

VBulletin: Why should you pay when security ain't really better - backslash
http://www.stopthehacker.com/2010/02/08/analyzing-popular-cmss-are-vbulletin-users-at-risk/

======
duskwuff
Wait, this is complete bullshit. "JQuery has been known to be targeted by
malicious hackers as a code-injection delivery mechanism"? _Really_?!

Security scanning is valuable, to be sure, but:

- Not all old versions of software are vulnerable. Commercial PHP boards like
vBulletin typically charge for major updates, but continue to patch older
versions for security issues.

- Containing iframes or loading JQuery is not a sign of vulnerabilities. If
it's anything, it's a sign that the forums being investigated have revenue. :)

- The actual results (no forums examined were listed by GSB, or contained
malicious iframes) are completely counter to the conclusions ("there many
vulnerable installations of vBulletin which can fall prey to malicious
hackers").

