Maintaining a Forum like ours requires vigilance. Not just keeping an eye on things, but being aware of what could happen; of possible threats.
We have been protected by ZB Block for just over four years now, and it does an outstanding job of preventing spam and spammers from getting in. But running it also presented an issue a while ago, due to the content of Thread/Post Titles. Basically, there are times when ZB Block 'sees' the content of certain Thread Titles and/or the action being performed on these threads (a search query, either external or internal; Moderator/Administrator actions on multiple posts/threads) as a possible SQL Injection attack and prevents the action. The normal fix was to temporarily disable ZB Block and perform the required action. Not a deal breaker, but still a minor PITA.
So, to address this, I had a vBulletin Plugin written for us and installed today. It does nothing more than restrict Titles in Threads or Posts to alphanumeric characters, i.e., a through z (upper and lower case) and 0 through 9. This simple modification should almost completely eliminate this problem. Use of non-alphanumeric characters in the body of posts is unaffected.
Am I being overprotective? It could be said I am. But I have had to deal with this issue here more than once, so it was a problem looking for a solution.
Added 01-01-2017:
Well, best of intentions you know. I've temporarily disabled this modification. I discovered, and reported to the author of the MOD, that it was being triggered in our Help the New Guy forum due to requiring Thread Prefixes, a feature of vBulletin that I had enabled for that forum (which I also have temporarily disabled).