Combating IP-logging scripts that bypass CloudFlare and Incapsula.

  • mentalrz
    Senior Member
    • Sep 2004
    • 538
    • 1.1.x

    Combating IP-logging scripts that bypass CloudFlare and Incapsula.

    Hi

    It recently came to my attention that the majority, if not all, of the websites that are behind CF or Incapsula get their IP leaked by image retrievals (plus mail servers and so on...). vBulletin has two methods: 1. retrieve by URL and 2. upload from HDD. Option 1 is the offender, and so the simple solution is to just remove all code of it from the template. Wrong! You're still able to edit the HTML from your browser and inject the code, which just nullifies this method.

    The real way to fix it would be to edit class_upload.php, particularly the following: uploadurl. One of the problems that I came across is that even attempting to remove any possible reference to uploadurl causes all uploading to break, so in the meantime I've just totally removed the file until a working fix is found.

    Any suggestions on 100% stopping image retrieval from URLs? It's a killer!
  • Zachery
    Former vBulletin Support
    • Jul 2002
    • 59097

    #2
    Disable allow_url_fopen and curl in your PHP.

    • mentalrz
      Senior Member
      • Sep 2004
      • 538
      • 1.1.x

      #3
      I did this before posting this thread. I disabled fopen in PHP and removed all curl options in the code, and it still didn't fix the problem.
      EDIT

      I need curl
      Last edited by mentalrz; Tue 29 Jul '14, 1:47pm.

      • Zachery
        Former vBulletin Support
        • Jul 2002
        • 59097

        #4
        Your next choice is to either use plugins to disable the remote fetching or make code modifications.

        I bet if you wanted to, it wouldn't be hard to add another machine to act as a relay to fetch the data you want safely.

        • mentalrz
          Senior Member
          • Sep 2004
          • 538
          • 1.1.x

          #5
          Originally posted by Zachery
          Your next choice is to either use plugins to disable the remote fetching or make code modifications.

          I bet if you wanted to, it wouldn't be hard to add another machine to act as a relay to fetch the data you want safely.
          Well, I got some huge stuff going on for my site atm, so this really won't be an issue, but it still would be nice to get resolved for other people. I'll look into it further and share what I find.

          • mentalrz
            Senior Member
            • Sep 2004
            • 538
            • 1.1.x

            #6
            Found a workaround which doesn't break Facebook integration! Was quite simple! Noticed vBulletin had two checks in order to disable remote retrieval, so I just simply removed curl.

            In php.ini set

            Code:
            allow_url_fopen = Off
            allow_url_include = Off
            In includes/class_upload.php find

            Code:
            if (ini_get('allow_url_fopen') == 0 AND !function_exists('curl_init'))
            and change to

            Code:
            if (ini_get('allow_url_fopen') == 0)

            Sorted


            vbulletin.org: http://www.vbulletin.org/forum/showthread.php?t=313353
            Last edited by mentalrz; Wed 30 Jul '14, 12:49pm.
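
The relay suggested in post #4, as an added example (not vBulletin code and not written by anyone in this thread): remote images are fetched with cURL through an egress proxy on a separate machine, so the remote host logs the relay's address rather than the origin server's. `RELAY_PROXY`, `MAX_BYTES` and `fetch_image_via_relay` are hypothetical names, and the proxy itself is assumed to exist already and to refuse requests to internal addresses.

```php
<?php
// Added example, not vBulletin code. RELAY_PROXY is a hypothetical placeholder
// for an egress proxy running on a separate machine.
const RELAY_PROXY = 'http://relay.example.internal:3128';
const MAX_BYTES   = 2097152; // 2 MiB cap on the downloaded image

// Fetch a user-supplied image URL through the relay so the remote host
// logs the relay's address instead of the origin server's.
function fetch_image_via_relay(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http and https URLs are accepted');
    }

    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROXY          => RELAY_PROXY,  // all traffic leaves via the relay
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,        // no redirects to unexpected targets
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        // Collect the body and abort the transfer once it exceeds the size cap.
        CURLOPT_WRITEFUNCTION  => function ($ch, $chunk) use (&$body) {
            $body .= $chunk;
            return strlen($body) > MAX_BYTES ? 0 : strlen($chunk);
        },
    ]);
    $ok     = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $error  = curl_error($ch);
    curl_close($ch);

    if ($ok === false || $status !== 200) {
        throw new RuntimeException("Fetch failed (HTTP $status): $error");
    }
    // Accept the response only if it parses as an image.
    if (@getimagesizefromstring($body) === false) {
        throw new RuntimeException('Response is not a recognisable image');
    }
    return $body;
}

// Usage from the command line: php fetch.php https://example.com/avatar.png
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo strlen(fetch_image_via_relay($argv[1])), " bytes fetched via relay\n";
}
```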
