Important: It is all about trust
Marco van Herwaarden
05-15-2006, 08:59 AM
Most of our members are using vBulletin to provide a Forum on their website(s). What are the reasons people have chosen vBulletin over other similar solutions? There can be many answers to this, but I think there is one that will be on everyone’s list: Trust.
You have bought software from a company that you trust, you are confident that they will provide you with quality software, with no known security issues. If a security issue is found, you’re confident that it will be addressed as soon as possible. Knowing this you can concentrate on your community, instead of being worried about security issues.
As your community grows you will find that you have needs for non-standard functionality, or just extras that will put your community ahead of your competition. Now here vBulletin.org comes into the picture.
Where the vBulletin software itself is created, maintained and supported by ‘professionals’, the vBulletin.org community relies solely on volunteer coders. This gives enthusiast coders the opportunity to contribute to the community and enhance the vBulletin product, making the life of running your own community easier.
Where the coders on vBulletin.org might give you professional solutions, they are on some level anonymous; it is not a company that has much to lose in case of a broken trust relationship. They will offer you software solutions, often free of charge, for your Board that you might install without ever seeing (all) of the code that is getting installed on your server. This is even more true with vBulletin 3.5 where most modifications are done by simply installing a product file, instead of manually doing code changes.
Now where is this post going? You install probably numerous modifications on your board, provided by different coders. By installing software, you give total control of your board in the hands of these ‘anonymous’ coders. This requires a high level of trust towards them.
Where common sense, reading other users responses and testing on a Test Board can prevent you from disasters caused by coding errors (hey we are all human) or differences in the environment, there is another vulnerability that you cannot so easily protect yourself against: Hidden functionality in the installed modification.
Hidden functions that are not documented and/or disclosed by the author can lead to a lot of things, I will try to sum up a few that are possible, some ‘innocent’, some with possible severe consequences. Some possible examples:
- A backdoor into your AdminCP
- Mailing admin passwords to the author's account.
- Call-home functions
- Usage tracking
- Disruption of service or data
- Any other technique that is used in Spyware/Malware type of software.
The stand of vBulletin.org Staff is that our members should be able to completely trust the solutions offered here as much as possible. This means that we will not tolerate any form of hidden functionality, since that is the only way we can keep the trust of the members using these solutions.
The reason for this thread is that, to our own shame, we recently received reports that there are coders who do incorporate hidden functionalities in their modifications. Luckily the type of hidden functions could be considered as relatively harmless, but we will nevertheless not tolerate this. I would like to emphasize that this did not send any security or privacy related information, nor did it in any way break the security of your site.
The discovered hidden functionalities were aimed at a backdoor in the services of vBulletin.org itself, and have by now been closed. The effect of this functionality will be corrected by us soon. There have been no negative effects on the boards that are using any of these modifications.
From the time of this post on we will take the following actions upon discovery of such modifications:
- All users who have clicked Install for this modification will be notified about the issue.
- The offending modification will be withdrawn immediately.
- Depending on the severity, all modifications submitted by this author could be withdrawn immediately, and the user account of the author could be closed.
- Admin will contact the author by mail to inform him and hear his/her side of the story.
The vBulletin.org team wants to apologize for any breach of trust this has caused. We hope that our members will be confident that we are addressing these issues seriously and as well as we can and that you can continue to have a trust relation with the authors that offer solutions here at vBulletin.org.
vBulletin.org Team
Marco van Herwaarden
05-15-2006, 08:59 AM
To all the coders that have currently released modifications that contain such hidden functionality: you are given until June 1st to either remove your modifications or to upload a new version. All modifications found after June 1st with hidden functionality will be addressed according to the steps outlined above!
Staff is still discussing how to handle the benefits that these authors had from releasing this code. Expect the Staff to come with a decision on this soon.
Lottis
05-15-2006, 09:35 AM
Is there any possibility that we can get informed which hacks this is meant to be?
Or that the coders can inform in the hacks that this is happening in their hacks?
The Geek
05-15-2006, 09:41 AM
wow, my curiosity is killing me!
theArchitect
05-15-2006, 09:44 AM
The reason for this thread is that, to our own shame, we recently received reports that there are coders who do incorporate hidden functionalities in their modifications.
Thanks for raising this. Adding hidden functions to hacks is very uncool.
I am glad you have raised this Marco and for what it is worth you and the vBorg staff have my full support in this.
Darat
05-15-2006, 09:54 AM
Will you be providing a list of all such (known) hacks - some people may not have clicked on install? I think I have for all the hacks I've installed BUT I'd rather be certain.
Marco van Herwaarden
05-15-2006, 09:58 AM
Is there any possibility that we can get informed which hacks this is meant to be?
Or that the coders can inform in the hacks that this is happening in their hacks?
At this time Staff has not decided yet if we will name the Hacks/Authors involved in public. Like mentioned before the found issues don't cause any real harm to the users, if it would have harmed users, we would already have disclosed it probably.
Coders are always free to inform the users in their hack threads, but then it wouldn't be hidden functionality anymore ;)
Rickie3
05-15-2006, 10:04 AM
What hack in question should we be wary of, please??
Marco van Herwaarden
05-15-2006, 10:10 AM
Like mentioned before, we will not disclose this at the present time. Maybe we will disclose it later.
Alan @ CIT
05-15-2006, 10:37 AM
You've even got me interested now :D Can you give us further details of what the "hidden function" was? Without revealing the name of the hack/author of course.
ie, did it just do usage tracking? increase the hack thread view count? send an e-mail to the author saying where it had been installed? etc? :)
Thanks,
Alan.
Marco van Herwaarden
05-15-2006, 10:47 AM
Sorry but that is information that I cannot disclose at this point.
If it would have sent the author an email where it was installed, we would have considered this as a serious breach of personal confidentiality, and would have taken immediate stronger measures.
Darat
05-15-2006, 11:02 AM
I know you've replied about not being decided about whether to release the details of hacks with known "back-doors" etc.
However I would like to ask in the strongest possible terms that you do release the information. As you say this is about trust as much as anything else and whilst I can understand it may cause some upset among the coders that coded these hacks however (in this instance) they should not be the primary concern. Especially since it is, to be blunt, their actions that have led to the trust that was built up here being damaged, albeit that I'm sure none of them did it with the intention of causing any such problems.
I strongly believe your primary concern should be in regaining the trust of the vast majority of people such as myself. Many people will lose trust in both vBulletin.org and vBulletin itself (because of the link between the two) if everything isn't not only done to rectify this situation, but also is seen to be done. Transparency, when possible, is always the best way to build trust.
Please give this some consideration.
(Edited to add: I said "back-doors" in the above, I wasn't meaning to imply backdoors into the forums that used the hacks.)
Edit MarcoH64: To make it very clear to others reading this: The current issue does not involve a back-door into your forum! If such a thing would have been the case, we would have reacted stronger.
Bhuwan
05-15-2006, 11:13 AM
There should be a hall of shame...
Darat
05-15-2006, 11:27 AM
I don't think it should be about taking any terrible punitive actions against anyone - according to MarcoH64 these are not hidden features that could cause problems to the majority of us.
However there is the matter of trust - a hack installed from here has the potential to be of concern for quite literally hundreds of thousands of people (considering how many people are members of vBulletin powered forums worldwide that might be an understatement).
Jelsoft have (in my opinion) a great reputation for dealing with security issues in their core product in a timely and professional manner - it would be unfortunate for that to be tarnished via this forum, even unintentionally.
Delphiprogrammi
05-15-2006, 11:37 AM
hmmmmmz,
I have a few here. It wouldn't even cross my mind to do a thing like that. Marco, are you serious, do people really create a hack that does things like you mentioned above? Then they can't be punished hard enough. A lifetime ban from vbulletin.com and vbulletin.org and immediate licence deactivation would be a good idea.
Argh, that people even think about that, maybe they are IPB spies ;)
Marco van Herwaarden
05-15-2006, 11:47 AM
The fact that you install any software could always possibly open you to unknown harmful actions by the coder of that software. This is not really something new.
We have (until now) never found any hacks released here that had harmful hidden features. My list is what could possibly happen if someone means harm.
PS Even if it is said as a joke, it doesn't look good on us if we would abuse this issue to spread negative feelings about a competitor in the forum business, and I would like to ask all not to make such comments anymore.
Let's stick to comments about our own community.
amykhar
05-15-2006, 11:48 AM
you know, any of you who know how to read php could always go read the code in the product installs and such and know immediately who is calling external functions from the code. You don't need staff to tell you who the bad guys are.
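The review suggested in the post above can be partly automated. The following is an added example, not part of the original thread and not vBulletin or vBulletin.org tooling: it walks every text node of a product XML file and flags lines that open network connections, load remote files, embed absolute URLs, or decode hidden payloads. The sample product is constructed; its element layout (`installcode`, `phpcode`, `plugin`/`title`) is an assumption about the product-file format, and the hosts are placeholders.

```python
import re
import xml.etree.ElementTree as ET
from typing import Iterator, List, NamedTuple, Tuple

# Constructed sample. Element names are an assumed layout for a product
# file; the *.example.invalid hosts are placeholders, not real indicators.
SAMPLE_PRODUCT = """<product productid="example_mod" active="1">
  <title>Example Mod</title>
  <codes>
    <code version="1.0">
      <installcode><![CDATA[
echo '<img src="http://hacks.example.invalid/install.php?id=0" width="1" />';
]]></installcode>
      <uninstallcode />
    </code>
  </codes>
  <plugins>
    <plugin active="1">
      <title>Show banner</title>
      <hookname>global_start</hookname>
      <phpcode><![CDATA[
$show['example_banner'] = true;
]]></phpcode>
    </plugin>
    <plugin active="1">
      <title>Stats</title>
      <hookname>global_complete</hookname>
      <phpcode><![CDATA[
$fp = @fsockopen('stats.example.invalid', 80);
]]></phpcode>
    </plugin>
  </plugins>
</product>
"""


class Finding(NamedTuple):
    location: str   # element path inside the product file
    line: int       # line number within that element's text
    rule: str
    match: str


# Each rule marks a line a human should read; none is proof of bad intent.
# eval() is left out on purpose: PHP forum code commonly uses it to render
# templates, so flagging it would bury the useful hits.
RULES = [
    ("network-call", re.compile(
        r"\b(?:p?fsockopen|curl_init|curl_exec|stream_socket_client|mail)\s*\(",
        re.I)),
    ("remote-file", re.compile(
        r"\b(?:file_get_contents|fopen|readfile|file|"
        r"include(?:_once)?|require(?:_once)?)\b[^;\n]*?(?:https?|ftp)://",
        re.I)),
    ("external-url", re.compile(r"(?:https?|ftp)://[^\s'\"<>)]+", re.I)),
    ("obfuscation", re.compile(
        r"\b(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
]


def _walk(elem: ET.Element, path: List[str]) -> Iterator[Tuple[str, str]]:
    """Yield (path, text) for every element, naming plugins by their title."""
    label = elem.tag
    title = elem.findtext("title")
    if elem.tag == "plugin" and title:
        label = f"plugin[{title}]"
    here = path + [label]
    yield "/".join(here), elem.text or ""
    for child in elem:
        yield from _walk(child, here)


def audit_product(xml_text: str) -> List[Finding]:
    """Return every line in the product file that matches a rule."""
    # The file is untrusted input: a product file has no need for a DTD,
    # so refuse one rather than let the parser expand entities.
    if re.search(r"<!(?:DOCTYPE|ENTITY)", xml_text, re.I):
        raise ValueError("DTD/entity declarations not expected in a product file")
    root = ET.fromstring(xml_text)
    findings = []
    for location, text in _walk(root, []):
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, pattern in RULES:
                hit = pattern.search(line)
                if hit:
                    findings.append(Finding(location, lineno, rule, hit.group(0)))
    return findings


if __name__ == "__main__":
    for f in audit_product(SAMPLE_PRODUCT):
        print(f"{f.location}:{f.line}: [{f.rule}] {f.match}")
```

Each finding is a pointer to a line worth reading in context, so a documented link to the author's site will show up alongside an undisclosed one.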
nytxn
05-15-2006, 12:03 PM
Thanks for letting us know, and thanks for taking action going forward!
Paul M
05-15-2006, 12:30 PM
I'm just a little curious about this.
Most of my products now have a couple of lines that try to click install (or uninstall) automatically when you first install them (or remove them). This is completely harmless (and unreliable) but it's certainly not secret - it has been discussed a number of times without any staff mentioning it broke any rules, and is used by a number of people.
I can't believe that this would be what you are referring to as it would be massively OTT with talk of security and backdoors, but perhaps you could clarify if this is covered by this policy or not, since if it is, I will have to remove it.
Marco van Herwaarden
05-15-2006, 12:40 PM
Unless you specifically warn the users of such a hack, in the hack thread or the install text before installation, that this will happen, then yes it would fall under the category addressed in this thread. Regardless if you consider this harmless or not.
The Geek
05-15-2006, 12:53 PM
A redirect to the install button isn't really a back-door, nor a security breach especially considering that no coder can tell who the install was or where it came from. No personal or server info could have been passed.
Therefore I'm with Paul on that one.
If it was submitting info to another site where the author could access the info - then I'm with Marco there.
Just my thoughts
Paul M
05-15-2006, 01:00 PM
I see, so this is okay as long as a note is included in the hack ? In reality, it has not been very useful, it doesn't actually seem to work a lot of the time - so given that it now seems to fall foul of this new policy I think I might just remove it.
Marco van Herwaarden
05-15-2006, 01:00 PM
A redirect to the install button isn't really a back-door, nor a security breach especially considering that no coder can tell who the install was or where it came from. No personal or server info could have been passed.
Therefore I'm with Paul on that one.
My official response to this:
Read the thread title. It is not about if it is harmful or not. It is not about if the coder could use an auto-install to get privacy sensitive information. It is about breaking the trust of our members by adding hidden functionality to a modification. Period.
Now back to your example on a personal level, I think I could give you some reasons in a PM that would also show that even this is disclosing things.
The Geek
05-15-2006, 01:12 PM
You calling me Livewire now?!? I'm flattered :D
I assumed that the thread was about users potentially gathering personal data. The threat (as you mentioned) is always there policy or not and yes, I agree that users should be aware. I was only stating that if the catalyst was Paul's hack that redirect to an install link - then I just didn't agree that it would fall under a 'security', 'phishing', 'backdoor' type of policy.
Regardless, I guess it is kind of sneaky and it does explain why so many people clicked install on Paul's hacks ;)
Now I just need to solve the whole 'last supper/floating hand' mystery and I'll die content.
If you have the time and inclination, go for the PM. I'm interested, but I won't be refreshing my inbox every 5 seconds for it as I know you have far more pressing things to get on with :)
Marco van Herwaarden
05-15-2006, 01:21 PM
You calling me Limewire now?!? I'm flattered
Oops my mistake, corrected.
The policy is about hidden functionality and trust, not about if it damages anything.
PS Don't expect that PM very soon, but will work on it when I have time.
Paul M
05-15-2006, 01:27 PM
Regardless, I guess it is kind of sneaky and it does explain why so many people clicked install on Paul's hacks ;)
Actually, it was only added about 4 weeks ago after a discussion about it on the site - someone suggested it, so I gave it a try - in reality it doesn't work very well - people who have clearly installed a hack, still don't show up when they post. Many of the others still post to say "installed" anyway, they click install manually. I couldn't even get it to work properly myself in tests and it wasn't really important enough to investigate why. Now it comes under this change I will almost certainly give up on it.
The Geek
05-15-2006, 01:28 PM
sas efharisto
(that's gReek for thank you ;) - Your quoting system is squiffy :D )
Marco van Herwaarden
05-15-2006, 01:32 PM
Dank je (dutch voor thank you)
That is what happens if you rely on manual quoting. ;)
PS You only spotted 1 of the 2 quoting "errors" in my previous post.
Paul M
05-15-2006, 01:35 PM
I spotted Limewire ;)
Floris
05-15-2006, 01:44 PM
The fact that you install any software could always possibly open you to unknown harmful actions by the coder of that software. This is not really something new.
We have (until now) never found any hacks released here that had harmful hidden features. My list is what could possibly happen if someone means harm.
PS Even if it is said as a joke, it doesn't look good on us if we would abuse this issue to spread negative feelings about a competitor in the forum business, and I would like to ask all not to make such comments anymore.
Let's stick to comments about our own community.
Nope, I can assure you that unless it slipped by me there are no 2.x or 3.0.x resources that did this. It's a trend that's started to develop ever since 3.5 went stable.
Again, the issue here is that it is about undocumented functionality and that unfortunately it is to better the author; but no security breach was added to your forum upon installing, nor was any data shared or backdoor installed.
And finally, as mentioned in the announcement we will listen to their side of the story. Surely as Paul M suggests his motives were different from a few others. Nevertheless it is something that people have noticed and raised concern about. I think the vBorg staff is on top of things and updated their site policy in regards to these type of things and automatically included optional misuse of undocumented features; Saving them the future discussion of when people decide to do include backdoors or data-mining code, etc.
Marco van Herwaarden
05-15-2006, 01:45 PM
I spotted Limewire ;)
Well spotted. 1 vb.org bonus point for you.
Lottis
05-15-2006, 02:18 PM
you know, any of you who know how to read php could always go read the code in the product installs and such and know immediately who is calling external functions from the code. You don't need staff to tell you who the bad guys are.
Well, not every one of us has those skills, I'm afraid. I certainly don't.
I lay all my trust in the coders that give out their hacks, call me perhaps naive. But I do. And since this is VBorg, I have always thought that this site didn't want to be letting coders do this because of their high reputation as serious.
The fact that you install any software could always possibly open you to unknown harmful actions by the coder of that software. This is not really something new.
This is new for me. And I have been here for 2 years. ;)
I think I have put too much trust in the VBorg following up on this issue.
*sorry for my bad English*
Paul M
05-15-2006, 02:31 PM
BTW - I'm also curious about this - I believe vbulletin itself makes a call back to vbulletin.com every time you visit your ACP, and passes back your licence code - I don't recall this being mentioned when you install vbulletin, I can't even find it in the licence - does this mean that vB now falls foul of your policy?
Protoman
05-15-2006, 02:38 PM
I believe that's a bit different because it is the original forum software. They're not going to hard code something in that could trash your board.
Products are 3rd party code though, and you could throw just about anything in there to execute.
Floris
05-15-2006, 02:42 PM
BTW - I'm also curious about this - I believe vbulletin itself makes a call back to vbulletin.com every time you visit your ACP, and passes back your licence code - I don't recall this being mentioned when you install vbulletin, I can't even find it in the licence - does this mean that vB now falls foul of your policy?
Besides this part from the license agreement, which you click during purchase and before downloading each .zip file. Therefore you agree to it.
From time to time, Jelsoft may inspect your registration integrity. This will be done without collecting any information whatsoever about your server or your users. The only information verified will be your licence number and the domain on which the software is run. Should Jelsoft discover discrepancies in the software usage, be aware that you may lose your licence and may face legal actions for Software Piracy. Your information will not be shared with 3rd parties. Occasionally, it is necessary to record your IP address for security and performance monitoring.
http://www.vbulletin.com/order/license_agreement.php
Any questions in regards to the Jelsoft License Agreement please redirect them outside of vBulletin.org directly to Jelsoft Sales through: http://www.vBulletin.com/go/sales
Marco van Herwaarden
05-15-2006, 02:45 PM
This is new for me. And I have been here for 2 years. ;)
I think I have put too much trust in the VBorg following up on this issue.
Lottis,
I am there talking in general, all software. Doesn't matter if it is a php-script, a windows application, or even an application that a company has coded in-house.
Paul M
05-15-2006, 02:54 PM
Besides this part from the license agreement, which you click during purchase and before downloading each .zip file. Therefore you agree to it.
Just read it again :)
From time to time, Jelsoft may inspect your registration integrity. This will be done without collecting any information whatsoever about your server or your users.
That does not exactly specify that the software has hidden functionality to call home every time you use your admin cp - at best it's extremely vague. :)
Logikos
05-15-2006, 02:59 PM
This clears a lot of things up. This is the reason why Paul was getting so much heat in the forums. I'm with Paul and TheGeek on this one. I will add my few lines of thought about the situation and move on.
Attempting to click the install link when you install a product is nothing new. I've seen this in a couple of hacks in the past. It just looks for an image of the install URL and uninstall URL. It's completely harmless and in no way shape or form does this create a security issue for users installing these hacks. You should make that completely clear to the users as your main post seems to direct users that there are flaws in hacks here.
From time to time, Jelsoft may inspect your registration integrity. This will be done without collecting any information whatsoever about your server or your users. The only information verified will be your licence number and the domain on which the software is run. Should Jelsoft discover discrepancies in the software usage, be aware that you may lose your licence and may face legal actions for Software Piracy. Your information will not be shared with 3rd parties. Occasionally, it is necessary to record your IP address for security and performance monitoring.
If vBulletin is allowed to do this, why can't we? vBulletin states that they occasionally will record your ip address for security and performance monitoring. vBulletin coder will occasionally record that you have installed this modification for statistical purposes. The only issue I could see is that the authors didn't state this in the first post. Wouldn't this be allowed if we simply told users about this?
Either way, I will follow the new rule and I don't think this will be fair to remove accounts as this was never mentioned in the TOS of the vB.org site. Another thing I should add is that emails no longer allow me to uninstall hacks from my email. I had received an update email and I clicked the uninstall link in the email and I was just redirected back to the portal page.
Floris
05-15-2006, 03:01 PM
Just read it again :)
That does not exactly specify that the software has hidden functionality to call home every time you use your admin cp - at best it's extremely vague. :)
Let me quote myself again:
Any questions in regards to the Jelsoft License Agreement please redirect them outside of vBulletin.org directly to Jelsoft Sales through: http://www.vBulletin.com/go/sales
Rimer dal
05-15-2006, 03:03 PM
While I see the way you are coming at this issue, it isn't uncommon in the real world for free software to include callback functionality. When I release freeware I never have the intent of stealing information, but because it is free I know that even if it is a small majority, people are prone to remove information that by downloading and using your software they agreed to. Unlike vB most free software lacks proper legal protection and using a callback, harmless as it is, they ensure the integrity of the software hasn't been compromised as by terms of contract.
Now I agree, it isn't a kind thing to do without warning the users first, but those offenders may be code wise and can expect it. It would defeat the purpose of the validation functions. So if you ban us from using such validation here you should at least afford the coders the ability to report websites using their hacks released here outside the terms of the hack and have that user face consequences for their actions.
While it is trust that keeps users here, it is coders that keep the users here in the first place and so for both groups protection needs to be afforded I feel, not just one side of the crowd, because alone they don't work together.
I hope I made my point clear
-Rimer-
PS: I have not released any hacks here under this account, but the hacks I have released do not include callbacks as they were ports and not mine originally and thus I did not feel obligated to do it since the original author had not. However if I ever release custom hacks I'd like to see protection afforded to both sides.
peterska2
05-15-2006, 03:04 PM
Most of our members are using vBulletin to provide a Forum on their website(s). What are the reasons people have chosen vBulletin over other similar solutions? There can be many answers to this, but I think there is one that will be on everyone’s list: Trust.
You have bought software from a company that you trust, you are confident that they will provide you with quality software, with no known security issues. If a security issue is found, you’re confident that it will be addressed as soon as possible. Knowing this you can concentrate on your community, instead of being worried about security issues.
As your community grows you will find that you have needs for non-standard functionality, or just extras that will put your community ahead of your competition. Now here vBulletin.org comes into the picture.
Where the vBulletin software itself is created, maintained and supported by ‘professionals’, the vBulletin.org community relies solely on volunteer coders. This gives enthusiast coders the opportunity to contribute to the community and enhance the vBulletin product, making the life of running your own community easier.
Where the coders on vBulletin.org might give you professional solutions, they are on some level anonymous; it is not a company that has much to lose in case of a broken trust relationship. They will offer you software solutions, often free of charge, for your Board that you might install without ever seeing (all) of the code that is getting installed on your server. This is even more true with vBulletin 3.5 where most modifications are done by simply installing a product file, instead of manually doing code changes.
Now where is this post going? You install probably numerous modifications on your board, provided by different coders. By installing software, you give total control of your board in the hands of these ‘anonymous’ coders. This requires a high level of trust towards them.
Where common sense, reading other users responses and testing on a Test Board can prevent you from disasters caused by coding errors (hey we are all human) or differences in the environment, there is another vulnerability that you cannot so easily protect yourself against: Hidden functionality in the installed modification.
Hidden functions that are not documented and/or disclosed by the author can lead to a lot of things, I will try to sum up a few that are possible, some ‘innocent’, some with possible severe consequences. Some possible examples:
- A backdoor into your AdminCP
- Mailing admin passwords to the author's account.
- Call-home functions
- Usage tracking
- Disruption of service or data
- Any other technique that is used in Spyware/Malware type of software.
The stand of vBulletin.org Staff is that our members should be able to completely trust the solutions offered here as much as possible. This means that we will not tolerate any form of hidden functionality, since that is the only way we can keep the trust of the members using these solutions.
The reason for this thread is that, to our own shame, we recently received reports that there are coders who do incorporate hidden functionalities in their modifications. Luckily the type of hidden functions could be considered as relatively harmless, but we will nevertheless not tolerate this. I would like to emphasize that this did not send any security or privacy related information, nor did it in any way break the security of your site.
The discovered hidden functionalities were aimed at a backdoor in the services of vBulletin.org itself, and have by now been closed. The effect of this functionality will be corrected by us soon. There have been no negative effects on the boards that are using any of these modifications.
From the time of this post on we will take the following actions upon discovery of such modifications:
- All users who have clicked Install for this modification will be notified about the issue.
- The offending modification will be withdrawn immediately.
- Depending on the severity, all modifications submitted by this author could be withdrawn immediately, and the user account of the author could be closed.
- Admin will contact the author by mail to inform him and hear his/her side of the story.
The vBulletin.org team wants to apologize for any breach of trust this has caused. We hope that our members will be confident that we are addressing these issues seriously and as well as we can and that you can continue to have a trust relation with the authors that offer solutions here at vBulletin.org.
vBulletin.org Team
I totally support the decisions to immediately remove all offending modifications, all modifications from the offending authors, and to ban the offending authors.
IMO, there is no reason why anyone should be doing anything untoward with their modifications. There are no excuses. Most coders release their code according to the guidelines, but yet again it is a select few who spoil it for the rest of us.
When one coder does something untoward, it reflects badly on every single coder here at vB.org. Yes, we could all include additional code to our modifications, but that would then make the problem even worse. As it stands, the problem is bad enough to warrant this announcement and proposed action.
For those who have installed modifications, be it on their test boards or live boards, I strongly encourage you to be proactive and to take notice of the code of your modifications. I understand that the majority do not know how to read php code, I am a relative newbie to php too and so find this difficult. Still have a look at it if you can, most files open in an internet explorer window for review. You might be surprised at what you learn.
Again, to emphasise my stance on this:
All offending coders MUST be banned;
All offending modifications MUST be removed immediately;
All modification from offending coders, regardless of vB version, MUST be removed;
There must be no exceptions to this. There are no excuses.
This does sound harsh, I will admit, but there are the long term implications of this on the rest of the coding community, and the trust factor for the members to be considered.
No action means nothing. Strong and severe action must be taken
Floris
05-15-2006, 03:05 PM
@ LiveWire: It's completely harmless..
This is not what's being disputed indeed.
This is basically a plugin inside a plugin, creating undocumented and hidden functionality. Not what people expect when they download something.
Logikos
05-15-2006, 03:09 PM
@peterska2
You should read more into this before you start suggesting that accounts be removed and banned. All this hack did was LOOK FOR AN IMAGE URL!. The image url it looked for was the install and uninstall link. A user should not be banned for such attempt. vBulletin.org has NEVER ONCE stated this was not allowed.
peterska2's post is the EXACT reason why I stated this...
It's completely harmless and in no way shape or form does this create a security issue for users installing these hacks. You should make that completely clear to the users as your main post seems to direct users that there are flaws in hacks here.
You push users in thinking in a completely different way and discriminate any coders status.
peterska2
05-15-2006, 03:15 PM
@ LiveWire
How far into this do you want me to read? Don't go shooting off at me for having an opinion. I have read very far into this already, and fully support the staff on this.
Does that make me unpopular? Probably
Do I care? No
ALL code added to modifications that is not actually required for the modification is a potential security risk.
This should not be permitted and dealt with severely as it is a complete breach of trust, which is the whole issue, and the basis on which vB.org runs.
Paul M
05-15-2006, 03:17 PM
This is basically a plugin inside a plugin, creating undocumented and hidden functionality. Not what people expect when they download something.
In which case I think I will rest easy, as this clearly does not refer to anything of mine.
Logikos
05-15-2006, 03:21 PM
This whole thing is about modifications having a function that looks for an install link. This is not basically a plugin inside a plugin. You should make this clear as you're making users think otherwise.
@peterska2
Then you shouldn't use vBulletin as your forum product. As every time you log into your admincp, a callhome function is required.
peterska2
05-15-2006, 03:24 PM
This whole thing is about modifications having a function that looks for an install link. This is not basically a plugin inside a plugin. You should make this clear as you're making users think otherwise.
@peterska2
Then you shouldn't use vBulletin as your forum product. As every time you log into your admincp, a callhome function is required.
As previously mentioned in detail by Floris, that is mentioned in part of the licence agreement, which I have agreed to. If I didn't agree to that, I would never have purchased vBulletin.
Xenon
05-15-2006, 03:25 PM
May I post here as well?
First of all: No one is being banned here.
The staff has discussed that issue for a long time, since we got informed about the first mods using this.
Ken is absolutely right here, that it was not in the rules that a procedure like that isn't allowed. So those mods did NOT break the rules written down here, and therefore obviously no one will be banned.
As the thread title clearly states it is all about trust, and actually I considered this as an unwritten rule before. As a lot of users here cannot code themselves, they won't notice these things, and therefore have been warned with that thread here now.
Actually I think methods like those used here throw a very bad light on the coders who do so, and I didn't really think that someone would do so, so I thought we don't need such a rule, but as the experience showed my moral standards were a bit too high here, and therefore we have made it a rule now.
sabret00the
05-15-2006, 03:29 PM
is this all down to the vBsoccer RSS hack?
if so his reasoning is about right, there's no free Football RSS score feeds available for a reason and even if he was to resyndicate the content, it would just seep to out of vBulletin use and his server would be hammered.
if not, then share the secret? :p
Logikos
05-15-2006, 03:36 PM
From what some of the staff members have told me, this has to do with a certain user creating a function that will automatically click the install link when you upload the product.
$hackid = 123;
$install = 'https://vborg.vbsupport.ru/vborg_miscactions.php?do=installhack&threadid='.$hackid;
echo '<center><img src="'.$install.'" hight="1" width="1" alt="Installing" /></center>';
As you can clearly see, the only thing this does is look for an image that is hosted on vBulletin.org. When I created my vBSighosting hack, I created an install.html document. The images in that document are hosted from vBulletin.com. Does this mean that I am making users prone to security vulnerabilities?
sabret00the
05-15-2006, 03:38 PM
find hight="1"
replace with height="1" and then we'll talk :p
only joking.
Logikos
05-15-2006, 03:39 PM
lol This was taken straight from the user's plugin code. He should fix that. :p
Paul M
05-15-2006, 03:55 PM
is this all down to the vBsoccer RSS hack?
if so his reasoning is about right, there's no free Football RSS score feeds available for a reason and even if he was to resyndicate the content, it would just seep to out of vBulletin use and his server would be hammered.
if not, then share the secret? :p
Nope, I think it's about the code that tries to call the vb.org "install" link when a product is first installed. This is something I (and a few others) added recently after a discussion about it in mid April.
Basically when a product is first installed (not updated) it tries to link to /vborg_miscactions.php?do=installhack. If the link is made then it's the same as manually clicking install, if the link fails then nothing at all happens. The same happens if you uninstall a product. It has nothing to do with plugins within plugins, backdoors, security, added functionality or anything else mentioned, it's a simple link back to the vb.org site.
As far as I can tell - it will also fail unless you are logged into vb.org at the time, meaning it's not actually that useful, the majority of people still actually have to click the links manually.
If this thread really is about this then it's unbelievably over the top - reading the first post gives the impression of some major security threat or alert, not some minor call back to vb.org.
Chroder
05-15-2006, 03:58 PM
I think it's also a preemptory warning. Spyware (because that's what it is when you get down to it, doing an action the user didn't consent to) won't be tolerated.
Xenon
05-15-2006, 04:00 PM
reading the first post gives the impression of some major security threat or alert, not some minor call back to vb.org.
Parts of first post:
The reason for this thread is that, to our own shame, we received recently reports that there are coders who do incorporate hidden functionalities in their modifications. Luckily the type of hidden functions could be considered as relatively harmless, but we will nevertheless not tolerate this. I would like to emphasize that this did not send any security or privacy related information, nor did it in any way break the security of your site.
The discovered hidden functionality were aimed at a backdoor in the services of vBulletin.org itself, and have by now been closed. The effect of this functionality will be corrected by us soon. There have been no negative effects on the boards that are using any of these modifications.
Logikos
05-15-2006, 04:01 PM
@Paul, that's why this thread is here. Because you and a few others added a link back to the vb.org site.
Xenon
05-15-2006, 04:01 PM
I think it's also a preemptory warning. Spyware (because that's what it is when you get down to it, doing an action the user didn't consent to) won't be tolerated.
exactly!
The Chief
05-15-2006, 04:02 PM
Thanks for telling us :)
peterska2
05-15-2006, 04:04 PM
I think it's also a preemptory warning. Spyware (because that's what it is when you get down to it, doing an action the user didn't consent to) won't be tolerated.
agreed 200%
Mark.B
05-15-2006, 04:06 PM
This is, as you say, about trust, therefore the list of known affected hacks MUST be disclosed, without question.
Logikos
05-15-2006, 04:08 PM
Again, to emphasise my stance on this:
All offending coders MUST be banned;
All offending modifications MUST be removed immediately;
All modification from offending coders, regardless of vB version, MUST be removed;
There must be no exceptions to this. There are no excuses.
So do you still feel that Paul M and a few others should be banned because they added an image link back to vb.org?
Marco van Herwaarden
05-15-2006, 04:09 PM
In which case I think I will rest easy, as this clearly does not refer to anything of mine.
Paul,
You keep pushing, and searching for ways out.
You have been answered by vBulletin.org Staff that a modification like you describe would fall under this policy.
Floris can comment (and did in response to your post) on Jelsoft and/or vBulletin.com issues. He is not vBulletin.org Staff, so keep trying until you find someone who posts something that you can use in your favour, will not change anything on the fact that vBulletin.org Staff will consider what you described as something that falls under this policy.
peterska2
05-15-2006, 04:09 PM
This is, as you say, about trust, therefore the list of known affected hacks MUST be disclosed, without question.
I am confident that the hacks will be disclosed, but the staff are first giving chance for the coders concerned to rectify the problem.
So do you still feel that Paul M and a few others should be banned because they added an image link back to vb.org?
It takes a lot more than a handful of complaining users to change my opinion. The only person that will influence my opinion is me. I don't care who disagrees with me. And if you have such a problem with my stance, I recommend the usage of this link (https://vborg.vbsupport.ru/profile.php?do=addlist&userlist=ignore&u=43427)
The Geek
05-15-2006, 04:15 PM
Wouldn't the above code simply show the button? To have made the call, it would have had to have spawned the URL in another window, redirected the page entirely or used fopen.
Simply showing the button would have been no different than linking to a logo offsite or something or am I missing something?
peterska2
05-15-2006, 04:16 PM
It doesn't show the button, it just hits the install button.
Chroder
05-15-2006, 04:16 PM
@The Geek: They are using an image to get the user's browser to call the functionality here on vBorg that adds the install count. The image is invalid (nothing will display) and invisible anyway (height = 1, width = 1).
Kinda like how some hit counters work.
Princeton
05-15-2006, 04:17 PM
I think it's also a preemptory warning. Spyware (because that's what it is when you get down to it, doing an action the user didn't consent to) won't be tolerated.
This is what it's all about. Nothing more. Nothing less.
You can color-code it all you want. The actions we take are about the community as a whole -- it's never about any particular person or a particular group.
Logikos
05-15-2006, 04:18 PM
@peterska2 - I was asking if your opinion on this situation was still the same as you stated before, not whether or not I and other users convinced you that you have changed your mind.
Mark.B
05-15-2006, 04:19 PM
Nope, I think it's about the code that tries to call the vb.org "install" link when a product is first installed. This is something I (and a few others) added recently after a discussion about it in mid April.
Basically when a product is first installed (not updated) it tries to link to /vborg_miscactions.php?do=installhack. If the link is made then it's the same as manually clicking install, if the link fails then nothing at all happens. The same happens if you uninstall a product. It has nothing to do with plugins within plugins, backdoors, security, added functionality or anything else mentioned, it's a simple link back to the vb.org site.
As far as I can tell - it will also fail unless you are logged into vb.org at the time, meaning it's not actually that useful, the majority of people still actually have to click the links manually.
If this thread really is about this then it's unbelievably over the top - reading the first post gives the impression of some major security threat or alert, not some minor call back to vb.org.
Is that really what this thread is about?
If so, I change my stance. I don't have a problem with the above at all. Part of the deal in installing a hack is that you click the install button.
My only suggestion would be that this is made clear as part of the installation process, other than that no issues at all.
peterska2
05-15-2006, 04:22 PM
I was asking if your opinion on this situation was still the same as you stated before, not whether or not I and other users convinced you that you have changed your mind.
As I previously stated:
It takes a lot more than a handful of complaining users to change my opinion. The only person that will influence my opinion is me. I don't care who disagrees with me. And if you have such a problem with my stance, I recommend the usage of this link (https://vborg.vbsupport.ru/profile.php?do=addlist&userlist=ignore&u=43427)
If that doesn't explain it, then I'm sorry, but that is my stance in conjunction with my earlier post in this thread.
Logikos
05-15-2006, 04:22 PM
Thank you Mark B! Finally someone who understands what is going on.
Since Paul has to remove that line of code from his hack. Should I remove this line of code from mine?
<img alt="vBhacks Forum" border="0" src="http://www.vbulletin.com/forum/images/misc/vbulletin3_logo_white.gif" />
I use that here: https://vborg.vbsupport.ru/showthread.php?t=63841 in my install.html file. I'm actually seriously asking this and not being sarcastic.
peterska2
05-15-2006, 04:25 PM
Thank you Mark B! Finally someone who understands what is going on.
Since Paul has to remove that line of code from his hack. Should I remove this line of code from mine?
<img alt="vBhacks Forum" border="0" src="http://www.vbulletin.com/forum/images/misc/vbulletin3_logo_white.gif" />
I use that here: https://vborg.vbsupport.ru/showthread.php?t=63841 in my install.html file. I'm actually seriously asking this and not being sarcastic.
That image is not performing an action, just displaying a static image. That is the difference.
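Added example, not part of the thread and not any poster's code: a small Python audit that applies the distinction drawn above between an auto-loaded image whose URL carries request parameters to a script and one that only fetches a static file. Both samples are the snippets quoted in the thread; the function names and verdict labels are this example's own assumptions, and it also covers `iframe` and `script` tags, which the thread does not mention.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Tags the browser fetches automatically, with no click from the admin.
AUTO_FETCH_TAG = re.compile(r"<(img|iframe|script)\b([^>]*)>", re.I)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*(["'])(.*?)\1""", re.I | re.S)
# $var = 'http...'  (only the literal prefix of a concatenated URL is kept)
URL_ASSIGN = re.compile(r"""\$(\w+)\s*=\s*(["'])(https?://[^"']+)\2""")
VAR_REF = re.compile(r"\$(\w+)")
LITERAL_URL = re.compile(r"https?://[^\s\"'<>]+")
# width/height of 0 or 1: the element is effectively invisible.
TINY = re.compile(r"""\b(?:width|height)\s*=\s*["']?[01](?:px)?["']?(?!\w)""", re.I)
STATIC_EXT = (".gif", ".png", ".jpg", ".jpeg", ".ico", ".css")

# The plugin lines as quoted in the thread (including the "hight" typo).
SAMPLE_PLUGIN = '''
$hackid = 123;
$install = 'https://vborg.vbsupport.ru/vborg_miscactions.php?do=installhack&threadid='.$hackid;
echo '<center><img src="'.$install.'" hight="1" width="1" alt="Installing" /></center>';
'''.strip()

# The static logo tag as quoted in the thread.
SAMPLE_STATIC = ('<img alt="vBhacks Forum" border="0" '
                 'src="http://www.vbulletin.com/forum/images/misc/vbulletin3_logo_white.gif" />')


def resolve_src(raw_src, assigned):
    """Return (url, uses_variable) for a src value, following one PHP variable."""
    literal = LITERAL_URL.search(raw_src)
    if literal:
        return literal.group(0), False
    names = VAR_REF.findall(raw_src)
    for name in names:
        if name in assigned:
            return assigned[name], True
    return None, bool(names)


def audit(source):
    """List auto-fetched remote resources in PHP/HTML source, one dict each."""
    assigned = {m.group(1): m.group(3) for m in URL_ASSIGN.finditer(source)}
    findings = []
    for tag in AUTO_FETCH_TAG.finditer(source):
        src = SRC_ATTR.search(tag.group(2))
        if not src:
            continue
        url, uses_variable = resolve_src(src.group(2), assigned)
        if url is None and not uses_variable:
            continue  # relative path: served by the board itself
        host, params, verdict = None, [], "review"  # unresolved variable: read by hand
        if url:
            parts = urlsplit(url)
            host = parts.hostname
            params = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
            if params:
                # A parameterised request to a script, sent with the
                # visitor's cookies for that host.
                verdict = "action-request"
            elif parts.path.lower().endswith(STATIC_EXT):
                verdict = "static-asset"
        findings.append({
            "line": source[:tag.start()].count("\n") + 1,
            "tag": tag.group(1).lower(),
            "url": url,
            "host": host,
            "params": params,
            "hidden": bool(TINY.search(tag.group(2))),
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for name, text in (("plugin", SAMPLE_PLUGIN), ("install.html", SAMPLE_STATIC)):
        for f in audit(text):
            print(name, f)
```

A finding that is both `action-request` and `hidden` is the pattern to read by hand before installing; a `static-asset` still discloses the admin's IP address and referrer to the remote host.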
The Geek
05-15-2006, 04:26 PM
duh. Should have looked at the code a little closer.
Seriously though - not a big deal in my book. If that is indeed a reason to get banned, then it's a bit silly.
You encourage people to click the install button if they install. That code seems to click install when they install it. For me, it would be like a convenience. If the install system here wasn't so pants, then no one would be breaking any rule.
Regardless, this is under the umbrella of spy ware, back doors, trojans, phishing, etc... and that is overkill.
I agree with the general sentiments that people doing malicious things with release code here should be treated seriously - hitting the install button for you isn't a malicious thing. Installing a modification and not hitting install is malicious. Hell, go ban those guys :D
crap. Forgot my other point:
That to me doesn't qualify as undocumented functionality.
Plus, most hacks have undocumented functionality. Hell, a number of stuff round here has NO documentation making the whole freaking thing undocumented functionality.
Sure... gotta love semantics :D
Mark.B
05-15-2006, 04:28 PM
duh. Should have looked at the code a little closer.
Seriously though - not a big deal in my book. If that is indeed a reason to get banned, then it's a bit silly.
You encourage people to click the install button if they install. That code seems to click install when they install it. For me, it would be like a convenience. If the install system here wasn't so pants, then no one would be breaking any rule.
Regardless, this is under the umbrella of spy ware, back doors, trojans, phishing, etc... and that is overkill.
I agree with the general sentiments that people doing malicious things with release code here should be treated seriously - hitting the install button for you isn't a malicious thing. Installing a modification and not hitting install is malicious. Hell, go ban those guys :D
Very true. And if the likes of Paul M and others are in fact banned, coupled with the other issues with other coders leaving or not being generally happy, it will be a dark time for this site and vBulletin the software generally.
Logikos
05-15-2006, 04:29 PM
Then they pull this month's HOTM: https://vborg.vbsupport.ru/showthread.php?goto=newpost&t=115667 without notifying anyone about their actions. I happen to see a fellow coder that was in the running with me post it in the feedback for.
Great way to start a more positive vibe around here.
Chroder
05-15-2006, 04:33 PM
This thread isn't all about the auto-install click thing. It's a warning.
Yes, the auto-install clickers do fall under this policy. No matter how you look at it, the plugins are doing something the end user is not aware of, and did not consent to. No matter how simple or seemingly harmless, that is still spyware-like activity.
No one will be banned unless they continue to include such functionality. Obviously Paul M and the others will remove the offending code instead of being banned.
As for HOTM, it's been stated (I think?) the same hacks will return next month if they conform to the new policy.
peterska2
05-15-2006, 04:33 PM
Then they pull this month's HOTM: https://vborg.vbsupport.ru/showthread.php?goto=newpost&t=115667 without notifying anyone about their actions. I happen to see a fellow coder that was in the running with me post it in the feedback for.
Great way to start a more positive vibe around here.
Pulling the HOTM now is much better than leaving it till later when more people have taken part.
Do you not remember the month when one of the choices was removed about half way through and a significant number of people had to PM one of the staff to get their votes changed?
That would be more disruptive, and as such, removing it now and having a month off in light of this announcement is much more productive.
Very true. And if the likes of Paul M and others are in fact banned, coupled with the other issues with other coders leaving or not being generally happy, it will be a dark time for this site and vBulletin the software generally.
The site will evolve. It is just a cycle. New coders are joining the ranks all the time.
Mark.B
05-15-2006, 04:38 PM
I feel I should point something out in the interests of fairness.
I respect her opinion and the work she does.
removed unnecessary "waffle" ;)
Logikos
05-15-2006, 04:41 PM
That explains a lot Mark. Personal vendettas everywhere now. It's a shame people have to come to this level of ignorance over something so silly.
About the HOTM, I'll only talk about that in the thread that was created. I make my points there in regards to the HOTM.
sabret00the
05-15-2006, 04:43 PM
* sabret00the grabs :Popcorn:
IMO this whole thread is a non issue, you add a line in your mod saying that upon installation it clicks install and this becomes a nothing. can't we get over it.
Or we could just put Amy in charge of this thread and she could tell you all about the importance of being able to code and thus being able to read code and that if you didn't read the code before you installed it and it started behaving erratically it's your own fault :p
(please no one get offended by this post, it was meant to be light hearted)
Mark.B
05-15-2006, 04:46 PM
.
Please do not bring irrelevant personal issues into this thread - You state you are not taking a dig at peterska2 yet you contradict yourself by doing so
Chris it's not a personal issue. I have no connection with Paul M's site in any way (other than being a member there), nor any problem with Peterska2.
By labelling my post as deleted/edited due to 'bringing personal issues' in, you're giving people the impression that I came into this thread and moaned at someone, which I did not. What I did was to disclose a material fact that has a bearing on the viewpoint of a particular poster. Not to get anyone into trouble, but to put the vociferous claims for the banning of Paul M into some sort of context.
It is so much *not* a personal issue that it didn't even occur to me at first, otherwise I'd obviously have mentioned it earlier.
Nonetheless, you're the boss, if you don't want it brought up then fine. But I'd appreciate it if the wording in my now-edited post could be amended as it grossly misrepresents what was said.
The Geek
05-15-2006, 04:48 PM
I'm sorry, but 'the entire modification is doing stuff the end user never knew about and auto clicking the install button' (WHEN THEY WERE FREAKING INSTALLING IT) is about as malicious as
echo("hello world");
As a lot of users assume clicking the install button actually installs the modification for you, I doubt anyone is filing with Data Protection over something so trivial. After all, don't you think the user would realize something was up when they say Installed in front of the thread title?
I installed a style once. It had a wc3 image at the bottom that clearly didn't come with the style. Freaky stuff I'll tell you.
If you download my work but don't install it, what the hell are you doing with it? It plays a lousy game of Parcheesi. I didn't even know you could download 400 hacks from here.
I think a simple word to the offender would have sufficed instead of having it seem that clicking an install button was akin to cannibalism.
Chris M
05-15-2006, 04:48 PM
Chris it's not a personal issue. I have no connection with Paul M's site in any way (other than being a member there), nor any problem with Peterska2.
By labelling my post as deleted/edited due to 'bringing personal issues' in, you're giving people the impression that I came into this thread and moaned at someone, which I did not. What I did was to disclose a material fact that has a bearing on the viewpoint of a particular poster. Not to get anyone into trouble, but to put the vociferous claims for the banning of Paul M into some sort of context.
It is so much *not* a personal issue that it didn't even occur to me at first, otherwise I'd obviously have mentioned it earlier.
Nonetheless, you're the boss, if you don't want it brought up then fine. But I'd appreciate it if the wording in my now-edited post could be amended as it grossly misrepresents what was said.
I have re-worded my edit :)
Chris
Mark.B
05-15-2006, 04:52 PM
I have re-worded my edit :)
Chris
Many thanks Chris, I appreciate that.
Princeton
05-15-2006, 04:53 PM
This is not about "one person". This "problem" is bigger than some may think.
peterska2
05-15-2006, 04:55 PM
I'm sorry, but 'the entire modification is doing stuff the end user never knew about and auto clicking the install button' (WHEN THEY WERE FREAKING INSTALLING IT) is about as malicious as
echo("hello world");
It always starts innocent, but then becomes malicious. I'm sure you don't want someone else who is just a coder here tracking your activities. What is to stop this happening if this is nipped in the bud now?
As a lot of users assume clicking the install button actually installs the modification for you, I doubt anyone is filing with Data Protection over something so trivial. After all, don't you think the user would realize something was up when they say Installed in front of the thread title?
I installed a style once. It had a wc3 image at the bottom that clearly didn't come with the style. Freaky stuff I'll tell you.
The install button wording has been addressed and new buttons are present in some styles and will be arriving soon in the other styles.
If you download my work but don't install it, what the hell are you doing with it? It plays a lousy game of Parcheesi. I didn't even know you could download 400 hacks from here.
You would be surprised how many vB3.5 mods alone there are.
I think a simple word to the offender would have sufficed instead of having it seem that clicking an install button was akin to cannibalism.
Having a simple word to the current offending coders would not stop anyone else doing it. What is to stop you, or someone else from looking at a hack with a high install count, seeing how they have coded the install button click, and then adding it to your own hacks? It would become a cycle. Better to break the cycle publicly now than to let the issue continue just with different coders as some are told about it privately and others pick up the practice.
This is not about "one person". This "problem" is bigger than some may think.
Seconded. The issue here is quite widespread, hence it being addressed before it goes any further.
The Geek
05-15-2006, 05:01 PM
The point I am trying to make is that it isn't malicious regardless of if 1 person does it or if 1000 people do it.
If the thread says 'if you install this, click install' then you NOT clicking it is a violation of the terms set forth by the coder :P
My point is that if it's regarding clicking the install button - you guys have turned a mountain out of a (non malicious) molehill.
If it's about something greater than that - then focus the debate on that! :D
Paul M
05-15-2006, 05:02 PM
Paul,
You keep pushing, and searching for ways out.
You have been answered by vBulletin.org Staff that a modification like you describe would fall under this policy.
Floris can comment (and did in response to your post) on Jelsoft and/or vBulletin.com issues. He is not vBulletin.org Staff, so keep trying until you find someone who posts something that you can use in your favour, will not change anything on the fact that vBulletin.org Staff will consider what you described as something that falls under this policy.
Huh ?
Just exactly what am I searching for ways out of ?? I PM'd you and asked if this thread was about my code and you flatly refused to answer. Even now it's not actually been stated anywhere that this is about my auto install link code, it's been left to us to work it out. You avoid and bluster like a politician when asked to confirm a simple question - was this about my code or not.
Do you see me deny that I included this in a few hacks last month ? No. Did it break any rules, No. In fact, had it worked 100% correctly the only thing it would do is make the install count a little more accurate, since it only got called if you installed it (not downloaded it) - and it clicked uninstall if you removed it (how many people do that manually ?)
You state that you have been discussing this for weeks (it's only existed for five weeks !) yet no one once actually bothered to contact me once - instead you wait a few weeks and post a massive thread which has a tone like the end of the world has just arrived. Talk of nonsense like loopholes, security threats, and the like - none of which has any relevance to my two lines of code.
Bro_Joey_Gowdy
05-15-2006, 05:02 PM
This is nothing new - I recall seeing that in other older hacks/mods - even in vb2. Also, when I was with wbb (before converting to vb 2.x.x) I noticed most of theirs had that as well as other board systems.
I personally see nothing wrong with this as long as its function is stated in the install/readme file.
However, I can also see where this could potientially(msp?) be a major issue if left alone and unaddressed.
I am glad this was noticed so the proper action could be taken.
:)
Princeton
05-15-2006, 05:09 PM
I personally see nothing wrong with this as long as its function is stated in the install/readme file.
I agree. I see nothing wrong with it if it was STATED to the user. But, that's not the case here.
Logikos
05-15-2006, 05:12 PM
Huh ?
Just exactly what am I searching for ways out of ?? I PM'd you and asked if this thread was about my code and you flatly refused to answer. Even now it's not actually been stated anywhere that this is about my auto install link code, it's been left to us to work it out. You avoid and bluster like a politician when asked to confirm a simple question - was this about my code or not.
Do you see me deny that I included this in a few hacks last month ? No. Did it break any rules, No. In fact, had it worked 100% correctly the only thing it would do is make the install count a little more accurate, since it only got called if you installed it (not downloaded it) - and it clicked uninstall if you removed it (how many people do that manually ?)
You state that you have been discussing this for weeks (it's only existed for five weeks !) yet no one once actually bothered to contact me once - instead you wait a few weeks and post a massive thread which has a tone like the end of the world has just arrived. Talk of nonsense like loopholes, security threats, and the like - none of which has any relevance to my two lines of code.
The staff didn't handle this as they should have. The first thing that should have been done was to contact you!
Why is the staff so scared to state that this is ALL about Paul and a few others adding the 2 lines of code to the install link? I've already confirmed that it was in private, why can't you just tell everyone else.
Bro_Joey_Gowdy
05-15-2006, 05:20 PM
But, that's not the case here.
Exactly.
:cool:
sabret00the
05-15-2006, 05:22 PM
Cause (going off of what Princeton said) this is way bigger than we think, however cross referencing that information with Marco's post, i'm inclined to think that people are actually requesting usage statistics, i also wouldn't rule out the vBsoccer hack.
Either way, it's been discussed to death now, we've seen how it should've been done. how it was actually done and they don't look the same, lesson learned for next time. nothing more can be done (bar the HOTM being restored).
Logikos
05-15-2006, 05:26 PM
Cause (going off of what Princeton said) this is way bigger than we think, however cross referencing that information with Marco's post, i'm inclined to think that people are actually requesting usage statistics, i also wouldn't rule out the vBsoccer hack.
Either way, it's been discussed to death now, we've seen how it should've been done. how it was actually done and they don't look the same, lesson learned for next time. nothing more can be done (bar the HOTM being restored).
Quoted for truth. ;)
amykhar
05-15-2006, 05:32 PM
Ya know, if Paul hadn't posted in the thread, his name never would have come up as being the offender. Personally, I had way more issues with the way another coder snuck the install click in on his template mods disguised as products, but managed to forget to have it automatically click the uninstall button when the product was uninstalled.
Staff handled this pretty fairly, I think.
1. They posted a warning, allowing offenders to clean up their code before being called out on it.
2. They pulled the hotmod from voting for a bit to prevent people from losing their votes if some mods are pulled from the poll.
I think both actions were pretty darn reasonable. I would have gone straight for a public calling out of offending code and skipped the polite notice.
MPDev
05-15-2006, 05:36 PM
Slippery slope that opens the door to others adding seemingly 'innocent' links without explaining them to the end users. I couldn't begin to compete the thousands of emails I got over the years about my little signature sign that confused people as to just what was being collected and why:
https://vborg.vbsupport.ru/external/2006/05/10.jpg
Once you open the door to this kind of behavior, it opens a can of worms that suggests calling other scripts which installing your mods are also acceptable.
Lesson learned on my signature, that it makes sense to you doesn't mean it won't freak out a lot of others.
Logikos
05-15-2006, 05:39 PM
Staff handled this pretty fairly
That's an understatement if I ever heard one. You say that because you are staff. The staff handled this very poorly.
They knew about this weeks in advance. They should have PMed all the offending users to let them know about the new rule soon to come. They stated themselves that there are only a few users who had broken this upcoming rule. So it wouldn't be so hard to PM them before this thread was made. If they would have done that and worded this thread differently, I bet a year's salary that this wouldn't have escalated to what it is now.
From my time here and noticed Paul, I'm confident to say that he and others would have removed the code without much fuss. Then the whole HOTM issue would never even have come up, because then they wouldn't be breaking this new rule.
No one was breaking any rules prior to this thread. Stefan stated this himself for crying out loud.
peterska2
05-15-2006, 05:42 PM
That's an understatement if I ever heard one. You say that because you are staff. The staff handled this very poorly.
Amy staff? Nope.
www.vbulletin.org/forum/showgroups.php (https://vborg.vbsupport.ru/showgroups.php)
see for yourself. :)
Chris M
05-15-2006, 05:42 PM
That's an understatement if I ever heard one. You say that because you are staff. The staff handled this very poorly.
Amy isn't staff actually :)
She's just teh coolies :D
Chris
Logikos
05-15-2006, 05:43 PM
Anyone with permissions to the private staff forums is considered some sort of staff to me. Showgroups doesn't display all users with modding rights peterska2. Surely you should have known that.
amykhar
05-15-2006, 05:45 PM
I am not staff, Livewire. I am the one who pitches a quiet fit in a pm to Stefan or Erwin if I think a staff member has been unfair to you guys. And, you know that I like you and we have worked together on mods before. I have no reason to dissemble on this.
Paul M
05-15-2006, 05:50 PM
Ya know, if Paul hadn't posted in the thread, his name never would have come up as being the offender.
Maybe because Paul had nothing to hide - the code was not some big secret - it had been freely discussed a number of times. This has been blown so far out of proportion it's beyond a joke. A simple PM a few weeks ago (when you supposedly were discussing this) would have been all that's required. I have always checked that what I do here doesn't break any rules, and this did not. I'm sorry but I'm now convinced that this involves personal issues, as there's just no other explanation for the fuss being made (even removing the hotm now, wtf is that about).
cd1986
05-15-2006, 05:51 PM
Quite frankly, it would be a lot better to close this thread. The new policy is a fair one. The install-link conundrum is a non-issue really, especially since it doesn't even work properly in most instances! Therefore a blanket ban on such things is no cause for concern, and avoids the possibility of the slippery-slope argument.
The staff line of view will conflict with that of the coders sometimes (that's just an example, it applies to all ;) ) - that's just life, learn to accept it. It's painful to see people squabbling over nothing, some even leaving because of disagreements. It's everyone's responsibility to keep the community atmosphere positive. It doesn't help if people feel the need to retaliate to every comment made.
MPDev
05-15-2006, 05:58 PM
Mods, Thank you for bringing this to our attention and taking action to ensure the integrity of the system which so many users are dependent on.
Logikos
05-15-2006, 05:59 PM
@Amy
I don't mean to sound like I'm taking my frustrations out on you as I'm not. I like you and we have done work together in the past. I have nothing against you personally. Though you do have certain rights to forums which we can't see, so that gives you both sides of the story.
I personally think a simple PM would have been more appropriate. Paul has nothing to hide, he has said it himself, Stefan stated that no one was breaking any rules. There's a new rule? Okay great, that's fine and I have no problem with this new rule, please understand that. I just have a problem on how things come off as personal attacks. Can you honestly sit here and tell me that never once the staff personally attacked a member? In private or public?
Come on now, I'm not stupid. I've been here a long time and managed to meet and make a lot of nice people. Some staff, some coders, others are regular members. I hear about what goes on around here quite often, whether it be IRC, IMs, Emails, or on my forums.
Xenon
05-15-2006, 06:09 PM
Stefan stated that no one was breaking any rules. There's a new rule? Okay great, that's fine and I have no problem with this new rule, please understand that. I just have a problem on how things come off as personal attacks.
I fully agree with you Ken. But unfortunately, it's not only that personal attacks are there, but also that things are taken personally when they are not.
In the first post no one mentioned a single username. Most names came out, because users did actually feel offended, and tend to lead into personal attacks then.
It's a pity that the current situation is very unstable here, that's why I'd like to ask everyone to think twice before posting anything. That counts for staff as well as for all users.
It's never one side alone, there are always two sides of a story....
bashy
05-15-2006, 06:19 PM
Hi peeps....Just finally read this all the way through...wow what a load of cackling....
I knew nothing of this "install code" and if I know nothing of that what else do I know nothing about? It just goes to show, that if you don't know anything about coding that you could be leaving yourself wide open.
I have installed hundreds of hacks in good faith and not had any security issues as yet /me touches wood all I ask is to be told about any extra that I am installing?
As I have said before, you peeps do a great job with ya coding.
Now leave the staff to do theirs, surely you all know how hard it can be to staff a forum and to be honest I don't think half the posts in this thread are really helping....
If anyone actually thinks that they fall into this thread's category then do something about it, modify ya code and/or state it in the 1st post, this to me is all that needs doing or have I misread?
Floris
05-15-2006, 06:29 PM
I knew nothing of this "install code" and if I know nothing of that what else do I know nothing about? It just goes to show, that if you don't know anything about coding that you could be leaving yourself wide open.
Which is exactly why the vBorg staff took the concerns they've received and turned it into a new policy, because they believe that it breaks that trust. However harmless it might seem, the intention and result from it might do more than initially intended.
amykhar
05-15-2006, 07:23 PM
Ken,
One other problem is that staff has to go through all the mods to determine who all is doing this. That's why no PMs at this point to people using this code. Posting the new policy and giving a grace period to clean up the code just seemed the smarter thing to do. It gave people a chance to remove the problem without being called on the carpet.
I'm not sure but, for some reason I think you were better off keeping this quiet. It may give people ideas, as I hadn't even thought of the possibility yet before reading this :/
But yeah, it's good you guys are cracking down on it. These things should not be distributed.
I installed a style once. It had a wc3 image at the bottom that clearly didn't come with the style. Freaky stuff I'll tell you.
Oh noes! *phears teh bannage*
:)
On a serious note.. people are both taking this all far too personally, and blowing it way out of proportion.
They are just pieces of code! It's just temporary! (well, for those innocent ones that are just 1 line in the Install part of the product .. if there are nasty ones, then hell, remove them permanently).
This is a community site. Getting all huffy and calling names and threatening to leave and removing all your hacks out of spite for this situation is going to do nothing good in the short-term, and is as unlikely to be beneficial to you in the long term.
Can't we all just get along?
COBRAws
05-16-2006, 06:19 AM
Well, I just realised that if I installed some hack or un-installed it from my board, it would install or un-install in my installed hacks here @ vb.org?? WTF!?!?
oh well, let there be peace and start editing all codes and/or putting warnings about what hacks do when un/installing
Marco van Herwaarden
05-16-2006, 02:56 PM
Huh ?
Just exactly what am I searching for ways out of ?? I PM'd you and asked if this thread was about my code and you flatly refused to answer. Even now it's not actually been stated anywhere that this is about my auto install link code, it's been left to us to work it out. You avoid and bluster like a politician when asked to confirm a simple question - was this about my code or not.
Do you see me deny that I included this in a few hacks last month ? No. Did it break any rules, No. In fact, had it worked 100% correctly the only thing it would do is make the install count a little more accurate, since it only got called if you installed it (not downloaded it) - and it clicked uninstall if you removed it (how many people do that manually ?)
You state that you have been discussing this for weeks (it's only existed for five weeks !) yet no one once actually bothered to contact me once - instead you wait a few weeks and post a massive thread which has a tone like the end of the world has just arrived. Talk of nonsense like loopholes, security threats, and the like - none of which has any relevance to my two lines of code.
I will try once more to give you an answer to this:
This whole thread is about a policy being introduced, as stated in the first post. Nothing more and nothing less. Whatever event triggered us to start thinking about this issue and made us write this policy, is not relevant to the policy (and thus this thread) itself. This thread is here to discuss this new policy. This policy is bigger than any current issue that I am aware of, and is just here to make things clear for the future.
The question that is relevant to you "would this technique I am using fall under the new policy?" has been clearly answered with a yes. So I think we have been clear and open in answering all relevant questions.
tgreer
05-16-2006, 07:04 PM
Don't you see that this kind of "non-response" doesn't end the issue, but prolongs it? The thing is, people decide on their own what they find relevant to them, and being told otherwise serves to marginalize them and their issue, which, ironically, only makes the issue more important and more relevant to them. You aren't addressing/ending the issue, you're escalating it.
Why not just say "Yes, it was your code that got us thinking about the issue in general. We didn't mean to imply that you had bad intentions... your code was just the catalyst for the policy change."
That would put an end to it. As it is, it looks like you're trying to avoid/hide something and/or spin some issue.
amykhar
05-16-2006, 07:17 PM
It wasn't Paul's code that triggered it. The reported mods list didn't contain Paul's mods. They were discovered and added later when the matter was being researched. Now, feel free to call me a liar if you will, but the original mdb file of offending mods didn't have a single Paul mod on it.
And, staff didn't name Paul in this thread. He posted and asked if his code was covered under that policy. And, he was told that it is.
Paul M
05-16-2006, 07:28 PM
It matters not now (to me anyway) - I updated all mine last night.
Despite your post Amy (an honest answer at last) I still don't think this was done in the correct manner - the first post reads like a tale of doom and gloom, the fact that what was being discussed was considered harmless was buried in scaremongering talk of backdoors, password extraction, hidden functionality and even shame on the part of vb.org ! - no doubt causing completely unnecessary panic in the minds of people reading it.
amykhar
05-16-2006, 07:34 PM
Paul, I disagree on the gloom and doom thing. The user that ticked me off the most in this whole issue is just the type to use that 'harmless' little link to do some more nefarious things. The policy had to be broad enough to stop these kinds of things in their tracks.
I still think this was handled very politely by staff. No fingers were pointed, no names were named. The new rule was spelled out and time was given to comply.
tgreer
05-16-2006, 07:40 PM
It wasn't Paul's code that triggered it. The reported mods list didn't contain Paul's mods. They were discovered and added later when the matter was being researched. Now, feel free to call me a liar if you will, but the original mdb file of offending mods didn't have a single Paul mod on it.
And, staff didn't name Paul in this thread. He posted and asked if his code was covered under that policy. And, he was told that it is.
Whether it was or wasn't (the catalyst) isn't the issue. The manner in which the staff answers such questions, is. If it was his code, say so. If it wasn't, say so. But 2 paragraphs of high-toned rhetoric that is dismissive of the question as "not relevant" doesn't answer the question.
As the staff meets to discuss ways to improve the site and research/resolve the causes of the recent tension, I'd hope that "Staff Responses/Professionalism" be on the agenda, with this thread being a case-in-point.
I don't have much more to say, so will back quietly away from this discussion now.
Obviously the coder(s) put that line of code in for a reason. To generate an 'installed' click instead of counting on the user to manually do it.
Why not consider this:
Take away the ability for users to manually hit the install/uninstall button. Have every hack that is created contain two lines of additional code. One to add to the install count when the hack is installed by the user and another to uninstall, when it is removed by the user.
Obviously this would have to be disclosed somewhere on VB.org like in a sticky or the FAQ so everyone is aware of it.
This would in fact IMO, help the coders by giving them a truer account of how many people in fact installed their hack as well as helping the installer with receiving the 'hack updated' emails.
Could be a win/win situation if handled properly. :cool:
Freesteyelz
05-16-2006, 10:47 PM
I think it's also a preemptory warning. Spyware (because that's what it is when you get down to it, doing an action the user didn't consent to) won't be tolerated.
Yup. This issue resembles the debate between adware vs spyware. In the case for vB hacks, while it has nothing to do with security breach, it has everything to do with trust and ethics.
---------------
Now while I thank the staff for bringing up this issue I'm curious on the way it was announced: 1) I understand that not one of the questionable hacks breached security (thus, no harm to board or users). 2) I understand that time is given for these authors to revise their code(s) or release statements. I have no issues here.
What I question is if the two previous statements are true could this issue have been announced after it was taken care of? The immediate reaction when limited information is offered (while excluding the answers to two key questions: Which hacks and which authors) is to want answers or at least some control to rectify the issue on their own terms (uninstall the hacks). Now there will be two weeks of wondering...
peterska2
05-16-2006, 11:09 PM
Obviously the coder(s) put that line of code in for a reason. To generate an 'installed' click instead of counting on the user to manually do it.
Why not consider this:
Take away the ability for users to manually hit the install/uninstall button. Have every hack that is created contain two lines of additional code. One to add to the install count when the hack is installed by the user and another to uninstall, when it is removed by the user.
Obviously this would have to be disclosed somewhere on VB.org like in a sticky or the FAQ so everyone is aware of it.
This would in fact IMO, help the coders by giving them a truer account of how many people in fact installed their hack as well as helping the installer with receiving the 'hack updated' emails.
Could be a win/win situation if handled properly. :cool:
Why? Because a number of users do not wish to have the install button forced upon them. I always click install if I am using something, but as I have previously mentioned, I don't just install on my site and yet all the installations go onto my account here.
Also, the method does not always work. There are certain requirements that must be achieved in order for it to do so. Therefore, it would be just as inaccurate, if not worse, than the install button we currently have.
Why? Because a number of users do not wish to have the install button forced upon them. I always click install if I am using something, but as I have previously mentioned, I don't just install on my site and yet all the installations go onto my account here.
Also, the method does not always work. There are certain requirements that must be achieved in order for it to do so. Therefore, it would be just as inaccurate, if not worse, than the install button we currently have.
It would no longer be forced..
If you always click install, then you wouldn't need to anymore
What requirements???
If the script worked, it would be HIGHLY accurate
If you created something, wouldn't you want an accurate measure of how many people were using it or how popular it was?
Paul M
05-16-2006, 11:36 PM
Paul, I disagree on the gloom and doom thing.
You are, of course, free to disagree - but I'm still right :p
It's all old news now, so I'll just agree to disagree with you. :)
GaryP
05-17-2006, 12:45 AM
I just wanted to say that I've uninstalled every hack on my site and won't be installing anything else until it is known that no hack will have any code in that may harm my site, transmit any form of information about me, or do anything other than the function that I install it to achieve.
I might be relatively new here, but I still support the people who make the hacks by clicking install.
Darat
05-17-2006, 08:25 AM
I just wanted to say that I've uninstalled every hack on my site and won't be installing anything else until it is known that no hack will have any code in that may harm my site, transmit any form of information about me, or do anything other than the function that I install it to achieve.
I might be relatively new here, but I still support the people who make the hacks by clicking install.
Don't forget just because there is a rule against something doesn't mean that something won't still happen! I don't think this site or any other site will ever be able to give you an absolute assurance that a hack won't have some code that may harm your site and/or Members.
If you are very concerned I would suggest you PM the Members whose hacks you used to have installed and ask them directly if they have any hidden functionality.
But don't forget one of the very good things about hacks from here is that they are in a way "open source" in the sense that anyone can review the hack's code. And it's obvious many of the coders take an active interest in the code of other coders so I think it's quite unlikely that any hack that has malicious hidden functionality will go unspotted for any length of time.
Boofo
05-17-2006, 08:31 AM
I just wanted to say that I've uninstalled every hack on my site and won't be installing anything else until it is known that no hack will have any code in that may harm my site, transmit any form of information about me, or do anything other than the function that I install it to achieve.
I might be relatively new here, but I still support the people who make the hacks by clicking install.
The few I have done are safe as well as most others on here now. If you have any concerns or questions regarding the hacks you would like to install, please feel free to PM me with your concerns and I will check to make sure there is nothing there that will affect what you want from the hack. ;)
GaryP
05-17-2006, 08:53 AM
That will be very helpful. Thank you for offering to do that.
I will send you a PM with a list on shortly.
I'm sure that you can understand my concerns.
Maybe not saying what hacks are affected by this problem is a mistake, but even if there are reasons for not saying so at present, perhaps an email to people who have installed those hacks would just be common courtesy.
lebanon
05-17-2006, 12:32 PM
Cause (going off of what Princton said) this is way bigger than we think, however cross referencing that information with Marco's post, I'm inclined to think that people are actually requesting usage statistics, I also wouldn't rule out the vBsoccer hack.
Hi, I noticed the two comments on my vbsoccer, and due to the thread title, I just want to clear that I am not monitoring the stats, nor would my stats be harmful anyway, but rather all I wanted was not to disclose my feeds.
Now to be honest, I don't even know why I have shared this, all I get now is either trust questioning or suspicion of my intentions here and there.
My suggestion regarding my vbsoccer is for a moderator to delete the whole thread since I cannot do it myself, regards
SaN-DeeP
05-17-2006, 06:16 PM
The reason for this thread is that, to our own shame, we recently received reports that there are coders who do incorporate hidden functionalities in their modifications. Luckily the type of hidden functions could be considered relatively harmless, but we will nevertheless not tolerate this. I would like to emphasize that this did not send any security or privacy related information, nor did it in any way break the security of your site
never noticed this with hacks I have been using on my boards or tested, but thanks for clarifications..
akanevsky
05-18-2006, 01:54 AM
never noticed this with hacks I have been using on my boards or tested, but thanks for clarifications..
haven't noticed that either, maybe cause I'm not using many of 3rd party hacks lately.. but thanks for heads up anyway.
When I read the first post my first thought was someone put a backdoor in a hack. The post reads like a virus warning. The first post does indeed scream "doom and gloom"
Having said that no person should install any hack without first looking through the code. You want to do this to make sure the code is secure and doesn't contain any backdoors. In all honesty you shouldn't be installing hacks if you have no knowledge of php. While I have trust in the authors of the hacks here it would be very easy for one of them to put in a backdoor that would give them control of your forum or your whole server.
Chroder
05-18-2006, 03:21 AM
While I have trust in the authors of the hacks here it would be very easy for one of them to put in a backdoor that would give them control of your forum or your whole server.
This is true. I think maybe we should create some sort of "verified" system. When we upload attachments, they are marked as unverified (but still downloadable). Then maybe have a team that goes around and checks newly uploaded or updated attachments for unsafe code. Once it's passed the check, display a "verified" badge on the attachment.
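Added example (not part of the original thread, and not vBulletin or vBulletin.org code): one way to triage a product file before installing it, or before marking it "verified", is to pull out every PHP block and flag lines that can contact another server. The element names (`code`, `installcode`, `uninstallcode`, `plugin`, `hookname`, `phpcode`), the sample product and its `example.invalid` hosts are assumptions constructed for illustration.

```python
"""Pre-install review aid: flag PHP in a product XML file that can phone home.

Assumptions (not from the thread): the product file keeps PHP in
<installcode>/<uninstallcode> under <code version="..."> and in <phpcode>
under <plugin>, next to a <hookname>. SAMPLE_PRODUCT is constructed.
"""
import re
import sys
import xml.etree.ElementTree as ET
from collections import namedtuple

Finding = namedtuple("Finding", "where lineno rule source")

# PHP functions that open a connection or send data off the server.
OUTBOUND_CALL = re.compile(
    r"\b(?:p?fsockopen|curl_init|curl_exec|stream_socket_client|"
    r"socket_connect|mail)\s*\(", re.IGNORECASE)
# File and include functions matter only when handed a remote URL.
REMOTE_URL_CALL = re.compile(
    r"\b(?:file_get_contents|fopen|readfile|copy|(?:include|require)(?:_once)?)"
    r"\s*\(?\s*['\"](?:https?|ftp)://", re.IGNORECASE)
# Any other hard-coded URL: lower confidence, still worth reading.
URL_LITERAL = re.compile(r"(?:https?|ftp)://[^\s'\"<>)]+", re.IGNORECASE)

# Constructed sample: install and uninstall code that each contact a server.
SAMPLE_PRODUCT = """
<product productid="demo_box" active="1">
  <title>Demo Box</title>
  <codes>
    <code version="1.0">
      <installcode><![CDATA[
$db->query_write('CREATE TABLE demo_box (id INT)');
// docs: http://docs.example.invalid/demo
@file_get_contents('http://tracker.example.invalid/install.php?product=demo');
]]></installcode>
      <uninstallcode><![CDATA[
$db->query_write('DROP TABLE demo_box');
$fp = @fsockopen('tracker.example.invalid', 80, $errno, $errstr, 5);
]]></uninstallcode>
    </code>
  </codes>
  <plugins>
    <plugin active="1">
      <hookname>global_start</hookname>
      <phpcode><![CDATA[$show['demo_box'] = true;]]></phpcode>
    </plugin>
    <plugin active="1">
      <hookname>forumhome_complete</hookname>
      <phpcode><![CDATA[$demo_home = 'http://www.example.invalid/';]]></phpcode>
    </plugin>
  </plugins>
</product>
"""


def code_blocks(root):
    """Yield (label, php_source) for each element that carries PHP."""
    for code in root.iter("code"):
        for tag in ("installcode", "uninstallcode"):
            php = code.findtext(tag)
            if php and php.strip():
                yield f"{tag} (version {code.get('version', '?')})", php
    for plugin in root.iter("plugin"):
        php = plugin.findtext("phpcode")
        if php and php.strip():
            yield f"phpcode (hook {plugin.findtext('hookname', '?')})", php


def scan_product(xml_data):
    """Return Findings for one product file given as str or bytes."""
    root = ET.fromstring(xml_data.strip())
    findings = []
    for where, php in code_blocks(root):
        for lineno, line in enumerate(php.strip().splitlines(), start=1):
            text = line.strip()
            if text.startswith(("//", "#")):
                continue  # full-line comments cannot execute
            if OUTBOUND_CALL.search(text):
                rule = "outbound-call"
            elif REMOTE_URL_CALL.search(text):
                rule = "remote-url-call"
            elif URL_LITERAL.search(text):
                rule = "url-literal"
            else:
                continue
            findings.append(Finding(where, lineno, rule, text))
    return findings


if __name__ == "__main__":
    # Scan the file named on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PRODUCT
    for f in scan_product(data):
        print(f"{f.where}:{f.lineno}: [{f.rule}] {f.source}")
```

A clean result only means none of these patterns appear; code that builds its function names or URLs at run time will not match, so the flagged blocks are a starting point for reading, not a substitute for it.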
Evil X
05-18-2006, 03:41 AM
why was my post deleted? was it too real for you
IceBurn3000
05-18-2006, 03:42 AM
This is true. I think maybe we should create some sort of "verified" system. When we upload attachments, they are marked as unverified (but still downloadable). Then maybe have a team that goes around and checks newly uploaded or updated attachments for unsafe code. Once it's passed the check, display a "verified" badge on the attachment.
That sounds like an excellent idea!
akanevsky
05-18-2006, 09:27 AM
This is true. I think maybe we should create some sort of "verified" system. When we upload attachments, they are marked as unverified (but still downloadable). Then maybe have a team that goes around and checks newly uploaded or updated attachments for unsafe code. Once it's passed the check, display a "verified" badge on the attachment.
Ironically, this is the idea I put forth quite some time ago... Unfortunately, it was not accepted. :( Maybe now is the time to rethink.
Marco van Herwaarden
05-18-2006, 09:35 AM
It is a very good idea.
But it also has been suggested (members and within Staff) many times before, and it was in some way even implemented once (not as far as really putting verified or not).
It always failed because there are no volunteers that want to go through all the submitted code (and every time an update is done). This is not only a huge task, but what if you verify a source, and later to find out you missed some nasty code somewhere, are you/we liable?
There are many aspects to this, but maybe it is the right time now to give it another try.
Smiry Kin's
05-19-2006, 04:20 PM
At this time Staff has not decided yet if we will name the Hacks/Authors involved in public. Like mentioned before the found issues don't cause any real harm to the users, if it would have harmed users, we would already have disclosed it probably.
Coders are always free to inform the users in their hack threads, but then it wouldn't be hidden functionality anymore ;)
I think we have a right to know.. for our own security..
noppid
05-19-2006, 04:46 PM
Paul, I disagree on the gloom and doom thing. The user that ticked me off the most in this whole issue is just the type to use that 'harmless' little link to do some more nefarious things. The policy had to be broad enough to stop these kinds of things in their tracks.
I still think this was handled very politely by staff. No fingers were pointed, no names were named. The new rule was spelled out and time was given to comply.
So is that to say if there is a bug in the vBulletin software the public announcement should be, there is a bug or backdoor in the software. We are not going to say which version, but don't worry, we are counting on hackers to be good?
Not agreeing with Paul on this one is absurd. The hacks in question should have been used to mass notify the hack users. That cloak and dagger announcement was completely irresponsible. That's why it's imperative to click install. The staff should be using these resources. This could have been handled much better with tools that already exist.
Ohiosweetheart
05-19-2006, 05:06 PM
This is true. I think maybe we should create some sort of "verified" system. When we upload attachments, they are marked as unverified (but still downloadable). Then maybe have a team that goes around and checks newly uploaded or updated attachments for unsafe code. Once it's passed the check, display a "verified" badge on the attachment.
that's what they do at phpbb.com. They, of course, also have the hacks database. Sad to say they are way ahead of vB.
Ironically, this is the idea I put forth quite some time ago... Unfortunately, it was not accepted. :( Maybe now is the time to rethink.
if you suggested this and it was denied, then they need to look again. As I said, phpbb.com has had this system implemented for quite some time now, as well as a hack database. Being a free software, it's a shame that they are so far ahead of vB in that regard.
amykhar
05-19-2006, 05:27 PM
So is that to say if there is a bug in the vBulletin software the public announcement should be, there is a bug or backdoor in the software. We are not going to say which version, but don't worry, we are counting on hackers to be good?
Not agreeing with Paul on this one is absurd. The hacks in question should have been used to mass notify the hack users. That cloak and dagger announcement was completely irresponsible. That's why it's imperative to click install. The staff should be using these resources. This could have been handled much better with tools that already exist.
Noppid, there is a procedure in place to deal with security problems in a mod. So, the existing system would be used in that case.
This was a case of some mod authors using code that is in poor taste but was not technically against the rules. The rules have now been updated and I'm sure the mods will follow through and update users and remove the offending code after the deadline.
akanevsky
05-19-2006, 05:42 PM
I think we have a right to know.. for our own security..
I totally agree.
Evil X
05-19-2006, 10:35 PM
will you post a list of all the infected hacks? I never hit install (my bad) so I'm gonna need a list
IMO, if you lack the respect to Install, you lack the deservingness to be given a list.
But that's just MO.
Paul M
05-19-2006, 10:59 PM
I very much doubt a list will be given to anyone - and I would imagine that most of the mods being discussed were updated to reflect the new policy anyway.
Evil X
05-19-2006, 11:00 PM
IMO, if you lack the respect to Install, you lack the deservingness to be given a list.
But that's just MO.
I just recently learned of the install button :confused:
My apologies. You said 'I never hit Install'.
That means .. well, never. :)
Salazar
05-21-2006, 09:29 AM
Wow, this sucks donkeycocks! :confused:
Please hire someone who looks through the code of released hacks.
:tired:
*edit*
Whoops, wrong thread. :o
amykhar
05-21-2006, 06:45 PM
Uh, GamePusha, let's go through some logic here :D
1. You never use the install button.
2. The affected code clicked the install button without the user's permission.
3. In your usercp, there is a list of all the mods you have clicked the install button for.
So, logically if there are any mods showing up in that list for you, they were ones that used the code. Click uninstall on them if you are really cheesed off. Problem solved ;)
Xenon
05-21-2006, 07:02 PM
Please hire someone who looks through the code of released hacks.
well, we are currently hiring a lot of new staff members :)
FASherman
05-22-2006, 12:04 AM
What the bloody hell is going on around here?
1. Why would any programmer give a damn about getting credit for the install? Two reasons come to mind. The first is ego and there is no accounting for that. The second is the ridiculous method used to choose Hack of the Month nominees. Get rid of that. Nominate hacks based on merit, not clicks. Oh yeah, and subject every nominee to a code review. Kind of like the way NASCAR does vehicle inspections.
2. I'm sick of the way VB.Org either is or isn't independent of Jelsoft, depending on what they need at the moment. Pick one. Either admit to being a momma's boy or cut the freaking apron strings, but don't play it both ways.
3. Coders are the life's blood of this place. Every user needs to appreciate the hell out of them. They develop code because THEY need it and happen, out of the kindness of their hearts, to make it available to us too. Be damned grateful. When you have a problem, make an effort to fix it yourself, if you can and post the fix - if you are able. If not, don't PM them. Post in the release thread so that the 100 other people that have the same problem can get the fix. AND BE PATIENT. None of them are full time professional VB developers and celibate PHP monks. They have lives, jobs and families that need the occasional care and feeding.
4. Somebody better get a handle on this site pronto. The snail pace of development of VB and the inability to deliver the years-ago promised vbCMS isn't why VB is the best damned message board for the money. VB.Org and the ability to customize my site to what I need is the real reason. But I see that reason slipping away. Not just this thread but several others show this place in near shambles. The Bush administration is run better with less controversy. This is a site that CANNOT exist without coders. When you run them off hiding behind rules and make mountains out of molehills, then YOU are doing something wrong, rules be damned.
I'll get off my soapbox now. Talk among yourselves.
Ramsesx
05-22-2006, 12:59 AM
What the bloody hell is going on around here?
1. Why would any programmer give a damn about getting credit for the install? Two reasons come to mind. The first is ego and there is no accounting for that. The second is the ridiculous method used to choose Hack of the Month nominees. Get rid of that. Nominate hacks based on merit, not clicks. Oh yeah, and subject every nominee to a code review. Kind of like the way NASCAR does vehicle inspections.
2. I'm sick of the way VB.Org either is or isn't independent of Jelsoft, depending on what they need at the moment. Pick one. Either admit to being a momma's boy or cut the freaking apron strings, but don't play it both ways.
3. Coders are the life's blood of this place. Every user needs to appreciate the hell out of them. They develop code because THEY need it and happen, out of the kindness of their hearts, to make it available to us too. Be damned grateful. When you have a problem, make an effort to fix it yourself, if you can and post the fix - if you are able. If not, don't PM them. Post in the release thread so that the 100 other people that have the same problem can get the fix. AND BE PATIENT. None of them are full time professional VB developers and celibate PHP monks. They have lives, jobs and families that need the occasional care and feeding.
4. Somebody better get a handle on this site pronto. The snail pace of development of VB and the inability to deliver the years-ago promised vbCMS isn't why VB is the best damned message board for the money. VB.Org and the ability to customize my site to what I need is the real reason. But I see that reason slipping away. Not just this thread but several others show this place in near shambles. The Bush administration is run better with less controversy. This is a site that CANNOT exist without coders. When you run them off hiding behind rules and make mountains out of molehills, then YOU are doing something wrong, rules be damned.
I'll get off my soapbox now. Talk among yourselves.
I fully agree to that. To point 1 maybe it would be a good idea to make it if somebody is downloading a hack it will be counted automatically as an install.
Also give every coder the title "super master of the universe coder" :)
Shaliza
05-22-2006, 01:57 AM
Nope, I think it's about the code that tries to call the vb.org "install" link when a product is first installed.
What if someone didn't click "install" because they simply forgot to & not because they were trying to be slick or something?
This is, as you say, about trust, therefore the list of known affected hacks MUST be disclosed, without question.
Absolutely. I bet some people are holding off installing hacks until they know.
I guess the thing I don't understand is why some coders didn't mention that they did this in the readme files? Doesn't the person installing the hack have the right to know what exactly they're uploading onto their site? Why be sneaky about it if it's just "nothing"?
I didn't know about this "install" issue until I read this post. I haven't installed any hacks yet & it looks like I won't be until this list is finally let out in the open.
This is true. I think maybe we should create some sort of "verified" system. When we upload attachments, they are marked as unverified (but still downloadable). Then maybe have a team that goes around and checks newly uploaded or updated attachments for unsafe code. Once it's passed the check, display a "verified" badge on the attachment.
That sounds like a fantastic idea.
I also agree with some of what FASherman.
libertate
05-22-2006, 02:04 AM
VBulletin.org is Jelsoft.
JohnBee
05-22-2006, 02:11 AM
If vb.org doesn't release the hack names to protect the users who failed to press [install] then you are not doing your job. I'm not sure it was said officially but if my board is compromised because some debilated coder thought he had the right to slip some backdoor code past my security then watch out.
Some people who come here are not simple Joe Blows with a forum full of jibber jabbers some people actually have serious data to protect. If you are telling me that I have no right to know what code was compromised then I will take the initiative to show vb.org how serious things can get.
Simply said, don't mess with people's companies and money by playing the blame game. There is no way some coder's integrity will come before the information on my site.
I will contact the individual who posted this thread the fuse short and my associates will not mess around with this situation at all.
Shaliza
05-22-2006, 02:13 AM
Well said.
FASherman
05-22-2006, 02:18 AM
If vb.org doesn't release the hack names to protect the users who failed to press [install] then you are not doing your job. I'm not sure it was said officially but if my board is compromised because some debilated coder thought he had the right to slip some backdoor code past my security then watch out.
Some people who come here are not simple Joe Blows with a forum full of jibber jabbers some people actually have serious data to protect. If you are telling me that I have no right to know what code was compromised then I will take the initiative to show vb.org how serious things can get.
Simply said, don't mess with people's companies and money by playing the blame game. There is no way some coder's integrity will come before the information on my site.
I will contact the individual who posted this thread the fuse short and my associates will not mess around with this situation at all.
Can you say "class action"?
The IBM pSeries Users Groups forums run vBulletin with some modifications from this site. Be ready for an excrement storm when I inform their sysadmin that they have potential backdoors but have no right to know.
Code Monkey
05-22-2006, 02:31 AM
Way OTT
Boofo
05-22-2006, 02:32 AM
Exactly! ;)
Paul M
05-22-2006, 02:44 AM
There are/were no "backdoors", perhaps you should re-read the original message.
JohnBee
05-22-2006, 02:47 AM
There are/were no "backdoors", perhaps you should re-read the original message.
Really...?
The reason for this thread is that, to our own shame, we received recently reports that there are coders who do incorporate hidden functionalities in their modifications. Luckily the type of hidden functions could be considered as relatively harmless, but we will nevertheless not tolerate this. I would like to emphasize that this did not send any security or privacy related information, nor did it in any way break the security of your site.
DementedMindz
05-22-2006, 02:48 AM
wow is all i can say from readin this thread... i known of one that had it but it was removed right away and fixed... but i think things are getting a lil crazy around here anymore... and its time for the staff to take actions against these people... i think it would be wise to post the coders that have done it... this way it lets them know it wont be tolerated and has been noticed.... i guess its time to watch out what im installin and look over the code first... ashame that it now comes to this.... just one more hurdle this week for vb.org
Paul M
05-22-2006, 02:56 AM
Really...?
Yes, really.
^^ These are the same type of people that sign important contracts without ever reading them... :p
Shaliza
05-22-2006, 03:32 AM
I guess at this point, the only way to find out which hacks have the "install" code is to look through it yourself. And I'd still like an answer as to why this wasn't in the readme files? Why does that keep getting overlooked?
Boofo
05-22-2006, 03:38 AM
The issue has been dealt with and plans are in the works to make sure this never happens again. As was said in this thread, it was a small non-intrusive item but we are working to avoid ANY such instances in the future.
Guest190829
05-22-2006, 03:49 AM
There seems to be some confusion at the extent of what has happened.
The issues that have been made public, are completely harmless. They are not backdoors into your forum. They will not break your forum.
The issue here is that some coders implemented a way to automatically click "Install" on vb.org whenever a product/plug-in was uploaded. The reason why we've decided to let users know about this, is because most of the time this happens without the Admin's consent.
The "backdoor" involved here was with www.vbulletin.org, not your forum. External GET requests were not being checked, which allowed certain authors to do this, but we now have blocked anything like this.
Your forum was never in jeopardy. Marco has bolded various statements in his post that further clarify this statement. We will not give out the names of the coders who did this, because it is not needed.
This new policy was put in place because we became aware that some products/plugins had unethical (not to be mistaken with HARMFUL) code in them, and the staff felt that any unethical code should not be tolerated.
Harmful code was never (and never will be) tolerated on vbulletin.org.
Logikos
05-22-2006, 05:12 AM
Nicely said Danny. :)
Nothing here is 'verified' as such. The only person/people you could POSSIBLY have a claim against would be Hacks posted by vBulletin staff, and even then..it is up to you, the end-user, to determine whether these hacks are "unsafe".
Really, anyone who installs 3rd-party modifications on their site without verifying the integrity of the code is asking for trouble.
FYI: I probably have some of these hacks installed. I care very little. I click INSTALL on everything I install, both to show respect to the author and to keep track of the hacks I have installed.
I don't install hacks provided by.. well, let's just say I only install hacks written by people I trust. I developed that trust by following threads here and working out who was an honourable person.
Boofo
05-22-2006, 05:28 AM
I don't install hacks provided by.. well, let's just say I only install hacks written by people I trust. I developed that trust by following threads here and working out who was an honourable person.
That explains why my install count is always down by one. I thought we... I need a minute here to collect myself, I'm sorry... :(
Logikos
05-22-2006, 05:31 AM
* Logikos hands Boofo a tissue :(
That explains why my install count is always down by one. I thought we... I need a minute here to collect myself, I'm sorry... :(
Oh yeah, you gotta watch that Boofo guy.. I installed the /you code hack once, and found that my bank account was emptied, my rubbish bins overturned and my cat pregnant.
That was a doozy of a backdoor, that was. :)
Boofo
05-22-2006, 05:36 AM
Oh yeah, you gotta watch that Boofo guy.. I installed the /you code hack once, and found that my bank account was emptied, my rubbish bins overturned and my cat pregnant.
That was a doozy of a backdoor, that was. :)
Wait till you see my next version dubbed, the /kall code hack. You think your cat had problems...
DementedMindz
05-22-2006, 05:38 AM
Wait till you see my next version dubbed, the /kall code hack. You think your cat had problems...
:surprised: you better lock your dog up now ;)
wsdeluxe
05-22-2006, 07:00 AM
The issue here is that some coders implemented a way to automatically click "Install" on vb.org whenever a product/plug-in was uploaded.
Almost every plugin or product i have installed has done that...didn't realise it could be deemed a security threat.
Oh man, when I read this in my email, I thought the post above mine was in response to post #172.
How I laughed. :D
peterska2
05-22-2006, 09:24 AM
Almost every plugin or product i have installed has done that...didn't realise it could be deemed a security threat.
That is why the issue has now been raised, before it got to all of them.
A small number of coders were doing this, so the majority of releases never have had any issues relating to this.
Oh man, when I read this in my email, I thought the post above mine was in response to post #172.
How I laughed. :D
That's just the sort of thing that I do. It makes a serious thread really funny. :D
FASherman
05-22-2006, 11:15 AM
The issue has been dealt with and plans are in the works to make sure this never happens again. As was said in this thread, it was a small non-intrusive item but we are working to avoid ANY such instances in the future.
How? Will all code that is submitted for download go though rigorous testing before being made available to the public? Anything short of that means nothing is being done about it.
You can put rules in place and a reporting procedure to notify of violations, but steps like that are meant to protect your legal exposure, not our vulnerability to exploitation.
What are you going to do?
Boofo
05-22-2006, 11:19 AM
How? Will all code that is submitted for download go though rigorous testing before being made available to the public? Anything short of that means nothing is being done about it.
You can put rules in place and a reporting procedure to notify of violations, but steps like that are meant to protect your legal exposure, not our vulnerability to exploitation.
What are you going to do?
Let's just say it will be avoided in the future. ;)
FASherman
05-22-2006, 11:31 AM
Let's just say it will be avoided in the future. ;)
That's not exactly comforting, nor is it sufficient. Let's review.
Some authors were inserting, albeit harmless, hidden function code in their programs.
Those functions went unnoticed for months. The staff here didn't find the problematic code for some time, even though it affected their own site.
This points out a glaring security hole in the methodology of this site. Anyone with malicious intent, having read this thread, now knows the best way to exploit VB websites: release code here with hidden functionality.
That's the issue that needs addressing. And you can't dismiss it with a promise that "something" that we don't get to hear about will be done.
VB.Org opened this can of worms by making it public. You've raised a security and business data protection issue, the highest concern in all of IT. Many forums being run support real business, not hobbyists. Your answers are insufficient for that population.
You must come forward, sooner rather than later, and explain how you will verify the integrity of the code available here.
Boofo
05-22-2006, 11:35 AM
I already "came forward" as you say and told you things are being put into place to prevent things like this from happening in the future. It doesn't matter how that will happen, as long as it does, right? 'Nuff said.
FASherman
05-22-2006, 11:42 AM
I already "came forward" as you say and told you things are being put into place to prevent things like this from happening in the future. It doesn't matter how that will happen, as long as it does, right? 'Nuff said.
With all due respect, you haven't. Look at the very title of the thread, "Its all about trust". When you - and by you I mean VB.Org, not you in particular - allowed it to happen, you lost some of our trust. You lost the expectation that you could tell us something nonspecific is going to be done and leave it at that. You don't have that level of trust anymore. If you want to gain it back, you owe it to us, the people that now realize you place our sites at risk every time we install a download from here, to be more specific and tell us how you will catch the next hacker who does have malicious intent.
You owe us that much, but if you don't see it that way, it's indicative of a far greater problem.
Boofo
05-22-2006, 11:58 AM
Read post 167 in this thread and it will explain it all to you better than I ever could. ;)
Clayton
05-22-2006, 12:23 PM
What the bloody hell is going on around here? etc
Wow ... may I call you John Wayne
some pretty hard straight talking
:D
Xenon
05-22-2006, 12:35 PM
When you - and by you I mean VB.Org, not you in particular - allowed it to happen, you lost some of our trust.
Sorry, but that is incorrect. Every code downloaded from vb.org and installed on your own board is your own responsibility. vb.org cannot go through every single line of code released here and check it for security holes. We can just react if we find something, and that has happened now. It still is, and always was, up to you to make sure the code you upload to your forum will do what it says. If it doesn't, the next contact you have is the author, to find out if it's maybe a bug. If you think it has been happening on purpose, then it's time to contact the moderators to take the appropriate actions.
We will do whatever we can to prevent such problems in the future, yes, hence a reason for the increase of staff members, but in the last run, you are the only one responsible for any code you apply to YOUR board.
amykhar
05-22-2006, 12:44 PM
FASherman, there IS a procedure in place for security risks. Code that is found to have them (through our discovery or user reports) goes through a process by which users are warned and the mod is removed if necessary.
But, this is a peer coding community. Ideally, anybody who installs the mods here has reviewed the code before installing it on their forum. It is not a commercial download site where the code is vetted by the company. Huge difference in concepts.
If any CYA stuff needs to be done on the part of Jelsoft, I suppose a huge click through disclaimer when you register here would work.
Clayton
05-22-2006, 12:49 PM
Before everything becomes a total fight over nothing it would be great if we were able to try bridge that gap, where an even greater level of trust can be established in the service that vB.org provides.
Most persons know that it is the users' responsibility for what is put on their forums, however would it not be possible in the future for vB.org to attach a stamp of approval to the code that has been checked, so that the level of trust can be increased.
This is not about blame but simply more an effort to feel safe within vB.org
So, if you download a hack and it doesn't 'yet' have the 'stamp of approval' then the user knows it is at their own peril
Something like this would be appreciated
Thanks
C
Xenon
05-22-2006, 12:52 PM
At clayton: yeah, a good system, which we are already working on :)
just give us a bit of time, not everything can be made over one night ^^
Paul M
05-22-2006, 01:22 PM
Just to clarify a couple of other points - someone mentioned it being around for months - the auto install code referred to only existed for 4 weeks - also, it never actually touched peoples forums, it made a simple GET request from your browser to the install link at vb.org.
DementedMindz
05-22-2006, 01:26 PM
Just to clarify a couple of other points - someone mentioned it being around for months - the auto install code referred to only existed for 4 weeks - also, it never actually touched peoples forums, it made a simple GET request from your browser to the install link at vb.org.
well since you let the cat out of the bag :surprised: yeah i did see it in your Display who has read a thread - Version 3 product... but then it was removed in the next update...
Clayton
05-22-2006, 01:37 PM
At clayton: yeah, a good system, which we are already working on :)
just give us a bit of time, not everything can be made over one night ^^
Great to Hear
libertate
05-22-2006, 03:32 PM
You (VBorg/VBcom staff/volunteers et al) have failed to grasp my veiled attempt to bring some sanity into your actions, or inactions.
You have missed or simply refused to listen to JohnBee's comments.
When you - and by you I mean VB.Org, not you in particular - allowed it to happen, you lost some of our trust. Sorry, but that is incorrect. [...]
How patronizing... Are you suggesting that you know what trust you had with members and what you have and have not lost?
I suppose a huge click through disclaimer when you register here would work.
No, it would not.
I am absolutely horrified by the lack of business sense vBorg/Jelsoft team has demonstrated in this, and similar threads.
Wake up Jelsoft.
Adrian Schneider
05-22-2006, 04:42 PM
Really...?
There were no harmful backdoors, and what was found did not put your board at risk. Period.
Now where is this post going? You install probably numerous modifications on your board, provided by different coders. By installing software, you give total control of your board in the hands of these ‘anonymous’ coders. This requires a high level of trust towards them.
It is bound to happen. Many people do look through the code to see how things work, so these things are usually found quickly. I imagine this one took so long because it was not harmful, and therefore did not bother people who saw it.
If you want to modify your board, you are doing so at your own risk. Jelsoft is not the author of the hacks. Jelsoft does not hold responsibility for the content of the hacks; though they remove anything that is unsafe.
You guys are missing the point of the thread, here is my take:
Something bad happened.
Proper action was taken.
If you really want them to go through EVERY line of code (probably tolling in the millions now), then you should expect to pay more for people to have to verify it all. Until Jelsoft is the one creating the hacks, you should be holding the coder responsible for anything that happens to your board. Not Jelsoft.
FASherman
05-22-2006, 05:42 PM
You've completely missed the point. Let me try to restate it.
Code with backdoors were uploaded to this site and downloaded by users of this site.
The code found thus far is relatively harmless, but it was only found because it interacted with this site AND it took several months to be noticed.
This does not mean that all backdoors have been found. Nor does it mean that all as of yet unfound backdoors are harmless.
Someone said there is a procedure in place for security risks. I disagree. There may be procedures for reacting to vulnerabilities once known, but nothing of a proactive nature to expose potential vulnerabilities before they happen.
And let's stop referring to Jelsoft. If the VB.Org staff is to be believed, and I think they are entitled to that, then VB.Org is NOT Jelsoft. This is a unique and separate entity.
So, my two cents on a solution...
1. Hacks not supported by the author should not even be here. That's the biggest risk right there.
2. Hacks/Mods/plugins/products - anything with PHP code - should only be allowed to be posted by individuals in a particular group, coder group for example.
3. There should be a verification process for allowing an individual into the coder group, some identifying credentials that translates a computer username into a real person with a verified location in the real world.
4. Coder titles should not be based on post counts. If I release a poor product, I could easily ratchet up my post count supporting that dog. Coder titles should be a formula taking into account longevity, post count, threads started in the release areas, combined install bases, number of nominations for HOTM and number of times won, all properly weighted so that no one variable matters significantly. It is the overall body of work that matters.
5. HOTM should be based on something other than raw install numbers. You need a more meaningful criteria than that, plus then there is no need for install numbers to generate this type of an issue. The folks on the coding team should be able to make nominations based on merit if they're good enough developers in their own right. And what's wrong with 10 nominees? Let each coding team member nominate 2 hacks and give us a narrative as to why.
6. Again for the coding team. Any hack/file/plugin/product should be subject to random audits and the results made known. Maybe not specifically, but perhaps award the code a "VB.Org" certified label. Also something for the programmer themselves, showing that their code meets VB.Org standards.
7. Finally, when you do find something amiss, IMMEDIATELY email all users who have installed the product/plugin/code and tell us to suspend its operation immediately. Your loyalty in that situation is to us, the install base of the code, and not to the coder.
8. I lied. THIS is the final thought. Charge for listing commercial software if you so desire, but give a discount for any developer that offers a useful "lite" version here. You should definitely differentiate between those that see VB.Org as a target market and those that support the site with lite versions.
Flame away, boys and girls. I'm a big boy. I can take it.
smacklan
05-22-2006, 05:48 PM
Good post FASherman...if it is all do-able given the limited resources the staff has here, then I'm all for it. What it may come down to in order to achieve these type of results is a certain level of paid staff...this remains to be seen.
Adrian Schneider
05-22-2006, 06:06 PM
1. Why not? They are still useful to others. This ties into the 'users becoming lazy' discussion that the product system brought. Many 'hacks' are ways to edit your board; whether or not the author supports it, the value is still there.
2. I disagree. How do you expect people to learn? If this was the case, I bet you that 50% of the hacks here would be gone - including many of the popular ones.
3. They can always hold the license owner responsible...
4. They are based on # of installs. Don't take them so seriously; they are just for show.
5. I believe the top 10 installed hacks are placed into the poll automatically, but the voting is done by users.
6. If something HAS been inspected by the coders, then yes, some sort of 'verified' status would be good. The downside, though, is that users will begin to not install unverified hacks. It should be a plus, not a requirement.
7. Yes, if the coder does something wrong, they should be pointed out. That is probably punishment enough.
You are taking the 'coders' usertitles and the 'coding team' way too seriously. Many users have far more talent who are not 'coders' or who aren't on the team. Everyone also has very different standards. What I consider a good coder, may greatly differ from who the staff considers a good coder (either way). Whose call is it? Are they qualified to make this decision?
-as a developer, so my thoughts may be a little biased.
FASherman
05-22-2006, 06:08 PM
I've got an answer for that too, if it takes more staff. Charge for user access.
What I mean is this:
Keep track of the release dates of uploads. Let's say I upload GeeWiz 1.0 into the product release directory. All contributing members get immediate access to that new release. Non-contributing members get access after 30 days.
Then I update the code to GeeWiz1.1. Contributing members can download v1.1 right away. Non-contributing members must wait for 30 days. For those 30 days, v1.0 is still available for download. After 30 days, v1.1 is available and v1.0 is archived.
30 days could just as easily be 45 or 60 days. Doesn't matter.
Contributor memberships cost $25/per year.
Just another idea.
JohnBee
05-22-2006, 06:40 PM
If this is the case then the coder in question must face the responsibility for his or her actions.
Look at it this way, from a legal stand point if you present a product such as software with a list of features but fail to mention or disclose hidden features, then you as a coder are misrepresenting a product where end users are incapable of properly evaluating the risks involved before committing the said product to their own site.
In an overall case this is an illegal procedure. This situation has brought a very interesting point to my attention. It would seem that neither Jelsoft, vb.org or the coder claim liability for such actions and under these conditions the system is in serious need to change.
Sorry, but that is incorrect. Every code downloaded from vb.org and installed on your own board is your own responsibility. vb.org cannot go through every single line of code released here and check it for security holes. We can just react if we find something, and that has happened now. It still is, and always was, up to you to make sure the code you upload to your forum will do what it says. If it doesn't, the next contact you have is the author, to find out if it's maybe a bug. If you think it has been happening on purpose, then it's time to contact the moderators to take the appropriate actions.
We will do whatever we can to prevent such problems in the future, yes, hence a reason for the increase of staff members, but in the last run, you are the only one responsible for any code you apply to YOUR board.
Shaliza
05-22-2006, 07:08 PM
I understand what happened, but I'm still failing to see how it's apparently such a struggle to just let us know which hacks you found out about? Why won't someone post it? No one is going to die. And those people obviously aren't going to step forward & say it's their hacks otherwise they would've done it already.
FASherman
05-22-2006, 07:18 PM
I understand what happened, but I'm still failing to see how it's apparently such a struggle to just let us know which hacks you found out about? Why won't someone post it? No one is going to die. And those people obviously aren't going to step forward & say it's their hacks otherwise they would've done it already.
It's called protecting the guilty at the expense of the innocent.
Guest190829
05-22-2006, 07:26 PM
We will not give the name of the coders out.
How could they be guilty if the policy was put into effect after we became aware of the code they placed in the products?
This is the whole point of the announcement, to let everyone know: coders, members, and staff that, now, any unethical code found in plug-ins/products will not be tolerated, just like any harmful code will not be tolerated.
Paul M
05-22-2006, 07:36 PM
<long post>.
1. That will never happen - you cannot expect free code to be supported.
2. That would prevent anyone new from releasing anything - to become a coder you have to have released hacks that people have installed.
3. Far too complicated, that would put off most people.
4. Coder titles are not based on post count and never have been.
5. HOTM has already changed, the new system relies on nominations.
6. A checking procedure is planned, things don't happen overnight.
7. There is already a procedure for mods/plugins etc that pose a security risk.
8. Been discussed many times, as I understand it vb.org will not be hosting commercial work.
Also, you seem to keep going on about security and backdoors despite the fact that several posts now have clearly stated this was not the case.
DementedMindz
05-22-2006, 07:37 PM
If this is the case then the coder in question must face the responsibility for his or her actions.
yeah this is true but from what i seen it took the wrong direction and now they're part of vb.org Coding Team... :surprised:
Shaliza
05-22-2006, 07:46 PM
Who said anything about giving out the names of the coders? I'm talking about the name of the actual hacks.
Adrian Schneider
05-22-2006, 07:47 PM
We will not give the name of the coders out.
How could they be guilty if the policy was put into effect after we became aware of the code they placed in the products?
This is the whole point of the announcement, to let everyone know: coders, members, and staff that, now, any unethical code found in plug-ins/products will not be tolerated, just like any harmful code will not be tolerated.
People can be guilty of rules not yet made, though the fact remains that they are guilty. ;)
Who said anything about giving out the names of the coders? I'm talking about the name of the actual hacks.
For most of us, that is just as obvious.
libertate
05-23-2006, 01:05 AM
Now that I am a bit calmer, it is sort of funny.
VBorg created this monster actually... by making install count an element of the stature of a programmer within VBorg. Of course a programmer is going to want to get all the credit that they duly deserve. So creating a system that auto-clicks install is not such a horrible thing...
If that is all that is out there...
And yes, VBorg = Jelsoft. I don't care how much you say it isn't. Jelsoft finances the site, Jelsoft directs the site, and many Jelsoft employees run the site.
Martin
05-23-2006, 01:07 AM
Jelsoft directs the site, and many Jelsoft employees run the site.
Not true
Shaliza
05-23-2006, 02:16 AM
I never thought it was horrible. I just didn't get why nothing was said, but that question keeps getting danced around on, but I can probably figure out why. And some people actually forget to click on it by mistake.
Not true
Oh snap.
We will not give the name of the coders out.
wow :surprised:
Without knowing the names of these unethical coders that exploited the trust of regular members, what else can one do but assume all coders on this forum were involved. If I contributed mods to this site, I would be strongly voicing my opinion that the usernames and hacks should be exposed. Not doing so would hurt my reputation. I may not be a big part of this community or have a large post count, but I am confident that many other members feel the same way.
Shaliza
05-27-2006, 08:27 AM
Well, those coders will probably keep putting it in, but now I bet loads of people are checking the codes inside out now.
Zachery
05-27-2006, 09:21 AM
Well, those coders will probably keep putting it in, but now I bet loads of people are checking the codes inside out now.
No, they won't. If they continue to do so they will be punished for their unjust actions like we have stated.
peterska2
05-27-2006, 10:55 AM
Well, those coders will probably keep putting it in, but now I bet loads of people are checking the codes inside out now.
No, they won't. If they continue to do so, they will be punished for their unjust actions like we have stated.
The codes of flagged modifications along with another random sample will also be checked again to ensure that the code has been removed and has not appeared anywhere else.
If it has not been removed, then as Zachery said, action will be taken.
Tim Skellett
05-27-2006, 11:17 AM
There seems to be some confusion at the extent of what has happened.
...........The issue here is that some coders implemented a way to automatically click "Install" on vb.org whenever a product/plug-in was uploaded. The reason why we've decided to let users know about this, is because most of the time this happens without the Admin's consent.
The "backdoor" involved here was with www.vbulletin.org, not your forum. ........
Ah, many thanks for the clarification. I have been following this matter somewhat closely, and it's nice to have a full explanation.
Xenon
05-27-2006, 01:27 PM
now I bet loads of people are checking the codes inside out now.
this is the best thing they could do!
never install anything without at least reading through the code shortly. On the one hand you learn coding by reading, on the other hand, you can find out bugs faster!
Razasharp
05-27-2006, 03:19 PM
Any possible security breaches/backdoors should be made known to the users really - now you've got a bunch of people worried, A) that there are real risks in using vb.org and its hacks and B) there's no way to find out which hacks are actually being questioned.
This is another reason why I think Jelsoft needs to employ someone to overlook things here, because ultimately whatever goes on at vb.org affects Jelsoft directly.
Why doesn't Jelsoft employ a staff member or two to look over these issues? I reckon they could go through all the hacks once submitted and approve them if they looked ok along with having enough time to run and support this site.
Or why not build a team of coders willing to look over code and seeing whether a hack should be approved or not? No hacks going 'live' without approval, and any changes to uploaded files having to be approved too. Jelsoft could pay them for their time.
If vBulletin was open-source this may be understandable, but it's not - it has enough resources to employ staff in these missing areas.
Zachery
05-28-2006, 12:34 AM
Any possible security breaches/backdoors should be made known to the users really - now you've got a bunch of people worried, A) that there are real risks in using vb.org and its hacks and B) there's no way to find out which hacks are actually being questioned.
This is another reason why I think Jelsoft needs to employ someone to overlook things here, because ultimately whatever goes on at vb.org affects Jelsoft directly.
Why doesn't Jelsoft employ a staff member or two to look over these issues? I reckon they could go through all the hacks once submitted and approve them if they looked ok along with having enough time to run and support this site.
Or why not build a team of coders willing to look over code and seeing whether a hack should be approved or not? No hacks going 'live' without approval, and any changes to uploaded files having to be approved too. Jelsoft could pay them for their time.
If vBulletin was open-source this may be understandable, but it's not - it has enough resources to employ staff in these missing areas.
It wouldn't matter if we had 1000 people to check every single line of code here released ever. And that was all their job would be, eventually something would slip through. It is up to each admin to verify anything that they are installing will do what they want it to. Even if it means learning some basic php. You should always review any code you did not write yourself.
You should always review any code you did not write yourself.
Indeed.
People are up in arms about installing Encrypted software on their servers, yet so many are prepared to just say 'COOL! All I have to do is import an .xml file??' and slap-happily whack totally unknown code into their vB.
Madness. :)
Razasharp
05-28-2006, 12:41 AM
Zachery, not everyone is a coder and even with basic knowledge may still not be at a level to see whether a hack was secure or not. (I've read half a book on php, know html, the web industry, but am still unsure about many code-related things for example).
One slip up from a staff member would be far more acceptable than loads from vb.org users.
:)
Indeed.
People are up in arms about installing Encrypted software on their servers, yet so many are prepared to just say 'COOL! All I have to do is import an .xml file??' and slap-happily whack totally unknown code into their vB.
Madness. :)
People may feel that code posted here for vB may be getting checked either by staff or other coders - in fact I've seen on many occasions how another coder has given a tip to someone else in their hacks' thread to cut-out a query for example (it's one of the reasons that made vb.org great).
Encrypted software is totally different in that you can't see it even if you wanted to, and the general consensus is that people don't like to use it, wherever possible.
Zachery
05-28-2006, 06:21 AM
vBulletin.org is a community about users helping users modify vBulletin.
Lea Verou
05-28-2006, 06:37 AM
Is this about easter eggs in hacks?
I have never added any, but I always wanted to add one :p :p
amykhar
05-28-2006, 04:00 PM
No Michelle, but you should not put in any hidden functionality in the mods.
jilly
05-28-2006, 07:58 PM
#1 - Paul M is always right :)
#2 - I know I am in the minority here, but I understand the coder's need for some sort of recognition and status. The more 'installs' a hack has, the more status it has, IMHO - and the more likely that it is a stable release and a useful item.
So I can understand the coders wanting to make sure they are getting 'credit'. It's a very small price to pay, IMHO, for the free service provided by the coder.
There have been occasions when I have FORGOTTEN to click install - not by laziness, not by apathy - usually it's because I am in the middle of downloading or looking at instructions, and then the cat throws up on the carpet, and by the time I go clean it up and come back, and go back to what I was doing, I forgot I hadn't clicked install.
Now I try and make sure I click it before I start anything else.
As long as that hidden code was/is verified to not cause any security issues, it doesn't bother me.
I also think there should be some way to make a person click install before they get to download the code. I have no idea how it would be done, but it seems like it would fix the issue.
Had to put in my two 01011010101's worth...
Lea Verou
05-28-2006, 08:57 PM
and then the cat throws up on the carpet,
Awww you have a cat!!?? :D:D
Paul M
05-28-2006, 09:09 PM
A poorly cat by the sound of it.
jilly
05-29-2006, 01:36 AM
my cat tends to eat crazy things that the kids leave around - like small ponytail holders, all the lipstick out of a lipstick tube, arts and crafts supplies(sequins, glue stick), we never know what until her tummy rejects it..lol
it sure makes me keep the house cleaner :)
Ohiosweetheart
05-29-2006, 01:40 AM
eeeeeeeewwwwwwwwwwwwwwwwwwwwwwwwwwwwwww....
Lea Verou
05-29-2006, 05:08 AM
my cat tends to eat crazy things that the kids leave around - like small ponytail holders, all the lipstick out of a lipstick tube, arts and crafts supplies(sequins, glue stick), we never know what until her tummy rejects it..lol
it sure makes me keep the house cleaner :)
LOL! Luckily mine doesn't do that, I hate cleaning! :p :D
Tralala
05-29-2006, 05:10 AM
mmmmm.... sequins and glue stick.....
Ohiosweetheart
06-02-2006, 01:08 AM
I'm very surprised that there's been no announcement on .org about the new version of vB. vs. 3.6, which is in Beta on .com right now.
Paul M
06-02-2006, 01:30 AM
There was a thread talking about it when the site closed for the update, but you're right, there doesn't seem to be any announcement as such. Hopefully someone will rectify that in the next few days. :)
Really nothing to post about since there hasn't been a full feature list yet :)
Logikos
06-02-2006, 05:48 AM
I don't visit .com often. I only knew because someone made an announcement at vBH.
EasyTarget
06-02-2006, 07:22 AM
Pulling the HOTM now is much better than leaving it till later when more people have taken part.
Do you not remember the month when one of the choices was removed about half way through and a significant number of people had to PM one of the staff to get their votes changed?
That would be more disruptive, and as such, removing it now and having a month off in light of this announcement is much more productive.
The site will evolve. It is just a cycle. New coders are joining the ranks all the time.
which is why I don't understand why there's no multi-vote for the HotM.
*edit*
This is true. I think maybe we should create some sort of "verified" system. When we upload attachments, they are marked as unverified (but still downloadable). Then maybe have a team that goes around and checks newly uploaded or updated attachments for unsafe code. Once it's passed the check, display a "verified" badge on the attachment.
good idea.
*edit*
wow.. I actually read every single post. (oops, did I say that out loud)
a few more comments.. what about some sort of script that checks hacks for code which can be potentially damaging and then mods only have to look at those lines of code? (since I'm not a coder I may not realize there's no easy way to differentiate between hazardous code and safe code, but I assume there's some ability because sites and providers disable certain types of functions in order to preserve security.)
and whoever mentioned something about a contributor usergroup.. I agree with something like that. Then there's no hack that's a commercial hack, it's just a group of people contributing $$ for maybe some added support, functionality, etc. Maybe only let coders participate in it after they've released X hacks (or X approved hacks) and then they must maintain a % of customer satisfaction or time of support for whatever hacks participating in the contribution section. Keep a % of the money for the site stuff, release a % to the coders participating after X amount of time to verify they've met the standards for whatever release they've made.
I've installed so many hacks off and on that it's ridiculous (yes, sad that I still don't know a thing about coding), and there's no way I could afford to contribute to all the coders who have helped me in some way or another, but if I could contribute to the coding group in general (or approved/participating coders) then for sure I'd contribute some money. (monthly, yearly, whatever)
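The script suggested in the post above, narrowing a product file down to the lines a reviewer should read first, can be sketched as follows. This is an added example, not code from the thread or from vBulletin; the XML layout is assumed to follow the vBulletin 3.5 product file format, the sample product is constructed, and the rules are heuristics that prioritise manual review rather than prove a modification safe.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample product file (layout assumed, not a real modification).
SAMPLE_PRODUCT_XML = """<product productid="example_mod" active="1">
  <title>Example Mod</title>
  <codes><code version="1.0"><installcode><![CDATA[
$db->query_write("ALTER TABLE " . TABLE_PREFIX . "user ADD example_flag INT");
$fp = fsockopen('tracker.example.invalid', 80);
]]></installcode></code></codes>
  <plugins><plugin active="1">
    <title>Show banner</title>
    <hookname>global_start</hookname>
    <phpcode><![CDATA[
$banner = 'Hello';
eval(base64_decode($vbulletin->options['example_blob']));
]]></phpcode>
  </plugin></plugins>
</product>"""

# Heuristic rules: PHP constructs that deserve a human look before install.
RULES = [
    ("outbound network call",
     re.compile(r"\b(fsockopen|curl_init|curl_exec|file_get_contents|fopen)\s*\(", re.I)),
    ("dynamic code execution", re.compile(r"\b(eval|assert|create_function)\s*\(", re.I)),
    ("shell execution",
     re.compile(r"\b(exec|system|passthru|shell_exec|popen|proc_open)\s*\(", re.I)),
    ("obfuscated payload", re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("hard-coded URL or host",
     re.compile(r"https?://|['\"][a-z0-9.-]+\.[a-z]{2,}['\"]", re.I)),
]

def scan_product(xml_text):
    """Return (location, line_no, rule, source_line) for every flagged line."""
    root = ET.fromstring(xml_text)
    blocks = [(f"plugin@{p.findtext('hookname', default='?')}",
               p.findtext("phpcode", default="")) for p in root.iter("plugin")]
    for tag in ("installcode", "uninstallcode"):
        blocks += [(tag, node.text or "") for node in root.iter(tag)]
    findings = []
    for where, code in blocks:
        for no, line in enumerate(code.strip().splitlines(), 1):
            for label, rx in RULES:
                if rx.search(line):
                    findings.append((where, no, label, line.strip()))
    return findings

if __name__ == "__main__":
    for where, no, label, line in scan_product(SAMPLE_PRODUCT_XML):
        print(f"{where}:{no}: {label}: {line}")
```

A clean result only means none of these patterns matched; code that builds function names at runtime will not be caught, so the flagged lines are a starting point for reading the rest.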
Ohiosweetheart
06-02-2006, 09:41 AM
I don't visit .com often. I only knew because someone made an announcement at vBH.
I found out about it from an announcement on vBulletin-FAQ
Really nothing to post about since there hasn't been a full feature list yet
They are releasing info daily, as a tease. And having quite a bit of fun with it I might add, lol. They have different areas set up so that you can play with certain new features.
I've also seen a few posts over there, from people a bit ticked off that they didn't see it here, but from some other source. Can't say that I blame them.
There was a thread talking about it when the site closed for the update, but you're right, there doesn't seem to be any announcement as such. Hopefully someone will rectify that in the next few days. :)
I would certainly hope so. Not doing so isn't helping the credibility factor here any.
tehste
06-09-2006, 07:02 PM
Kudos to the coder who made an auto install on product upload.
Please see the follow up to this here:
https://vborg.vbsupport.ru/showthread.php?p=1003731#post1003731
I am closing this thread now.