vBulletin – posts redirecting to content.php

Ran into an interesting issue on vBulletin today where a single user’s posts redirected to foobar.com/vbulletin-path/content.php instead of foobar.com/vbulletin-path/showthread.php?21589-Title-Of-My-Post. What we knew at the time was that it appeared limited to a single user, and to two of their posts (but none of their other 100’s of posts). Or at least nobody else was complaining and we couldn’t replicate it on a spot-check of 100 other posts. Further, functionality worked fine in Tapatalk and, as it appeared anyways, as one would shorten the posts to “random” shorter lengths it would work as well. I.e. one post worked if you shortened the URL by 10 characters, say: “foobar.com/vbulletin-path/showthread.php?21589-Title-” instead of “foobar.com/vbulletin-path/showthread.php?21589-Title-Of-My-Post”, and another if you went 22 characters shorter or more. Further, it was not OS specific nor browser specific. Every OS and browser I could get my hands on replicated it. The posts look innocent enough. This isn’t exact verbiage, but an alternative example of the thread title/links that were doing it was:


Title: “Visited LFS (Local Fish Store) today” resulting in a link of:
showthread.php?22223-Visited-LFS-(-Local-Fish-Store-)-today


and


Title: “Update of my Aquarium” resulting in a link of:
showthread.php?22222-Update-of-my-Aquarium


The first post would work if one shortened it to:
showthread.php?22223-Visited-LFS-(-Local-Fish-Store-
or shorter, all the way down to:
showthread.php?22223


The second post would work if one shortened it to:
showthread.php?22222-Updat
or shorter, all the way down to:
showthread.php?22222


Even disabling hooks and practically re-installing the entire site’s forums didn’t help. Nothing in the access_log or error_log indicated anything either.


Ultimately, the issue proved to be mod_security in Apache. In particular, there were a couple different violations.


For the issue:
Title: “Update of my Aquarium” resulting in a link of:
showthread.php?22222-Update-of-my-Aquarium


OWASP’s Mod Security rule #981247 prevented the term ‘Update’ (among other key SQL terms such as union|delete|select|etc.) directly after a number and dash. Or in vBulletin terms, as the first word of the post. (There are obviously other ways this could be violated, but this is what triggered it in this case.) Rather than simply deleting this rule, I modified the regular expression behind this rule as:





Which relaxed this rule a little bit and allowed such forum titles.


For the issue:
Title: “Visited LFS (Local Fish Store) today” resulting in a link of:
showthread.php?22223-Visited-LFS-(-Local-Fish-Store-)-today


This violated OWASP’s Mod Security rule #981261. Knowing this, I saw that this rule was being ‘violated’ all the time in vBulletin and ultimately I disabled this rule due to the sheer quantity of false hits it was causing.

Leave a Reply

Your email address will not be published. Required fields are marked *