from their computer. If you're worried about this then you would have to turn off the permission "Can Upload Custom Avatar". They wouldn't be able to add their own avatar at all.

        vBulletin 3.8 isn't actively supported at this time. We try to answer questions as they come up and some basic compatibility development has been performed but the software should be considered end of life for most purposes. Most people have upgraded to more feature-rich versions.
        It's not the picture that is the problem... it's the upload process: an attacker sets up some server, uploads from that server to our forum, then checks the connecting IPs and finds OUR FORUM'S IP and with that he can bypass CloudFlare and DDoS the site. We want custom avatars, we just don't want to allow UPLOADING to OUR host. It doesn't matter what they link to as long as our machine doesn't do any remote downloads to untrusted sites.

        Does vB5 support this? I will gladly upgrade if it does, I am only using 3.8 because I see little difference with 5, a lot of options aren't relevant to me, like site builder, etc.


        • Paul M
          Former Lead Developer
          vB.Com & vB.Org
          • Sep 2004
          • 9886

          #5
          Originally posted by NachoVB
          Isn't there a more active forum for asking support? I see there are hardly 5 threads a MONTH here...
          Which surely is a good thing, it means everyone is fine and doesn't need any support.
          Baby, I was born this way


          • Wayne Luke
            vBulletin Technical Support Lead
            • Aug 2000
            • 74111

            #6
            Originally posted by NachoVB

            It's not the picture that is the problem... it's the upload process: an attacker sets up some server, uploads from that server to our forum, then checks the connecting IPs and finds OUR FORUM'S IP and with that he can bypass CloudFlare and DDoS the site. We want custom avatars, we just don't want to allow UPLOADING to OUR host. It doesn't matter what they link to as long as our machine doesn't do any remote downloads to untrusted sites.

            Does vB5 support this? I will gladly upgrade if it does, I am only using 3.8 because I see little difference with 5, a lot of options aren't relevant to me, like site builder, etc.
            Whether they upload from a URL or upload from their computer, it uploads to your server. vBulletin does not support remote Avatars in any version. vBulletin doesn't download to any site under any circumstance.

            • NachoVB
              New Member
              • Aug 2011
              • 6
              • 3.8.x

              #7
              Originally posted by Wayne Luke

              Whether they upload from a URL or upload from their computer, it uploads to your server. vBulletin does not support remote Avatars in any version. vBulletin doesn't download to any site under any circumstance.
              Is there a way to allow only some trusted URLs to upload from (and of course not from the user's PC)? Or a mod? Or at least a way I can do it myself? I can't use avatars in my forum with my reverse proxy (CloudFlare) because of this ONE problem... I can't believe you can't do the same as with signatures and allow them to post a link without also uploading to our host.


              • Mark.B
                vBulletin Support
                • Feb 2004
                • 24287
                • 6.0.X

                #8
                Originally posted by NachoVB

                Is there a way to allow only some trusted URLs to upload from (and of course not from the user's PC)? Or a mod? Or at least a way I can do it myself? I can't use avatars in my forum with my reverse proxy (CloudFlare) because of this ONE problem... I can't believe you can't do the same as with signatures and allow them to post a link without also uploading to our host.
                There is no way to do this.
                You would be looking at paying a third party coder to achieve it.

                Personally, I just wouldn't bother with Cloudflare. It's almost always more trouble than it's worth.
                MARK.B
                vBulletin Support
                ------------
                My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
                My Unofficial vBulletin Cloud Demo: https://www.adminammo.com
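
The behaviour asked for in posts #1 and #7 (accept an avatar link only from an allow-list of image hosts, and never fetch it from the forum server) could be validated as in the sketch below. This is an added example, not vBulletin code and not something posted in this thread; the function names and the two allow-listed hosts are hypothetical placeholders.

```php
<?php
// Added example, not vBulletin code. Hosts are constructed placeholders.
const AVATAR_HOSTS = ['img.trusted-one.example', 'cdn.trusted-two.example'];
const AVATAR_EXTS  = ['png', 'jpg', 'jpeg', 'gif'];
// Returns a URL safe to store as a remote avatar, or null to reject it.
// String checks only: no DNS lookup and no HTTP request, so the origin
// server never opens a connection to the host the user submitted.
function remote_avatar_url(string $input): ?string {
    $url = trim($input);
    // Reject control characters, spaces and backslashes, which URL parsers treat differently.
    if ($url === '' || strlen($url) > 2048 || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return null;
    }
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'], $p['path'])) {
        return null;
    }
    // HTTPS only, no credentials ("https://trusted@other/"), no explicit port.
    if (strtolower($p['scheme']) !== 'https' || isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return null;
    }
    // Exact host match, never a suffix or substring match.
    $host = rtrim(strtolower($p['host']), '.');
    if (!in_array($host, AVATAR_HOSTS, true)) {
        return null;
    }
    $ext = strtolower(pathinfo($p['path'], PATHINFO_EXTENSION));
    if (!in_array($ext, AVATAR_EXTS, true)) {
        return null;
    }
    return 'https://' . $host . $p['path']; // query string and fragment dropped
}

// The visitor's browser fetches this tag's src; the forum host does not.
function avatar_img_tag(string $storedUrl): string {
    return '<img src="' . htmlspecialchars($storedUrl, ENT_QUOTES, 'UTF-8') . '" alt="avatar">';
}

// Constructed sample submissions: only the first is accepted.
$samples = [
    'https://img.trusted-one.example/u/42/face.png',
    'http://img.trusted-one.example/u/42/face.png',
    'https://img.trusted-one.example@collector.example/face.png',
    'https://img.trusted-one.example.collector.example/face.png',
];
foreach ($samples as $s) {
    $ok = remote_avatar_url($s);
    echo ($ok === null ? "REJECT $s" : 'ACCEPT ' . avatar_img_tag($ok)) . PHP_EOL;
}
```

The check only decides what gets stored; wiring it into the avatar form and disabling the upload path is the custom modification work that post #8 refers to.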


                • Paul M
                  Former Lead Developer
                  vB.Com & vB.Org
                  • Sep 2004
                  • 9886

                  #9
                  Even if you did this, you are just deluding yourself if you think people doing any kind of serious DDOS could not find your server's IP. There are always ways.

                  • NachoVB
                    New Member
                    • Aug 2011
                    • 6
                    • 3.8.x

                    #10
                    There is no way to do this.
                    You would be looking at paying a third party coder to achieve it.

                    Personally, I just wouldn't bother with Cloudflare. It's almost always more trouble than it's worth.
                    No, trust me, it works. Maybe I should ask in the modifications forum for this feature? Which version of vB is most supported by mods? On vB.org I see the vB 3 subforum has far, far, FAR more posts (277k vs vB 5.0's 4k...) than 4.0 and especially 5.0, so it seems to be the most popular for modding...

                    Originally posted by Paul M
                    Even if you did this, you are just deluding yourself if you think people doing any kind of serious DDOS could not find your server's IP. There are always ways.
                    Yes, I expected someone would say that, they always do. We had attacks 24/7 for years by our competitors, the MOMENT I switched CF (a few months ago) the attacks stopped dead in their tracks. The other day I disabled CF under-attack mode (which prevents attacks via bots on the forum), and a few hours later I was with a "Current active users 28.000+" on my forum ¬¬, CF back on, attack off in minutes. So no, they couldn't find the IP. I only host this forum (a pretty large one with 4 million posts) so it's not like there is an infinite amount of ways to find the IP, if you disable mailing, uploading and a few PHP functions it's very hard ....


                    • Replicant
                      Senior Member
                      • Sep 2014
                      • 527

                      #11
                      Your answer was on Post #8
                      Originally posted by Mark.B

                      There is no way to do this.
                      You would be looking at paying a third party coder to achieve it.
                      If you need a mod to do something the software isn't designed to do, ask on vbulletin.org.

                      As far as mods go VB3 and VB4 have tons of mods. VB5 has the most security built in. Most VB5 mods are on a per site basis and are custom coded as such.
                      As far as getting your IP address goes, post a link to your site. I'd like to try.
                      Last edited by Replicant; Thu 16 Jun '16, 7:42pm.



                      • Wayne Luke
                        vBulletin Technical Support Lead
                        • Aug 2000
                        • 74111

                        #12
                        Takes all of 10 seconds to get the IP to his site. However, it does get redirected to Cloudflare when accessed via HTTP. But you can probably saturate his site with it making non-http requests if you actually know what you're doing.

                        If you've been under attack for years, you probably should look into tools like mod_security and other tools to remove the threat permanently. Your hosting provider can also update router rules to kick that off into dead space before it saturates the network. Surprised they haven't complained about your site degrading services if it is that bad.
                        Last edited by Wayne Luke; Fri 17 Jun '16, 9:57am.

                        • Paul M
                          Former Lead Developer
                          vB.Com & vB.Org
                          • Sep 2004
                          • 9886

                          #13
                          Originally posted by NachoVB
                          Yes, I expected someone would say that, they always do.
                          Because it's true.


                          • NachoVB
                            New Member
                            • Aug 2011
                            • 6
                            • 3.8.x

                            #14
                            Sorry, I had some problems these last weeks

                            Originally posted by Wayne Luke
                            Surprised they haven't complained about your site degrading services if it is that bad.
                            Because it's a dedicated server machine all for ourselves... also the 25.000+ "members" online spam only saturates vB, I can log in to my FTP or SSH....


