How to stop CloudFlare / Incapsula bypass for vBulletin.

  1. #1
    MentaL (Administrator)

    Hi,

    There are a few methods to bypass CloudFlare's and Incapsula's protection to get the originating server IP, the first being mail server headers (so what I do is use a third-party server with modified mail headers that remove the sender IP, which would be the server we are trying to protect) and the second is vBulletin's image retrieval.

    At the moment vBulletin has the following:


    • avatar image retrieval
    • profile image retrieval
    • album image retrieval
    • ... etc


    This is bad! Anyone could simply use an IP logger such as this and then insert the fake image into the URL field; downloading it would grab the source IP, bypassing CF/Incapsula. What I was originally doing was editing the template and removing option 1 (the ability to retrieve image URL), but as it turns out this is no good, because you can just inject the original code using Firebug or element inspector and pretend nothing was ever gone! I did this for months until it was brought to my attention two days ago!

    The workaround.

    We need to disable the following in php.ini (really only the fopen but include stops offsite injections).

    Code:
    allow_url_fopen = Off
    allow_url_include = Off
    And secondly we need to disable cURL. We could use disable_functions and add curl_init, but then this would disable the Facebook integration that's pre-built within vBulletin! Not good! So, to combat this we do the following:

    Edit includes/class_upload.php

    find

    Code:
    if (ini_get('allow_url_fopen') == 0 AND !function_exists('curl_init'))
    replace with

    Code:
    if (ini_get('allow_url_fopen') == 0)
    Sorted! Since all vBulletin base upload and image retrievals go through this class, it's effectively site-wide, stopping any automatic retrievals and disabling the usage of IP image loggers.

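A check for the two changes in the first post, as an added example that is not part of the original thread: it reads a php.ini for the effective `allow_url_fopen` / `allow_url_include` values and confirms `includes/class_upload.php` no longer carries the cURL fallback condition. The function names and the sample files are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: audit the php.ini and class_upload.php changes from the post.
# Function names are hypothetical; the sample files below are constructed.

# Print the effective (last) value of KEY in a php.ini-style FILE, lowercased.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;]*\).*/\1/p" "$1" |
        tail -n 1 | tr -d "\"' \t\r" | tr '[:upper:]' '[:lower:]'
}

# Succeed if KEY is effectively off in FILE. DEFAULT is PHP's built-in value,
# used when the file never sets the key (allow_url_fopen defaults to on).
ini_is_off() {
    if grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"; then
        v=$(ini_value "$1" "$2")
    else
        v=$3
    fi
    case $v in off|0|false|no|none|null|'') return 0 ;; *) return 1 ;; esac
}

# Succeed if the file has the edited condition from the post: the curl_init
# test is gone and the allow_url_fopen test on its own is present.
upload_class_patched() {
    ! grep -Fq "== 0 AND !function_exists('curl_init')" "$1" &&
        grep -Fq "if (ini_get('allow_url_fopen') == 0)" "$1"
}

# Report each check; return non-zero if any hardening step is missing.
audit() {
    rc=0
    ini_is_off "$1" allow_url_fopen on    || { echo "FAIL allow_url_fopen is on"; rc=1; }
    ini_is_off "$1" allow_url_include off || { echo "FAIL allow_url_include is on"; rc=1; }
    upload_class_patched "$2" || { echo "FAIL class_upload.php still has the cURL fallback"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK remote image retrieval is disabled"
    return "$rc"
}

# Constructed sample files (not real vBulletin source) for a stand-alone run.
demo_dir=$(mktemp -d)
printf '%s\n' '; allow_url_fopen = Off' 'allow_url_fopen = On' \
    'allow_url_fopen = Off ; last assignment wins' > "$demo_dir/php.ini"
printf '%s\n' "if (ini_get('allow_url_fopen') == 0 AND !function_exists('curl_init'))" \
    > "$demo_dir/class_upload.php"
audit "$demo_dir/php.ini" "$demo_dir/class_upload.php" || true
```

Run it against the php.ini that the web server's PHP actually loads, and again whenever `includes/class_upload.php` is replaced, since restoring the stock file undoes the edit.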


  2. #2
    MentaL (Administrator)

    Re: How to stop CloudFlare / Incapsula bypass for vBulletin.

    Also, I'll put up a tutorial soon on how to modify the mail headers of exim so it will hide the originating IP. With this method you can also spoof the sender's server, but that's not advisable as it could get you blacklisted. Also, that mail server will need to be offsite, but any old $10 a year VPS will do!