View Full Version : Sending of Hacks to the Graveyard


Clayton
07-24-2007, 05:00 AM
Hi there, has there been a sudden surge of attacks, such that a number of hacks have been sent to the graveyard, please?

This is the notice in the email:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This modification currently contains a vulnerability. It is recommended you uninstall it until further notice.
- vBulletin.org Staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This reason has been given for a number of hacks.
Is there a place where we can get further feedback on this, please, because certain hacks are an integral part of the various sites that have these hacks?

Thank you in advance

AScherff
07-24-2007, 05:12 AM
Yes please - the same...

cannot find a reason nor a solution other than to uninstall...

da420
07-24-2007, 05:14 AM
Yes please - the same...

cannot find a reason nor a solution other than to uninstall...

My suggestion, if it's something you need on your forum: either wait for the author to update it and fix the vulnerability, fix it yourself, or hire someone to fix it.

Clayton
07-24-2007, 05:31 AM
If we could have a little further feedback regarding the problems, such as the attacks that these hacks have been receiving, then we would know a little more.

Currently it seems as though this has been a blanket reason/approach given for a number of hacks; is this true?

Is it a coincidence that this has taken place after

1. the Jelsoft takeover and 2. new sheriffs in town?

As a user of a number of developed hacks on a number of forums, it would be appreciated if the impression were not created that the vulnerabilities have occurred due to the 2 points mentioned and questioned above.

Whereas we may not want to publicly display the vulnerabilities etc., it would also go a long way in reassuring users that what has taken place is not because of overzealous new Mods etc.?

Or, so as not to start a conspiracy theory: that this is not a policy to prepare users for the new add-ons that vbulletin.com will be releasing in the future, killing off any opposition in good old Microsoft style. This is not the case, right?

In mentioning this, you can see our concern as users.

Marco van Herwaarden
07-24-2007, 07:26 AM
No, we will not be giving out the details of the exploit to anyone other than the author of the modification. This is to protect those that still have such a modification installed.

Your insinuations really don't make sense. Because Jelsoft was acquired and we have a few new staff members, there suddenly are vulnerable modifications?? Either a modification is vulnerable or not; no company take-over or new staff can change that.

There have been a large number of (valid) reports by members on vulnerable modifications lately; once reported, staff will investigate and, if correct, take action. That is all there is to it.

MaryTheG(r)eek
07-24-2007, 07:29 AM
Just some questions to Moderators:

I bought my first vB licence in Oct 2003. Since then, there have been lots of patches for vulnerabilities in vBulletin itself. Why did I never get a similar type of email saying "....uninstall vBulletin till further notice"? And why was I never informed as a client at the time that the vulnerability was found, but only when you had the patch ready?
Do you count it as fair to inform members (now I'm talking about mods) who have installed it by email (faster) and the author by ...PM?? What should happen if the author has to visit your site for days? That's for the history. Could you please remove my other mods too?

Thank you
Maria Avlatzi
Loutron 41
57200 Lagadas
Tel +30-23940-20117
Greece
Just to avoid anyone saying that I'm talking anonymously.

Clayton
07-24-2007, 07:37 AM
Hi Marco

This is certainly not a case of insinuations; it has a great deal to do with someone using a product which is related to work and clients. This is not a game for some of us but a livelihood.

When all of a sudden certain things start occurring, we as users of hacks need to be reassured that what is taking place does not coincide with the 2 points mentioned. Maybe I should have placed question marks (will edit post), as then it is a question and will not be seen as an insinuation, which obviously has negative connotations attached to it.

Thank you

MaryTheG(r)eek
07-24-2007, 07:41 AM
Hi Marco

This is certainly not a case of insinuations; it has a great deal to do with someone using a product which is related to work and clients. This is not a game for some of us but a livelihood.

When all of a sudden certain things start occurring, we as users of hacks need to be reassured that what is taking place does not coincide with the 2 points mentioned. Maybe I should have placed question marks (will edit post), as then it is a question and will not be seen as an insinuation, which obviously has negative connotations attached to it.

Thank you

I think that I've put question marks. Also at the top I'm talking about "questions". Or did I misunderstand your post??

Clayton
07-24-2007, 07:47 AM
Yes, these are concerned questions put to the community and vBulletin.org

I have seen the forums go through many swings and changes over the years

Marco van Herwaarden
07-24-2007, 07:57 AM
@MicroHellas

1. vB.org staff does not have control over the procedures used when a vulnerability is found in vBulletin itself. If you want to discuss the Jelsoft procedures, then please post it as a suggestion at vbulletin.com.

2. With our current procedures we will inform both the users that have installed a modification and the author at the same time if the vulnerability found is serious. The reason members are notified by email and the author by PM is merely using the tools we have available. The author is also informed of the details of the vulnerability found. We have no way of knowing if an author will read his email faster than a PM, and he/she could have email notifications of a PM. Also the author could have disabled Email as a contact method, so the best way to contact them (that will always work) is by PM.

We are however at this time preparing new procedures making it easier to communicate with the author when a vulnerability is found.

Also please note that even though we are a community that is built upon the input of many coders, if a vulnerability is found our primary goal is to protect the members.

Clayton
07-24-2007, 08:02 AM
if a vulnerability is found our primary goal is to protect the members.

and for this we are absolutely appreciative

what led to my concern was the timing and the amount of hacks which have been found to be vulnerable only now

I am sure you can see concerns by users of these forums?

Zachery
07-24-2007, 08:05 AM
I can't?

Maybe there is a surge of bored coders?
Maybe coding practices by coders are getting worse?
Maybe there are more people using the modifications who are finding said issues?

Marco van Herwaarden
07-24-2007, 08:09 AM
what led to my concern was the timing and the amount of hacks which have been found to be vulnerable only now

I am sure you can see concerns by users of these forums?

I already replied to that. There has been a sudden increase of modifications being reported by members lately, and we do nothing more than follow up on these reports.

Clayton
07-24-2007, 08:11 AM
OK .. here is an example of one:

VBGooglemap Member Edition

Released: 06. Aug 2006 | Last Update: 16. Sep 2006 | Installs: 522

Not Supported | DB Changes | Uses Plugins | Template changes | Additional files

--------------------------------------------------

Yesterday, 23rd July, we received an email to uninstall.

This Modification is no longer available or supported.
This thread is in the Modification Graveyard and is available for information purposes only.

the above is now placed on the thread ..

10 months after 522 installs we now have a vulnerability

there are further examples

I have tried to contact the author of the hack and await a reply

as mentioned it is the timing of things

surely we would not like vB.com now to offer these add ons in the very near future?

:D ;)

hambil
07-24-2007, 08:12 AM
I can't?

Maybe there is a surge of bored coders?
Maybe coding practices by coders are getting worse?
Maybe there are more people using the modifications who are finding said issues?

The first hack I ever wrote sat here for three years with a security vulnerability in it. It had 50 - 60 installs. It was only reported very recently. I don't think coding practices have changed, or that anyone is getting lazy. I think more vulnerabilities are being found, is all. Who is finding them is unclear, but it's a good thing, so who cares?

BTW: To staff - thank you for listening and changing the procedure to not announce the nature of the vulnerability other than to the author.

Clayton
07-24-2007, 08:22 AM
BTW: To staff - thank you for listening and changing the procedure to not announce the nature of the vulnerability other than to the author.

this is excellent, however are the authors of the hacks being notified via email as well, please?

my major concern is about the solution to the vulnerability

that is my bottom line

Zachery
07-24-2007, 08:24 AM
I was just coming up with two random suggestions and one logical one.

Way back in the day lots of highly skilled coders lived and shared their work here; sadly, lots of them found something that took them away. Now we've been in a cycle of rebuilding year after year.

If anyone makes a living through vBulletin.org or through people's hacks, it's my belief that they should be able to take a look at a modification's code and make sure it is safe. Though this rarely happens anymore :( a lot more things might get fixed this way.

hambil
07-24-2007, 08:24 AM
this is excellent, however are the authors of the hacks being notified via email as well, please?

my major concern is about the solution to the vulnerability

that is my bottom line

I guess it depends on their PM settings. I get an email every time I get a PM, so in my case, yes. Er, if I had any releases :)

Clayton
07-24-2007, 08:31 AM
@ hambil pml


zach .. there are only so many hours in the day ;)

one day we will get there ;)

MaryTheG(r)eek
07-24-2007, 08:33 AM
@MicroHellas
2. With our current procedures we will inform both the users that have installed a modification and the author at the same time if the vulnerability found is serious. The reason members are notified by email and the author by PM is merely using the tools we have available. The author is also informed on the details of the vulnerability found. We have no way of knowing if an author will read his email faster then a PM, and he/she could have email notifications of a PM. Also the author could have disabled Email as contact method, so the best way to contact them (that will always work) is by PM.


I just re-read your Mod Vulnerability Guidelines located at:
https://vborg.vbsupport.ru/info.php?do=security
and the order that it states wasn't followed. You can check the timestamps of the emails and PMs. First the users were informed and then the author.

In any case, I don't have the power to argue anymore. By signing up here I accepted the rules, so there's no reason to talk. The only thing I want to say is that the same Mod Vulnerability Guidelines say that you have the right to provide a fix (#4) and then to put it back in public (#5). You can do #4 for all users who've installed it already, but please, I don't want to have it back in public.

Thank you.

Clayton
07-24-2007, 08:41 AM
@ MicroHellas

this would be sad, as your hacks have truly been refreshing

is there no way that this matter can be sorted out in a manner that benefits all, please?

Marco van Herwaarden
07-24-2007, 08:43 AM
We did follow those Guidelines. The fact that #2 and #3 are done simultaneously does not change anything. And yes, it might be that the update email to the members is sent a few minutes before the PM to the author. I cannot see that as not following the guidelines, but merely as a practical implementation of them.

Staff may provide a solution themselves, but that is not the standard procedure.

If you don't want your modifications to be released here anymore, then you can either simply not provide a solution for the users of your modification or report your thread with the request to remove it.

PS If you really want to go that way, then please remember that it is not our staff who will suffer from this.

MaryTheG(r)eek
07-24-2007, 08:53 AM
then please remember that it is not our staff who will suffer from this.

I'm totally sure of it. Only people with sensitive feelings can suffer from a situation like this, because they can count lots of parameters and not only Guidelines. In any case, the real problem is that I just realized that it is already 1pm here, I have been blocked with this situation (completely) since 7am, and finally I'll have problems with my real job.

And yes, I want all my mods to be removed. I prefer "Member" to "Coder". Maybe in the future I'll start publishing mods like how to move this title under the form, or how to place it on the right, and I'll become a coder again.

Greetings
Maria

AScherff
07-24-2007, 09:20 AM
hi,

at first, be nice ;)

ok, there is a vulnerability in the mod.
ok, there is no reason to give out the details of the exploit.
ok, there will be a fix, or not.

But please don't leave the users tapping in the dark. A little more information would be nice.

And there is no reason to get rude ;)

Clayton
07-24-2007, 09:43 AM
hi,

at first, be nice ;)

ok, there is a vulnerability in the mod.
ok, there is no reason to give out the details of the exploit.
ok, there will be a fix, or not.

But please don't leave the users tapping in the dark. A little more information would be nice.

And there is no reason to get rude ;)

@microhellas

are there any vulnerabilities in your Mods, please?

is this a situation for users to be concerned, please?

nexialys
07-24-2007, 09:49 AM
There may be a vulnerability in one script from Mary, but she decided to have them all dropped from the distributions... her own decision... she now supports them on her own site...

MaryTheG(r)eek
07-24-2007, 10:23 AM
As I don't know where to place my post, I'm placing it here, asking the understanding of the Moderators. So, at least for my mods, the security issues were that in 1-2 instances I ran SQL queries without placing the quotes. Also I found 1 instance where I had forgotten to add addslashes on a $_POST.

As I don't plan to continue distributing the free version, I'll attach the corrected file in a new post here tomorrow morning. If it's not permitted, then sorry, you must visit my site to get this patch.

Thank you
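
The two defects described in the post above (a request value interpolated into an SQL query without quotes, and a $_POST string written without addslashes), shown beside their hardened form as an added example written as a vBulletin 3 plugin; this is not code from the original post or from the author's modifications, and the `article` table, its columns and the plugin hook context are assumptions:

```php
<?php
// Added example, not from the original post. Assumes it runs inside a
// vBulletin 3.x plugin hook, where $vbulletin (the registry) and $db (the
// vB_Database instance) are already defined. The "article" table and its
// columns are hypothetical.

// --- VULNERABLE: the two patterns the post describes -----------------------

// 1) The request value is dropped into the query unquoted and unvalidated, so
//    anything after the number becomes part of the SQL statement.
function article_lookup_unsafe($vbulletin, $db)
{
    $articleid = $_GET['articleid'];                   // untrusted, unquoted
    return $db->query_first("
        SELECT articleid, title
        FROM " . TABLE_PREFIX . "article
        WHERE articleid = $articleid
    ");
}

// 2) The $_POST string is written without escaping (no addslashes or driver
//    escaping), so a quote inside the title terminates the string literal.
function article_rename_unsafe($vbulletin, $db)
{
    $title = $_POST['title'];                          // untrusted, unescaped
    $db->query_write("
        UPDATE " . TABLE_PREFIX . "article
        SET title = '$title'
        WHERE articleid = " . intval($_POST['articleid'])
    );
}

// --- HARDENED: the same operations using vBulletin's own input cleaner -----

// clean_array_gpc() coerces each named field to the declared type before it
// reaches the query. TYPE_UINT yields an unsigned integer (nothing else can
// ride along, so it needs no quoting); TYPE_STR yields a string that must
// still be escaped and quoted before it enters the SQL.
function article_lookup_safe($vbulletin, $db)
{
    $vbulletin->input->clean_array_gpc('g', array(
        'articleid' => TYPE_UINT,
    ));
    return $db->query_first("
        SELECT articleid, title
        FROM " . TABLE_PREFIX . "article
        WHERE articleid = " . $vbulletin->GPC['articleid']
    );
}

function article_rename_safe($vbulletin, $db)
{
    $vbulletin->input->clean_array_gpc('p', array(
        'articleid' => TYPE_UINT,
        'title'     => TYPE_STR,
    ));
    // escape_string() applies the database driver's escaping (the job
    // addslashes() was doing in the post) and the value is placed in quotes.
    $db->query_write("
        UPDATE " . TABLE_PREFIX . "article
        SET title = '" . $db->escape_string($vbulletin->GPC['title']) . "'
        WHERE articleid = " . $vbulletin->GPC['articleid']
    );
}
```

The hardened versions change behaviour only for input that would not have been a valid id or title in the first place, which is why a fix of this kind is usually a small, drop-in change to a modification.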

odonel
07-24-2007, 10:49 AM
The answer is clear, people: vb will eventually charge us for these hacks. I bet you it is because they want a share of the pie. Unfair practice by the big man as always. The posted hacks are optional to users. Why else would they remove them? As good as VB is, it is nothing without these free hacks. I guess I'd better start looking for another alternative... VB should create their own hacks to replace the ones that they feel are harmful... these hacks make your product better.....

free the hacks VB....

Dismounted
07-24-2007, 10:59 AM
The answer is clear, people: vb will eventually charge us for these hacks. I bet you it is because they want a share of the pie. Unfair practice by the big man as always. The posted hacks are optional to users. Why else would they remove them? As good as VB is, it is nothing without these free hacks. I guess I'd better start looking for another alternative... VB should create their own hacks to replace the ones that they feel are harmful... these hacks make your product better.....

free the hacks VB....

1./ vBulletin will NEVER charge anything for access to these hacks (except for the initial license fee); vBulletin CAN never charge anything. All hacks are the property of their owners and they are protected under law.

2./ We only remove hacks when they contain vulnerabilities. We don't remove them for the hell of it. I'd rather have no hacks than a board defaced by hackers. And yes, we verify all vulnerabilities before removing hacks; furthermore, all accounts of reported vulnerabilities are kept.

Dismounted

nexialys
07-24-2007, 10:59 AM
@odonel, you really are out of the track here...

Alerting of security risks is different from controlling the content of the releases... you are trying to start a new polemic, and this is not good from a newbie..

deezelpope
07-24-2007, 11:02 AM
The answer is clear, people: vb will eventually charge us for these hacks. I bet you it is because they want a share of the pie. Unfair practice by the big man as always. The posted hacks are optional to users. Why else would they remove them? As good as VB is, it is nothing without these free hacks. I guess I'd better start looking for another alternative... VB should create their own hacks to replace the ones that they feel are harmful... these hacks make your product better.....

free the hacks VB....

Rubbish...utter rubbish!:rolleyes:

Clayton
07-24-2007, 11:15 AM
Finding a solution to the problems is number one, which should always be the aim

however

as mentioned by microhellas, you don't find vBulletin sending out an email to all their users, when they find a vulnerability, to uninstall their software. They work to first find a solution.

to see how an email was sent out to all the users of Microhellas' hacks before finding a solution with the author was (imo) irresponsible and it has led to a valid contributor now making her hacks unavailable to the users of vb.org

I can see her point, the email sent out creates alarm (which from a business point of view for her is plain destructive) and causes the users of her products to get the impression that there is something inferior or wrong with her products

in this instance a solution was easily found by the author and this whole scenario could have been avoided

hopefully those involved can learn from this

Thank you everyone for working to provide a service of value to all users

King Kovifor
07-24-2007, 11:26 AM
It is recommended that you remove a hack because it isn't the product. If you still want to continue using the hack at the risk of an exploit, it's your own choice.

Paul M
07-24-2007, 11:33 AM
10 months after 522 installs we now have a vulnerability


There is no "we now have " about it - the vulnerability has always been there, it's only now been reported to us. There is a big difference there.

Clayton
07-24-2007, 11:40 AM
It is recommended that you remove a hack because it isn't the product. If you still want to continue using the hack at the risk of an exploit, it's your own choice.

I won't get involved in petty arguments; each person has something valid to represent

At the end of the day vBulletin is also still a product and the information gathered by the forums on my servers is our property. To protect this property from exploits is no different

when exploits are found with vBulletin they do not send out an email to all their users telling them to uninstall.

all I am saying is that this could have been dealt with differently

There is no "we now have " about it - the vulnerability has always been there, it's only now been reported to us. There is a big difference there.

Hi Paul, this I understand

the timing was what I questioned

I voice my concerns regarding microhellas, it is not an attack on any party in any way but more a hope of avoiding similar scenarios in the future

I am thankful for the work done by vB.org however there are often many ways to skin a cat

:)

nexialys
07-24-2007, 12:25 PM
i like this thread... a similar one was started by my friend Hambil 2 weeks ago (https://vborg.vbsupport.ru/showthread.php?t=151083), and 3 weeks ago too (https://vborg.vbsupport.ru/showthread.php?t=150973), with the same reasons, same debate, and same result... (none)...

so it would be just time you stop complaining and start repairing your bugs when you have some... it usually takes less than 1 hour to do so, and then your releases go back to public...

and if you are not happy with the policies, instead of complaining, because it's useless, these are made to be unchanged because they work, you can simply release your work elsewhere better... (if you find a better place, just tell me, i'd be happy to start complaining there also!)

MaryTheG(r)eek
07-24-2007, 01:37 PM
I'd rather have no hacks than a board defaced by hackers.
Dismounted

I apologize if I misunderstood it, but are you calling us hackers????

deezelpope
07-24-2007, 01:45 PM
Noooo, he's not saying that at all. I believe he's saying that he would rather have a board with zero modifications, rather than have a board that was defaced by hackers due to exploited modifications or modifications with security issues.

Marco van Herwaarden
07-24-2007, 01:48 PM
I apologize if I misunderstood it, but are you calling us hackers????

Huh?

Are you defacing other people's websites?

If the answer is "Yes" then, yes, he is calling you a hacker.

MaryTheG(r)eek
07-24-2007, 01:50 PM
Huh?

Are you defacing other people's websites?

If the answer is "Yes" then, yes, he is calling you a hacker.

Funny!! That's why I wrote "I apologize etc etc". I don't know the meaning of "deface". I got the meaning of "full of" as the other member wrote above.

Clayton
07-24-2007, 01:57 PM
Noooo, he's not saying that at all. I believe he's saying that he would rather have a board with zero modifications, rather than have a board that was defaced by hackers due to exploited modifications or modifications with security issues.

To be absolutely honest, if it were not for vb.org and the various hacks then vbulletin would be simply another set of forums

@marco

adding fuel to fire should be left to trolls ;)


thanks jammiegirl for a level headed approach

:D

as mentioned hopefully this can be avoided in the future

deezelpope
07-24-2007, 02:51 PM
Funny!! That's why I wrote "I apologize etc etc". I don't know the meaning of "deface". I got the meaning of "full of" as the other member wrote above.

I'm sorry...I used the term "defaced" in my post, not realizing you did not know. Defacing is a very bad thing...

To be absolutely honest, if it were not for vb.org and the various hacks then vbulletin would be simply another set of forums

@marco

adding fuel to fire should be left to trolls ;)


thanks jammiegirl for a level headed approach

:D

as mentioned hopefully this can be avoided in the future

Oh, you're absolutely right! Even though I'm through modifying my own board (I think), I still love coming here to see the new mods. But seeing good mods end up in The Graveyard makes me sad.:(

You're welcome...I try!:D Hehe...you called me "jammiegirl"...how cute!:D

hambil
07-24-2007, 05:52 PM
Finding a solution to the problems is number one, which should always be the aim

however

as mentioned by microhellas, you don't find vBulletin sending out an email to all their users, when they find a vulnerability, to uninstall their software. They work to first find a solution.

to see how an email was sent out to all the users of Microhellas' hacks before finding a solution with the author was (imo) irresponsible and it has led to a valid contributor now making her hacks unavailable to the users of vb.org

I can see her point, the email sent out creates alarm (which from a business point of view for her is plain destructive) and causes the users of her products to get the impression that there is something inferior or wrong with her products

in this instance a solution was easily found by the author and this whole scenario could have been avoided

hopefully those involved can learn from this

Thank you everyone for working to provide a service of value to all users

Been here, had this argument, lost it, and that's why my hacks are no longer available here either. Glad to see I'm not alone in feeling this way, though :)

Paul M
07-24-2007, 06:47 PM
when exploits are found with vBulletin they do not send out an email to all their users telling them to uninstall.

What Jelsoft do is not relevant - they own and write vbulletin, so they simply fix any exploits and advise you to upgrade.

vbulletin.org do not own/control/write the modifications so they advise you to uninstall - whether you take that advice is entirely up to you.

This modification contains an xxxxx vulnerability. You are hereby advised to uninstall this modification until such time that the author provides a fix.
-- vBorg Staff

Wayne Luke
07-24-2007, 07:31 PM
Wouldn't it be much better for the people involved to do this:

1) Modification is reported with an exploit and it is verified.

2) Staff member puts an "Exploit found" flag on the modification. Within a notes field, the staff member can document the exploit and add any other necessary comments. When they save it, an email is fired off to the Author(s) of the addon.

3) The flag above also puts a notice on the addon and prohibits new users from downloading it until a new version is uploaded by the author. People who have already marked it as installed can still download it, but a warning is shown on the first post in nice bright, eye-catching letters. This could also send the email out to users who have installed it. The text of which could be modified to something like:

A vulnerability in XXX modification has been reported and confirmed. We have notified the author about this and are awaiting a fix for the issue. At this time it is advised to disable this addon on your site. To get more information about this issue please visit the modification support thread at:


4) Staff looks at the new version; if okay, then the flag is removed and everyone goes about their merry business.

This would prevent moving addons to the "graveyard", give authors time to fix the problem and not make the exploit available to new users. Current customers can continue to get support. Addon authors keep their work and such, and less work overall for the staff here. Seems like it would be win-win-win all-around.

It seems most of this system is in place. Just a little different way of handling it.

hambil
07-24-2007, 07:51 PM
Wouldn't it be much better for the people involved to do this:

1) Modification is reported with an exploit and it is verified.

2) Staff member puts an "Exploit found" flag on the modification. Within a notes field, the staff member can document the exploit and add any other necessary comments. When they save it, an email is fired off to the Author(s) of the addon.

3) The flag above also puts a notice on the addon and prohibits new users from downloading it until a new version is uploaded by the author. People who have already marked it as installed can still download it, but a warning is shown on the first post in nice bright, eye-catching letters. This could also send the email out to users who have installed it. The text of which could be modified to something like:


4) Staff looks at the new version; if okay, then the flag is removed and everyone goes about their merry business.

This would prevent moving addons to the "graveyard", give authors time to fix the problem and not make the exploit available to new users. Current customers can continue to get support. Addon authors keep their work and such, and less work overall for the staff here. Seems like it would be win-win-win all-around.

It seems most of this system is in place. Just a little different way of handling it.

For what it's worth, I would fully support this. Thanks Wayne.

-=Sniper=-
07-24-2007, 08:32 PM
That would be much better but as the author I still want to have the opportunity to FIX the issue and send the security issue message at the SAME TIME. Rather than leaving users waiting for a fix! If I don't update it yeh sure send the message but the opportunity needs to be there.

dsotmoon
07-24-2007, 09:08 PM
I think Wayne should be running things here because his ideas make a lot more sense than what's happening right now

Neal-UK
07-24-2007, 09:11 PM
Please leave the install .txt file on graveyarded modifications and a list of files that would have been added to the server and their location.

If it's a file that causes the problem, then by removing the plugin only will not stop the risk, IMO.

hambil
07-24-2007, 09:12 PM
Please leave the install .txt file on graveyarded modifications and a list of files that would have been added to the server and their location.

If it's a file that causes the problem, then by removing the plugin only will not stop the risk, IMO.

This is true. Not all products 'disable' the way they should - especially if they contain file edits or template edits. Good point.

dsotmoon
07-24-2007, 09:30 PM
This is true. Not all products 'disable' the way they should - especially if they contain file edits or template edits. Good point.


I have just run into a problem uninstalling one in the graveyard. I uninstalled, but it left a graphic behind that I now cannot find how to remove; searching for it in templates does not find it, the thread is locked so I can't ask questions, and it's a hack so vB.com won't support my problem.

Come on vB.org, this was not thought through :confused:

Wayne Luke
07-24-2007, 09:30 PM
i think wayne should be running things here because his ideas make alot more sense than whats happening right now

Not my job. The people in charge here are more than capable. The system just seems to need some refinement and I am sure they can do that. I am just putting in a suggestion as a user of the site.

quiklink
07-24-2007, 09:57 PM
That would be much better but as the author I still want to have the opportunity to FIX the issue and send the security issue message at the SAME TIME. Rather than leaving users waiting for a fix! If I don't update it yeh sure send the message but the opportunity needs to be there.

In the meantime while they are waiting for you to fix the problem, upload the update, and verify that it corrects the security issue, everyone who has the mod on their site is sitting vulnerable. By sending the emails out immediately the end user now is aware that there is a security issue and can decide for themselves whether or not to remove the mod until it is fixed.

-=Sniper=-
07-24-2007, 10:35 PM
@quiklink;

ok, so WILL you uninstall vbulletin if it had a security issue? yes or no? will you uninstall a hack or no? please don't answer! Why doesn't Jelsoft inform me about security issues when discovered but only when they have published the fix?

Do you feel the same way about vbulletin as a standalone product?

You have to understand the issue was reported privately hence no one knows about it (or very few) so the author has the opportunity to fix it and tell users at the same time. Now if someone made the security issue public, fair enough you would inform as many users as possible, since someone will now try to exploit the issue no doubt.

Now if you ask users to uninstall mods, e.g. if you had articles mod, six months later there is a security issue, by now the site might have plenty of articles etc and on uninstall everything will be lost, would you want that? you have to understand not everyone is technically minded or even simple things like uninstalling or disabling would mean the same thing to them...

as always there are pro/cons to every procedure.

quiklink
07-24-2007, 11:29 PM
@quiklink;

ok, so WILL you uninstall vbulletin if it had a security issue? yes or no? will you uninstall a hack or no? please don't answer! Why doesn't Jelsoft inform me about security issues when discovered but only when they have published the fix?

While owned by Jelsoft, this site has nothing to do with security on vBulletin. I keep seeing many make this comparison and it doesn't wash, not to mention the liability issue to Jelsoft should they know of a vulnerability in a mod and not make it known. It's one thing to have a liability on your own product; it's quite another to assume potential liability on a 3rd party product. And regardless of what Jelsoft does with its own products, what YOU are doing is advocating allowing the end users to remain vulnerable to a security issue you created.

Do you feel the same way about vbulletin as a standalone product?

Jelsoft's practices have no bearing on this discussion because these are not Jelsoft mods.

You have to understand the issue was reported privately hence no one knows about it (or very few) so the author has the opportunity to fix it and tell users at the same time. Now if someone made the security issue public, fair enough you would inform as many users as possible, since someone will now try to exploit the issue no doubt.

Obviously at least one person knows of the vulnerability, there quite possibly could be many others who are choosing to exploit the vulnerability rather than announce it. Again, you advocate allowing this to happen.

Now if you ask users to uninstall mods, e.g. if you had an articles mod, six months later there is a security issue, by now the site might have plenty of articles etc and on uninstall everything will be lost, would you want that? you have to understand not everyone is technically minded or even simple things like uninstalling or disabling would mean the same thing to them...

It's up to the end user to make that decision. You have no right to make it for them and you have a responsibility to inform them of the vulnerability immediately so that they may protect themselves from harm through code you produced.


as always there are pro/cons to every procedure.

There is no pro to your argument. Only cons, and the con is to the end user you want to keep at risk to protect your own reputation.

-=Sniper=-
07-24-2007, 11:56 PM
While owned by Jelsoft, this site has nothing to do with security on vBulletin. I keep seeing many make this comparison and it doesn't wash, not to mention the liability issue to Jelsoft should they know of a vulnerability in a mod and not make it known. It's one thing to have a liability on your own product, it's quite another to assume potential liability on a 3rd party product. And regardless of what Jelsoft does with its own products, what YOU are doing is advocating allowing the end users to remain vulnerable for a security issue you created.

Have I said Jelsoft should be held responsible for anything made by a 3rd party? Where? SHOW ME! Jelsoft choose not to inform users when they discover a security issue but only, and as quickly as, they release the fix.

So it's fine for Jelsoft not to inform its users but not me? You don't seem to make sense; you are asking me to inform all my hack users, then why not Jelsoft?

Jelsoft's practices have no bearing on this discussion because these are not Jelsoft mods.

Who said it does? So you like Jelsoft's practices but not mine? It's a shame that the practices are exactly the same, yet you see a difference? I want to try and make sure that when I inform users of a security issue I issue the fix at the same time; if I am unable to fix it, it's fair to say I should inform them within 24 hours IF I can't fix it!

Obviously at least one person knows of the vulnerability, there quite possibly could be many others who are choosing to exploit the vulnerability rather than announce it. Again, you advocate allowing this to happen.

The same again applies to every script out there no matter who creates it: if no one reports a security issue, it won't be fixed. Remember the user reporting has done so in good faith so the issue can be fixed; no doubt there are users who won't report it and would rather take advantage. Once an issue becomes public it becomes a race to get the fix out before even more users are able to take advantage. Now the minority has become the majority. And now there's more pressure on the mod creator.

It's up the the end user to make that decision. You have no right to make it for them and you have a responsibility to inform them of the vulnerability immediately so that they may protect themselves from harm through code you produced.

Wait, so Jelsoft have the right to make the decision for you and I don't? Why not me? Where's my right? So you trust Jelsoft more than the coders here.

There is no pro to your argument. Only cons, and the con is to the end user you want to keep at risk to protect your own reputation

wait don't Jelsoft do that?

I'm sorry for using Jelsoft as an example; I'm sure there's more out there.

hambil
07-25-2007, 12:02 AM
While owned by Jelsoft, this site has nothing to do with security on vBulletin. I keep seeing many make this comparison and it doesn't wash, not to mention the liability issue to Jelsoft should they know of a vulnerability in a mod and not make it known.
Jelsoft has made it abundantly clear they have no liability for any mods on this site, period.

@Sniper: I'd focus your arguments on staff and not get sidetracked by posts from members, for what my opinion is worth :)

-=Sniper=-
07-25-2007, 12:04 AM
Jelsoft has made it abundantly clear they have no liability for any mods on this site, period.

@Sniper: I'd focus your arguments on staff and not get sidetracked by posts from members, for what my opinion is worth :)

thanks will do :)

it's a shame there are narrow minded people out there...doh.

nexialys
07-25-2007, 12:04 AM
I am just putting in a suggestion as a user of the site.
damn Wayne, it's time to drop that user title then.. lol..

quiklink
07-25-2007, 12:11 AM
Have I said Jelsoft should be held responsible for anything made by a 3rd party? Where? SHOW ME! Jelsoft choose not to inform users when they discover a security issue but only, and as quickly as, they release the fix.

So it's fine for Jelsoft not to inform its users but not me? You don't seem to make sense; you are asking me to inform all my hack users, then why not Jelsoft?

So because Jelsoft follows such a practice that makes it ok for you to do so?

Who said it does? So you like Jelsoft's practices but not mine? It's a shame that the practices are exactly the same, yet you see a difference? I want to try and make sure that when I inform users of a security issue I issue the fix at the same time; if I am unable to fix it, it's fair to say I should inform them within 24 hours IF I can't fix it!

We aren't talking about Jelsoft, though you keep trying to use them as your defense. So again you advocate leaving the end user and their customers vulnerable to cover your own reputation. Nice.

The same again applies to every script out there no matter who creates it: if no one reports a security issue, it won't be fixed. Remember the user reporting has done so in good faith so the issue can be fixed; no doubt there are users who won't report it and would rather take advantage. Once an issue becomes public it becomes a race to get the fix out before even more users are able to take advantage. Now the minority has become the majority. And now there's more pressure on the mod creator.

You have no idea if the exploit has already been known by others and is only now being reported by a responsible person. But apparently the risk to the people who are using your mods means nothing to you save what it means to your reputation should it be found out that your mod has a security flaw.

Wait, so Jelsoft have the right to make the decision for you and I don't? Why not me? Where's my right? So you trust Jelsoft more than the coders here.

Again, quit trying to use Jelsoft's practices as an excuse for your own. If you or I have an issue with how Jelsoft handles security for vBulletin it belongs over at the vb.com site, not here. We are talking about security risks in the mods available here.

Jelsoft has made it abundantly clear they have no liability for any mods on this site, period.

That means absolutely nothing and would not prevent Jelsoft from being dragged into court should someone decide to sue them over a vulnerability in a mod obtained from here. It also does not necessarily mean they will win either, particularly if they were aware of a security vulnerability in a given mod and allowed it to continue to be available and did not warn those who had it installed.

Jelsoft has made it abundantly clear they have no liability for any mods on this site, period.

@Sniper: I'd focus your arguments on staff and not get sidetracked by posts from members, for what my opinion is worth :)

So the opinions of the users of these mods don't matter? Guess I should have already realized that from those coders who are condoning leaving the users vulnerable because announcing a flaw in their code might hurt their reputations.

I've been programming for better than 20 years and I'm quite aware that stuff happens and vulnerabilities occur. It's a fact of life when programming. What I have an issue with are those coders who are willing to leave their users hanging and at risk rather than notify them immediately of the risk and then working to get a fix out as fast as possible. That's just plain irresponsible. I have a lot more respect for the coder who thinks of their users first and their reputations second.

hambil
07-25-2007, 12:40 AM
So the opinions of the users of these mods don't matter?
Feel free to have all the opinions you want. Have an opinion party. How much they count really depends on the opinion, and how well you express it.

You were defending Jelsoft policy. Since you don't work for them, doing much more than noting your opinion on the subject and moving on, isn't very productive to the discussion.

quiklink
07-25-2007, 12:46 AM
Feel free to have all the opinions you want. Have an opinion party. How much they count really depends on the opinion, and how well you express it.

You were defending Jelsoft policy. Since you don't work for them, doing much more than noting your opinion on the subject and moving on, isn't very productive to the discussion.

Yep I am defending not leaving the mod users at risk. Sorry if that seems to be a strange or unpopular choice. Where I learned programming we try to watch out for our customers rather than leave them vulnerable to attack.

I have yet to see a reasonable justification for leaving the mod users vulnerable to attack.

hambil
07-25-2007, 12:54 AM
Yep I am defending not leaving the mod users at risk. Sorry if that seems to be a strange or unpopular choice. Where I learned programming we try to watch out for our customers rather than leave them vulnerable to attack.

I have yet to see a reasonable defense for leaving the mod users vulnerable to attack.
I've given several.

1) Calling attention to a vulnerability before a fix is available actually increases the risk to the end-user.
2) Not giving clear instructions, but simply saying 'disable' or 'uninstall', will likely not remove the vulnerability in many cases, since file edits and template edits may have been made.
3) Sending these notices out over and over again, as is starting to happen now, creates an atmosphere in which the users will simply begin to ignore them, once again increasing their risk.

Now, if a fix is not provided by the author within a reasonable time frame, then pulling the hack and notifying the users is the only logical choice. But, it is not the best choice as a first line of defense.

There are reasons why Jelsoft and other companies don't operate that way. It is logical to assume they don't want to harm their customers because that's bad for business. So to believe that the policy being used here is the correct policy, you have to believe that everyone else in the industry got it wrong.

quiklink
07-25-2007, 01:06 AM
I've given several.

1) Calling attention to a vulnerability before a fix is available actually increases the risk to the end-user.

That's not a good reason. They are still vulnerable to the attack. You don't know exactly how widespread the problem is before being finally notified about it. And are these notices detailing exactly how the exploit is occurring?

2) Not giving clear instructions, but simply saying 'disable' or 'uninstall', will likely not remove the vulnerability in many cases, since file edits and template edits may have been made.

Template edits aren't usually going to be a security issue. File edits yes I agree would. While detailed removal instructions would be good, it would be difficult for vborg to give such instructions for every mod. I agree that in the graveyard the info for proper removal/uninstall should be left so that the user can get that info if they don't already have it.

3) Sending these notices out over and over again, as is starting to happen now, creates an atmosphere in which the users will simply begin to ignore them, once again increasing their risk.

That's the end user's problem. You can't fix stupid.

Now, if a fix is not provided by the author within a reasonable time frame, then pulling the hack and notifying the users is the only logical choice. But, it is not the best choice as a first line of defense.

What exactly is a reasonable time frame for leaving a user vulnerable? Answer: No time, they should be informed immediately. Are you willing to accept the responsibility and liability for any damage or theft of information because you didn't announce the vulnerability when you first learned about it? No I thought not...But believe it or not, an end-user could quite easily decide to haul you into court for doing just that. You can post all the disclaimers in the world and it doesn't protect you.

There are reasons why Jelsoft and other companies don't operate that way. It is logical to assume they don't want to harm their customers because that's bad for business. So to believe that the policy being used here is the correct policy, you have to believe that everyone else in the industry got it wrong.

Everyone in the industry certainly does not do this. In fact, with most major applications the vulnerabilities are posted immediately on known sites to get the information out as fast as possible. This is often how the developers learn about the vulnerabilities in their own code in the first place.

Sorry but all I am seeing from this is an attempt by the mod developers to cover their reputations at the risk and expense of the user.

hambil
07-25-2007, 01:35 AM
Sorry but all I am seeing from this is an attempt by the mod developers to cover their reputations at the risk and expense of the user.

Well, you're wrong on pretty much all accounts, but hey, free speech man.

Neal-UK
07-25-2007, 01:57 AM
This is true. Not all products 'disable' the way they should - especially if they contain file edits or template edits. Good point.

That's right, some hacks also have a separate install function as well as the plugin, which means that if you remove it via the plugin without doing the product uninstall via the product itself, the template and DB edits, etc. are still there and you can't re-download the files.

If a hack is marked as a security risk, the files should still be left so people can deal with the above issues. If they install it to use normally, that's their own bloody fault as they don't read or listen to the risks.

Can someone from vB.org please let me know if this will be possible?

Paul M
07-25-2007, 02:16 AM
If news of an exploit has been made public (by whatever route) and the modification moved to the GY, then the files will no longer be downloadable. This means all files in the thread; we cannot separate out individual files because they happen to be instructions - in most cases there is only one zip file anyway (containing everything).

dsotmoon
07-25-2007, 10:39 AM
If news of an exploit has been made public (by whatever route) and the modification moved to the GY, then the files will no longer be downloadable. This means all files in the thread; we cannot separate out individual files because they happen to be instructions - in most cases there is only one zip file anyway (containing everything).

then you are just informing people of a risk but not letting them have all the tools they may need to eliminate it? In fact making their vB installation more vulnerable!

Andreas
07-25-2007, 10:50 AM
Well, they are advised to disable/uninstall it. If they don't do that, it's their problem really.
IMHO it's better to inform users immediately rather than having them run vulnerable code without knowing.
If they know, they can take appropriate actions - if they don't, they can't.

GaryP
07-25-2007, 12:28 PM
As a user of a lot of modifications on this site, I say that we should be warned of the problem with a modification as soon as the problem is highlighted. If we then opt to still use the affected modification and something happens to our site then this is our problem but if we disable or remove it then we know that we are safe.

Imagine for a minute that you buy a tin of beans from a shop. Now the next day the manufacturer finds that a bit has broken off the machine. They check the batch numbers of the beans produced since the last known time that the piece was there and then issue a recall notice with the product, description, and batch details and tell you not to eat them.

Now in the same way, vB.org has told us about the product and the version that is affected by security issues. This is something that needs to be done right away. Proper testing of modifications before they are released to the trusting non-coders should be done by the coders to make sure that this doesn't happen, although there will always be some that get through anyway.

Coders then can fix the problem, or not, as they decide while the people using the modification can see it, or not, at their own risk as they are aware that there is an issue.

Really it's like everything - if you know something is dangerous would you still do it? If going down a mountain do you take the path, the cable car or jump from the top? If you opt for the cablecar then find out that the cable is frayed, would you still use it while waiting for it to be fixed?

hambil
07-25-2007, 12:42 PM
Imagine for a minute that you buy a tin of beans from a shop. Now the next day the manufacturer finds that a bit has broken off the machine.

Really it's like everything - if you know something is dangerous would you still do it? If going down a mountain do you take the path, the cable car or jump from the top? If you opt for the cablecar then find out that the cable is frayed, would you still use it while waiting for it to be fixed?
But those examples aren't like 'everything'. They are life and death. Anytime something is a matter of life and death companies always immediately inform everyone (let's not get into automobile recalls that are not done or delayed - yes, companies make evil decisions too, but as a rule in life and death people are immediately informed).

Nothing on this site will kill you.

Marco van Herwaarden
07-25-2007, 12:51 PM
But it might kill the data that took you years to get on your site.....

Princeton
07-25-2007, 12:51 PM
Nothing on this site will kill you.

but it will cause hardship .. many members devote hours to their sites - in some cases this is their livelihood that we are dealing with.

Our priority is to protect our members.

Can we find a balance between protecting members and making our coders happy?
We are discussing the matter.

I would like to hear more SOLUTIONS - instead of what's better and for whom it should favor. Who knows .. it may be something we haven't thought about.

-=Sniper=-
07-25-2007, 12:54 PM
But it might kill the data that took you years to get on your site.....

well have you considered the FACT that instructing users to uninstall a mod would do the same thing? Not everyone backs up their data or knows that on uninstalling the mod it would remove the related database tables. Now the mod could be a gallery or an article system etc

Marco van Herwaarden
07-25-2007, 12:57 PM
One of the improvements we are currently discussing (and I think this has already been mentioned in this thread) is if we can give users more tailored advice based on the type of vulnerability and the modification in question. This might however not be possible, as we cannot be aware of all the ins and outs of a modification and how to block only access to vulnerable locations in the modification.

deezelpope
07-25-2007, 01:08 PM
This is just my opinion, but I think the current solution is acceptable.

-=Sniper=-
07-25-2007, 01:08 PM
asking users to disable is fair enough but no doubt the same doesn't apply to hacks which require file uploads as mentioned before.

I would rather, considering the mods are aware of the issue, that when sending out the email they suggest a temp fix.

e.g. A vulnerability has been discovered in hack xx; in order to fix the vulnerability please follow these steps (write steps) or disable the product and wait for the author to upload the fixed version.

I can understand it would not be possible if there are many locations within the code, but if it's only two or three, it isn't much work.

Andreas
07-25-2007, 01:14 PM
Suggestion:

If it's a plugin-only modification and the vulnerability lies in the code or added templates, advise users to disable it
If it's a vulnerability in a template modification that would still exist if all plugins are disabled, advise users to revert the template(s)
If the vulnerability lies in added files, advise users to disable the modification and delete all files added by the modification
If the vulnerability lies in code added/modified in vBulletin files, advise users to overwrite the files with the original ones

This way, it should be possible to protect users while keeping them from losing data.
Though, this provides more information about the type of vulnerability - information that could be abused for searching for the vulnerability and exploiting it.
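
The per-location advice above, and the earlier point that merely disabling a product does not remove file or template edits, can be turned into a standardized notice. The following is an added example, not code from the thread or from vBulletin.org; the report fields, the step wording and the `disclose_location` switch are assumptions made for illustration.

```python
"""Generate a standardized, non-destructive remediation notice for a
vulnerable vBulletin modification.  Constructed example: the report
structure, step texts and the disclose_location switch are assumptions,
not vBulletin.org's actual process or code."""

from dataclasses import dataclass

# Where the vulnerable code can live.  One report may list several.
LOCATIONS = ("plugin", "template", "added_file", "core_file_edit")

# Which locations merely disabling the product neutralises.  Plugin hooks
# stop running; templates, uploaded files and edited core files stay in
# place and stay reachable, which is the residual exposure.
NEUTRALISED_BY_DISABLE = {"plugin"}

# Non-destructive action per location, in the order users should do them.
# None of them uninstalls the product, so its database tables survive.
ACTIONS = {
    "plugin": "Disable the product in the AdminCP product manager. Do not uninstall it.",
    "template": "Revert every template the modification added or edited.",
    "added_file": "Delete the files the modification's zip added to your forum directory.",
    "core_file_edit": "Overwrite the vBulletin files the modification edited with the originals from your vBulletin package.",
}


@dataclass(frozen=True)
class VulnReport:
    modification: str   # placeholder name, not a real modification
    version: str
    locations: tuple    # subset of LOCATIONS


def residual_exposure(report):
    """Locations that are still exposed after the user only disables the product."""
    unknown = set(report.locations) - set(LOCATIONS)
    if unknown:
        raise ValueError(f"unknown location(s): {sorted(unknown)}")
    return [loc for loc in LOCATIONS
            if loc in report.locations and loc not in NEUTRALISED_BY_DISABLE]


def remediation_steps(report):
    """Ordered, de-duplicated steps.  Disabling is always step one: it is
    reversible, loses no data and stops any hook code immediately."""
    residual_exposure(report)          # validates the location names
    needed = {"plugin"} | set(report.locations)
    return [ACTIONS[loc] for loc in LOCATIONS if loc in needed]


def build_notice(report, disclose_location=False):
    """Render the e-mail text.  By default the notice says what to do but
    not which component is affected; staff can opt in to more detail.
    The steps themselves still hint at the kind of flaw, which is the
    trade-off the suggestion above points out."""
    lines = [
        f"{report.modification} {report.version} currently contains a vulnerability.",
        "Until a fixed version is released, please take these steps:",
    ]
    lines += [f"  {n}. {step}" for n, step in enumerate(remediation_steps(report), 1)]
    if disclose_location:
        lines.append("Affected component(s): " + ", ".join(report.locations))
    lines.append("Do NOT uninstall the product: uninstalling removes its database "
                 "tables and the data they hold. Disabling keeps your data intact.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample report with placeholder names.
    sample = VulnReport("Example Articles Mod", "1.2", ("plugin", "added_file"))
    print(build_notice(sample))
```

`residual_exposure` is the check worth running before any notice goes out: if it returns anything, "disable the product" alone is not enough advice for that modification.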

nexialys
07-25-2007, 01:25 PM
MY SOLUTION: a PR technician...

one of the guys upthere is reserved for community/coders contacts... that person is the one to contact coders when something goes wrong with any code, that person also is the one moderating these releases when things go wrong...

if the author can't be reached, the hack is stored and members alerted.

if the author is reached, the PR guy is the one to contact the coder, in the minute an exploit/problem is found, and if a solution comes, they all update the release... i would suggest 24 hours, but as said earlier, usually when an exploit is found the solution comes with it... we all know how to code here!...

there are 2 switches actually:

1- problem fixed: we alert everybody who have downloaded the hack to update
2- problem not fixed / author unreached: we alert everybody who downloaded it to disable the tool

it's just a question of what to say to everybody... not only the ones who clicked the INSTALL button... i never click these, and i downloaded most of the hacks released here... maybe i would miss the alert.

when Ford have to recall the entire line of a car, they do not contact only the persons who signed a newsletter, they contact all the buyers, and even make an announcement in the News...

MaryTheG(r)eek
07-25-2007, 01:27 PM
Can we find a balance between protecting members and making our coders happy?

A first step is to inform members to Disable a product and not to uninstall it. Most members don't know that by uninstalling it they're losing their data. I realized it from the huge amount of emails that I got from members asking me (but after uninstallation) if they lost their data.

nexialys
07-25-2007, 01:40 PM
A first step is to inform members to Disable a product and not to uninstall it. Most members don't know that by uninstalling it they're losing their data. I realized it from the huge amount of emails that I got from members asking me (but after uninstallation) if they lost their data.

that comes because Jelsoft forgot to alert the admins of the "Uninstall" process... a simple "remember that when you uninstall this product, all related information, settings and DATA will be lost." would give a great hint of the process.. .lol

Marco van Herwaarden
07-25-2007, 01:48 PM
We will not be sending out emails to users with the advice to 'uninstall' anymore. We will advise non-destructive methods. Whether we can already give really more tailored advice at this time I am not so sure about yet.

hambil
07-25-2007, 02:25 PM
not only the ones who clicked the INSTALL button... i never click these
DIE!!!!

RedTyger
07-25-2007, 02:50 PM
I added an option to save or delete data when uninstalling to the latest version I released and set it to keep data by default, it's well worth doing when you're adding valuable data to the database.

quiklink
07-25-2007, 03:28 PM
But those examples aren't like 'everything'. They are life and death. Anytime something is a matter of life and death companies always immediately inform everyone (let's not get into automobile recalls that are not done or delayed - yes, companies make evil decisions too, but as a rule in life and death people are immediately informed).

Nothing on this site will kill you.

Wow, just wow. So the damage to my business through the loss or compromise to data on my system through a security vulnerability you created means nothing. It's more important that your reputation be protected. Nice attitude.

And again trying to defend this position by basically saying, 'well others do it so I should be able to as well'...

well have you considered the FACT that instructing users to uninstall a mod would do the same thing? Not everyone backs up their data or knows that on uninstalling the mod it would remove the related database tables. Now the mod could be a gallery or an article system etc

That's the end user's problem not yours. As I said before you can't fix stupid. If they haven't been backing up their data, that's their fault. That aside, there is also the matter of compromised data, such as personal information being stolen, the possibility of root server access through the vulnerability, etc.

Sorry, there is NO excuse or reasonable reasoning for not informing the end user immediately upon the discovery of a security issue.

We will not be sending out emails to users with the advice to 'uninstall' anymore. We will advise non-destructive methods. Whether we can already give really more tailored advice at this time I am not so sure about yet.

Good to hear. Keep up the good work guys!

hambil
07-25-2007, 04:27 PM
Wow, just wow. So the damage to my business through the loss or compromise to data on my system through a security vulnerability you created means nothing. It's more important that your reputation be protected. Nice attitude.

And again trying to defend this position by basically saying, 'well others do it so I should be able to as well'...
Please stop accusing me of ridiculous things I never said. I made an entire post (several posts) defending my position. How about you defend your position of being a jerk, now?

nexialys
07-25-2007, 04:29 PM
tss tss... calm down guys... you're going off-topic...

quiklink
07-25-2007, 04:41 PM
Please stop accusing me of ridiculous things I never said. I made an entire post (several posts) defending my position. How about you defend your position of being a jerk, now?

Yes and throughout you gave nothing resembling a sound reason for allowing the end user to remain at risk.

Please also note that while responding, by 'you' I am referring to coders that have mods available on this site. I am well aware that you (Hambil) have removed yours from this site. This isn't a direct attack on you, but on those who advocate putting users at risk when they themselves have nothing more than their reputations as coders on the line.

ragtek
07-25-2007, 04:54 PM
not only the ones who clicked the INSTALL button... i never click these

DIE!!!!
yes thats right!

should everybody get a mail when there is an error in hack xx? i don't think so...
why should i get extra mails just because hack xyz has some unescaped variables, and i haven't heard or read anything of this hack...

Marco van Herwaarden
07-25-2007, 05:06 PM
Feel free to discuss this topic and post your view on things, but refrain from namecalling and such, or this thread will be closed.

Please keep the discussion clean.

Paul M
07-25-2007, 07:15 PM
A first step is to inform members to Disable a product and not to uninstall it. Most members don't know that by uninstalling it they're losing their data. I realized it from the huge amount of emails that I got from members asking me (but after uninstallation) if they lost their data.

I believe this highlights that we need to standardize the actual message that is sent, and I agree that it should now suggest disabling rather than uninstalling - this is really something left over from the past, as before we had products, the advice of uninstalling was not really a problem as few modifications actually had an uninstall function that removed data. Now that the vb product system automates this, different advice is needed.

MaryTheG(r)eek
07-26-2007, 03:24 AM
.....and I agree that it should now suggest disabling rather than uninstalling .

Thank you for supporting my suggestion Paul. I believe that this will reduce the problem by 50%. Furthermore I believe that all new mods must be checked by Moderators before going public. That adds extra security and protects end users from rubbish (don't like to say "defaces"(?)).

Maria

Distance
07-26-2007, 03:36 AM
Although it would be a solution, it's never going to happen unless vBulletin.org hires someone; the moderators here get paid nothing and are voluntary, most:p of them have lives too and don't have enough time to check every modification.

Anyway if the person who created the script cannot spot one how do you expect someone who has never seen the script to have a better chance at finding it!

Also you have to think that if a moderator does check it and gives it the all clear and later an exploit is found and forums get compromised, it puts a lot of pressure on vBulletin.org and on the moderator, possibly legally too.


Distance

MaryTheG(r)eek
07-26-2007, 07:04 AM
The answer is clear people, vb will eventually charge us for these hacks....

Even if it's something that many users thought, I believe that the real reason is something else than Marco wrote before ("Lots of reports lately").

In my opinion the problem came from the new moderators who came into the field like bulls in a crystal shop, trying to get their first congratulations.

To be honest, I was very upset with this situation (for many reasons) but when I saw the moderator's profile (https://vborg.vbsupport.ru/member.php?u=81286), I understood many things just by seeing his photo. By the way (this is for Coordinators and Administrators), don't you think that Moderators (in other words staff) must be more careful in choosing their photo? "Caesar's wife doesn't need just to be good. She must look good too". At least he has the 2 fingers up and not just one :D

Marco van Herwaarden
07-26-2007, 07:16 AM
Maria,

I do not like to be called a liar. Also my previous post on the reason of the amount of vulnerabilities found the last few days was simply the truth, please stop trying to suggest that there is anything else to it.

The vulnerabilities have been reported by regular members/coders and staff investigated each report and took action if confirmed.

MaryTheG(r)eek
07-26-2007, 07:38 AM
I do not like to be called a liar.

I NEVER called you a liar, or at least my meaning wasn't this one. I've never called anybody a liar. My meaning is (in much simpler words): "There are lots of reasons. Some of them 1st priority, some others 2nd. I do believe that there were lots of reports and the staff hasn't the time to check all of them, so every day the queue became bigger and bigger. So, when the new staff started on duty, they started from there. And because (here is my point) they don't have the experience, they made mistakes.".

I apologize if you got my meaning on the bad side.

Dismounted
07-26-2007, 07:42 AM
Actually, the reports started coming in AFTER the new staff were introduced.

MaryTheG(r)eek
07-26-2007, 07:50 AM
Actually, the reports started coming in AFTER the new staff were introduced.

The timing was just for reference. The main point is that the reports were checked by the new inexperienced moderators. And to avoid any future misunderstanding: inexperienced as Moderators. Maybe he is a guru on vB.

Marco van Herwaarden
07-26-2007, 07:50 AM
We are not running behind in handling vulnerability reports. Until now we have been able to address each report within a day (more often within hours).

You can make a lot of assumptions, but unless you can provide some facts, they are nothing more than unfounded assumptions. Obfuscating a discussion with such assumptions does not lead to any constructive discussion.

PS The only time that Staff checked for unreported vulnerabilities in a modification has been when a larger number of modifications of the same author have already been reported. In that case staff might be looking into other modifications by the same author to see if there are similar vulnerabilities.

Marco van Herwaarden
07-26-2007, 07:53 AM
The timing was just for reference. The main point is that the reports were checked by the new, inexperienced moderators. And to avoid any future misunderstanding: inexperienced as moderators. Maybe he is a guru on vB.

Again you are assuming that new moderators are incapable of verifying and handling a vulnerability report or that they have to handle such a report without the assistance of more experienced staff.

I kindly ask you to stop feeding the discussion with such unfounded accusations.

MaryTheG(r)eek
07-26-2007, 08:03 AM
I kindly ask you to stop feeding the discussion with such unfounded accusations.

Unfounded? If you check, the vulnerability that he found in vbDigiShop is in the file finishpayment.php, which is the procedure that controls the 2Checkout return value. Except if you believe that 2Checkout can return an SQL query instead of a "True" or "False".

An experienced moderator is able to understand that this file is not important. If it was in the main vbdigishop.php, as it was for vbarticles.php, I can understand it. But in a routine file which has nothing to do with user input, I don't believe that is a vulnerability.

Marco van Herwaarden
07-26-2007, 08:22 AM
The unfounded relates to your remarks/suggestions that newer staff members are unable to correctly judge a vulnerability report.

I will not go into a public discussion on the details of a specific report, but you are free to contact me in private to discuss if a report is founded or not. Nobody says that we never make a mistake, and if we do I will be glad to help to sort it out.

PS All I will say in public on this is that I just personally checked on the report and, other than what you claim, the file contains a serious vulnerability.

Clayton
07-26-2007, 08:34 AM
One of the most important things that we should focus upon with this thread is that progress has been made and that the end product is that both the user and author will benefit by the changes.

This is good

Well done to all

:up:

Andreas
07-26-2007, 08:39 AM
Except if you believe that 2Checkout can return an SQL query instead of a "True" or "False".

Although it is unlikely to happen willingly, it might happen accidentally.

But in a routine file which has nothing to do with user input, I don't believe that is a vulnerability.

Do you think an attacker really cares which file he must access to break into the system?
I doubt that. The important point is: Would it be potentially possible that the input contains anything other than the expected values?
If so, this must be handled correctly, even if it would normally only be accessed by automatic processes.

Never ever trust user input!
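Andreas' point above, that a callback file reached only by an automated process still has to treat whatever arrives as untrusted input, shown in working code. This is an added example, not code from vbDigiShop or from any poster in this thread; the parameter names (order_id, status, sig), the HMAC check and the shared secret are assumptions for illustration, not the real 2Checkout interface.

```php
<?php
// Added example (hypothetical payment-return handler, not vbDigiShop code).
// A gateway callback URL is reachable by anyone who knows it, so every
// parameter must be validated as if a user typed it.
declare(strict_types=1);

// Vulnerable pattern seen in many "routine" callback files: the gateway's
// value goes straight into SQL, so whoever calls the URL writes the WHERE clause.
//   $order = $_REQUEST['order_id'];
//   $db->query("UPDATE orders SET paid = 1 WHERE orderid = $order");

// Constructed placeholder; a real deployment keeps this outside the web root.
const CALLBACK_SECRET = 'placeholder-shared-secret';

/**
 * Validate the callback parameters (assumed names: order_id, status, sig).
 * Returns typed values on success, null on any deviation from the expected shape.
 */
function validate_callback(array $params, string $secret): ?array
{
    // 1. Only the expected fields, each in exactly the expected form.
    if (!isset($params['order_id'], $params['status'], $params['sig'])) {
        return null;
    }
    $orderId = $params['order_id'];
    // is_string rejects array-valued parameters such as order_id[]=...
    if (!is_string($orderId) || !ctype_digit($orderId) || strlen($orderId) > 18) {
        return null;
    }
    $status = $params['status'];
    if ($status !== 'Y' && $status !== 'N') {   // closed set, nothing else accepted
        return null;
    }
    // 2. Prove the request came from the gateway, not from whoever found the URL.
    //    (HMAC over the fields with a shared secret is assumed here.)
    $expected = hash_hmac('sha256', $orderId . '|' . $status, $secret);
    if (!is_string($params['sig']) || !hash_equals($expected, $params['sig'])) {
        return null;
    }
    return ['order_id' => (int) $orderId, 'paid' => $status === 'Y'];
}

/**
 * Apply a validated result with a prepared statement; the value can only
 * ever be bound as an integer, never interpreted as SQL text.
 */
function record_payment(mysqli $db, array $validated): bool
{
    $stmt = $db->prepare('UPDATE orders SET paid = ? WHERE orderid = ?');
    if ($stmt === false) {
        return false;
    }
    $paid = $validated['paid'] ? 1 : 0;
    $stmt->bind_param('ii', $paid, $validated['order_id']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Offline self-check with constructed inputs (no database needed).
$good = ['order_id' => '4711', 'status' => 'Y'];
$good['sig'] = hash_hmac('sha256', '4711|Y', CALLBACK_SECRET);
$malformed = ['order_id' => '4711 OR 1=1', 'status' => 'Y', 'sig' => 'x'];   // constructed
$forged    = ['order_id' => '4711', 'status' => 'Y', 'sig' => str_repeat('0', 64)];

assert(validate_callback($good, CALLBACK_SECRET) === ['order_id' => 4711, 'paid' => true]);
assert(validate_callback($malformed, CALLBACK_SECRET) === null); // rejected before any SQL
assert(validate_callback($forged, CALLBACK_SECRET) === null);    // right shape, wrong origin
echo "callback validation checks passed\n";
```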

MaryTheG(r)eek
07-26-2007, 09:57 AM
Do you think an attacker really cares which file he must acess to break into the system?

There are some files not accessible by the users. In any case, I'm leaving the discussion; I'm not a coder any more, so this thread is not for me.

@Marco
Thank you for spending your time to check the file. I'd appreciate it if you PM your remarks and I'll correct them asap as I did yesterday.

Maria

Marco van Herwaarden
07-26-2007, 10:13 AM
@Marco
Thank you for spending your time to check the file. I'd appreciate it if you PM your remarks and I'll correct them asap as I did yesterday.

PM sent.

Paul M
07-26-2007, 12:16 PM
Furthermore I believe that all new mods must be checked by Moderators before going public.

I think I can safely say this will not happen in the foreseeable future.

but when I saw the moderator's profile (https://vborg.vbsupport.ru/member.php?u=81286), I understood many things just by seeing his photo. By the way (this is for Coordinators and Administrator), don't you think that Moderators (in other words staff) must be more careful in choosing their photo?

Sorry but this is just totally irrelevant. A moderator's picture has nothing to do with their coding knowledge, or their function on vbulletin.org.

nexialys
07-26-2007, 12:20 PM
I think I can safely say this will not happen in the foreseeable future.

Actually Paul, I would suggest that you never use that kind of sentence again... with the late events regarding "not happening changes" that came to be happening, I would suggest that all suggestions are taken into consideration, but not refused publicly like that...

Marco van Herwaarden
07-26-2007, 12:34 PM
Not sure if that is such a good advice nexialys.

We can only respond with the knowledge and plans we have at the time of the reply. The best thing is to be honest, and reply that it is very unlikely or even that it will not happen in the foreseeable future.

We received many complaints that we do not respond to suggestions, and now you are asking not to respond at all in public if the answer is No? That seems to be a contradiction.

nexialys
07-26-2007, 12:43 PM
it is not a contradiction... Paul told us at least 4 or 5 times this week that the suggestion would never be executed... and you just posted a new thread for suggestions about our point of view - in the coders thread.... THAT is in contradiction with what Paul said to all last week...

and my suggestion is about refusing directly without any other advice... not refusing generally.. you can refuse some suggestions, but that kind of answer is not very politically correct...

hambil
07-26-2007, 12:49 PM
As I said in another thread - it may just be a matter of perception (god knows I have that problem, too) but those kind of responses, given how and where they were, feel like attempts to shut down discussion. Sometimes they are even accompanied by the closing of the thread.

Marco van Herwaarden
07-26-2007, 01:14 PM
it is not a contradiction... Paul told us at least 4 or 5 times this week that the suggestion would never be executed... and you just posted a new thread for suggestions about our point of view - in the coders thread.... THAT is in contradiction with what Paul said to all last week...

Not trying to get this thread turned into a word game now, but:

In the above post Paul replied to the suggestion to let staff check all modifications before making them available to the public. He responded that this is unlikely to happen in the foreseeable future. (Some reasons for this reply are simple: Not enough staff to do so - we tried to set up such a thing with volunteer members performing this in the past but that did not get enough volunteers for a longer period of time - and the fact that if we "approve" a modification we might be implicitly liable for any vulnerability that we miss)

The thread you are referring to is on a totally different topic (advice to users in case of a found vulnerability) and we have never said (on the contrary even) that we would not reconsider the current message sent to users.

Kirk Y
07-26-2007, 02:52 PM
Even if it's something that many users thought, I believe that the real reason is something else than Marco wrote before ("Lots of reports lately").

In my opinion the problem came from the new moderators who came into the field like bulls in a crystal shop, trying to get their first congratulations.

To be honest, I was very upset with this situation (for many reasons) but when I saw the moderator's profile (https://vborg.vbsupport.ru/member.php?u=81286), I understood many things just by seeing his photo. By the way (this is for Coordinators and Administrator), don't you think that Moderators (in other words staff) must be more careful in choosing their photo? "Caesar's wife doesn't need just to be good. She must look good too". At least he has the 2 fingers up and not just one :D

I beg your pardon? My profile or whatever you think you know about me by looking at my profile picture has absolutely nothing to do with your modifications containing a vulnerability. And if by some extremely inaccurate measure you think that I'm unqualified for this position simply because I'm younger, you're sadly mistaken.

You might also be interested to know that I am not the one who found the vulnerabilities in your modifications, I'm merely the one that confirmed their existence.

In any event, I suggest you focus more on coding according to vBulletin's standards instead of attempting to analyze someone based solely on the contents of their profile. :)

nexialys
07-26-2007, 03:19 PM
hum, interesting, now we're on personal attacks... flaming is not permitted here, so please, everybody, behave correctly, or just quit discussing...

Paul M
07-26-2007, 03:44 PM
Actually Paul, I would suggest that you never use that kind of sentence again...

Thank you, I'm afraid I don't think I'll be taking up that suggestion.

Paul told us at least 4 or 5 times this week that the suggestion would never be executed... and you just posted a new thread for suggestions about our point of view - in the coders thread....

I'm not sure what I've said 4 or 5 times (nothing I can think of). If you are referring to site policy then you are mistaken. Asking for suggestions on how to word something is not setting site policy.

I suggest you concentrate on posting useful suggestions instead of some of the not so useful posts you seem to be making recently - and try not to engage in pointless arguments over the wording of posts (mine or anyone else's).

STT
07-26-2007, 07:29 PM
So the opinions of the users of these mods don't matter? Guess I should have already realized that from those coders who are condoning leaving the users vulnerable because announcing a flaw in their code might hurt their reputations.

Couldn't agree more with this - I've certainly had my eyes opened a little to the motivations of at least one coder in this thread. I hasten to add that the majority of coders do an excellent job and do indeed think of their users first, but a minority seem to be thinking first of their wallets (or indeed purses).

Keep up the good work, vbulletin.org - it's good to know you'll let mod users know of vulnerabilities.

hambil
07-26-2007, 08:06 PM
Couldn't agree more with this - I've certainly had my eyes opened a little to the motivations of at least one coder in this thread. I hasten to add that the majority of coders do an excellent job and do indeed think of their users first, but a minority seem to be thinking first of their wallets (or indeed purses).

Keep up the good work, vbulletin.org - it's good to know you'll let mod users know of vulnerabilities.
Consider for a second that most uninstalls remove data from the database. Now consider that you have to deal with numerous angry and confused users and explain to them that the data they spent months, perhaps years, building and collecting has just been wiped out because they acted on advice to uninstall for a problem you could have fixed in 5 minutes had you been given some advance warning. It costs real time, and yes, if you don't work for free then real money, to deal with that mess. It's also very upsetting to the users. Beyond that, there are numerous already stated reasons to tweak the process from how it is done now, and even the staff agrees, which is why changes are being discussed.

Still, if you want to see the worst in something, or someone, then I can't stop you. As the famous quote goes: You can't use logic to argue someone out of a position they didn't use logic to get into.

quiklink
07-26-2007, 08:08 PM
Consider for a second that most uninstalls remove data from the database. Now consider that you have to deal with numerous angry and confused users and explain to them that the data they spent months, perhaps years, building and collecting has just been wiped out because they acted on advice to uninstall for a problem you could have fixed in 5 minutes had you been given some advance warning. It costs real time, and yes, if you don't work for free then real money, to deal with that mess. It's also very upsetting to the users. Beyond that, there are numerous already stated reasons to tweak the process from how it is done now, and even the staff agrees, which is why changes are being discussed.

None of which has anything to do with or justifies leaving the end user vulnerable.

You say their data can get wiped out; yes it can if they haven't backed up. That's the end user's problem not yours. Then again, if they get hit due to the vulnerability while waiting for a fix they can run into a lot worse problems. I have no problem with changing how the user is notified and what they are told, it's a good idea. But it's never a good idea to leave them vulnerable. I mean how long is an adequate time to wait? What happens if the coder doesn't get the message about the vulnerability immediately because they are away from their computer, out of town, asleep, can't be bothered to update the code, etc? The end user is forced to remain at risk which is unacceptable.

sinisterpain
07-26-2007, 08:51 PM
A first step is to inform members to Disable a product and not to uninstall it. Most members don't know that by uninstalling it they're losing their data. I realized it from a huge amount of emails that I got from members asking me (but after uninstallation) if they lost their data.
This sounds like the most logical solution for both sides.

bobster65
07-26-2007, 09:23 PM
After reading this thread, I don't know who on this site to trust as an actual programmer. I know that anything that Kirby or Paul or Princeston (and a select few others) programs/writes/codes, I would trust, but beyond that, I don't know whether they are some noob/novice that learned how to hack a php script and accidentally got it working without any real knowledge of how it works, but released it as a hack/product, or whether the individual actually knows php, does it for a living (not a hobby) and cares about the script itself and not the accolades that may or may not come with it....

As a professional programmer and database admin, it disgusts me to see people that call themselves programmers want to keep a known vulnerability from an end user/client. There is NOTHING, not a darn thing positive about this at all and it is totally unprofessional. It's your responsibility when you release code to an end user/client to also protect that client from any harm by ensuring that your code is to standard and does not have any potentially harmful vulnerabilities. If you don't know what you are doing and don't care, then don't pretend you do by releasing code to the public. Another part of being a programmer is to notify them ASAP of any known or possible vulnerabilities, assure them that you are currently working on the issue(s), give them recommendations, ie, remove the hack until it's fixed, continue to use the hack/code/product but inform them of what may or may not happen (leave the option to the end user to make the decision to remove it or disable it) and get them the fix ASAP.

Most programmers and end users/clients understand that you don't want to publish what the vulnerability actually is, cause hackers search for that stuff and then can easily do more damage.... But to sit here and argue that withholding information from an end user/client about a vulnerability is good practice is beyond me. I'm certainly adding this topic to my hiring check list that I use to interview potential programmers. I have and probably will in the future fire someone over this unprofessional practice. I can not believe what I've read in this thread.

It's too bad that there are not more members that REALLY care (not pretend they do) about their product. Seems like this place is getting overrun by novice hackers (I can't and won't call them programmers).

I keep reading comments about the loss of data due to uninstalls; well, that goes back to the programmer getting off his back side and giving the recommendation to the client on how to prevent that from happening while a fix/solution is being worked on. This should be included in the first post when releasing a hack/script/module/product. Anyone that has been a professional programmer knows that IT departments (good ones) have what are called disaster and recovery plans. When you release a product, you also have steps on how to deal with vulnerabilities, data loss prevention, down time, recovery, disabling, removing, etc etc etc ... I can't believe I even have to bring that up.

Recommendations:

I recommend that the wording that is sent out to members that have installed a hack that is found to contain a vulnerability be changed slightly (which I think Paul has already mentioned that it would be)....

1) I would not use the word "Uninstall" as the first course of action.

2) I would inform the end user of several courses of action that they can take, not just to uninstall.

3) I would recommend that the end user contact the author of the thread for further guidance by first reading the thread to see if the author has posted how to deal with vulnerabilities or if the author has posted about the reported vulnerability.

4) I would assign one of the staff members to monitor the situation of the vulnerability. This would entail the staff member working with the author to ensure that a solution is being worked on or if the author has no desire to come up with a solution. This way the staff member could then tag the thread as being abandoned and vBorg could inform members that no solution to the vulnerability is being worked on by the author. They could then choose to fix it themselves giving the members a solution or they could inform the members that nothing will be done and the thread locked. On the other side, they could assist the author if the author requests it.

5) I would recommend that authors include procedures on how to deal with potential vulnerabilities within the release of the product.

6) I would recommend that an article be written by one of your better writers on how to deal with vulnerabilities (to prevent the loss of important data particularly). A link to this article would be included in the email sent to the end users.

7) PLEASE DO NOT stop informing members of vulnerabilities!

Anyway, I hope that the vBorg staff continues to notify members of vulnerabilities of hacks published on this site, cause god knows, some of the authors of these hacks certainly don't care and won't.

hambil
07-26-2007, 09:33 PM
7) PLEASE DO NOT stop informing members of vulnerabilities!
I don't know who you think is suggesting this, but as far as I know nobody has. Some of us have suggested a short delay (in my case I suggested 24 hours) between when the author is contacted and the alert is sent out, and that's assuming the knowledge hasn't gone public (been announced by someone in the hack thread, for example).

You have some good suggestions, but adding to the inaccurate and inflammatory rhetoric of some others in this thread is not helpful.

BTW: For what it's worth, I've been a professional programmer for 25+ years and written security procedures for major companies. If any of my advice gets me onto your no-hire list, then I'd consider that a positive thing.

quiklink
07-26-2007, 10:10 PM
I don't know who you think is suggesting this, but as far as I know nobody has. Some of us have suggested a short delay (in my case I suggested 24 hours) between when the author is contacted and the alert is sent out, and that's assuming the knowledge hasn't gone public (been announced by someone in the hack thread, for example).

How do you possibly justify leaving an end user vulnerable for even 24 hours after you have become aware of a security flaw in your code? What part of this do you not get? What right do you possibly believe you have to put someone at continued risk for a security flaw on their system due to your improper coding? Let's not forget the legal implications to both the coder and Jelsoft. Sorry, a disclaimer saying 'we take no responsibility...' doesn't usually fly too well in court if you knowingly allow it to happen.

It would be like a food processor saying 'lets wait a day or two and see if we can find the problem and get it fixed before we notify the public that our food has been contaminated. I doubt anyone will get sick'...

Nobody likes to admit there is a problem, and yes it might even have a financial impact if you are selling the product. But you have an obligation to notify those who are at risk as soon as you find out about it.

bobster65
07-26-2007, 10:17 PM
I don't know who you think is suggesting this, but as far as I know nobody has. Some of us have suggested a short delay (in my case I suggested 24 hours) between when the author is contacted and the alert is sent out, and that's assuming the knowledge hasn't gone public (been announced by someone in the hack thread, for example).

You have some good suggestions, but adding to the inaccurate and inflammatory rhetoric of some others in this thread is not helpful.

BTW: For what it's worth, I've been a professional programmer for 25+ years and written security procedures for major companies. If any of my advice gets me onto your no-hire list, then I'd consider that a positive thing.

Nobody suggested it or needed to suggest it, I made it part of my recommendation in case someone did happen to bring it up in the future, because I don't want to see that policy go away. One of the staff members asked that people provide recommendations, so I did. Not all of mine were based off arguments between members of this site.

As far as your recommendation of a delay, there is nothing positive about a delay period... Both the Author and end user should be informed as soon as the vulnerability is known. It's not your decision as a programmer whether the client wants to disable or remove the hack while you are coming up with a solution, but it is your responsibility to inform them about the vulnerability. Asking for vBorg to delay an announcement is doing just that. I've yet to see anyone provide one positive thing about a delay to the end user. Giving the programmer 24 hours to work on the solution before the end user is informed is NOT a positive thing. The only thing that a delay does is give the author time to work on the fix while the client doesn't know about it and sits there vulnerable. It seems like the attitude from some is "Who Cares about the client, it's just one more day".

Hambil, this is the point where we need to agree to disagree, cause I'm not about to get into a petty argument with you over this. I made my recommendations and they included all 3 parties involved (Programmer, Client and vBorg).

btw, for those that took my thread personally (since I wasn't pointing out anyone personally), you may want to take a long look in the mirror tonight as it obviously hit home.

hambil
07-26-2007, 10:29 PM
As far as your recommendation of a delay, there is nothing positive about a delay period... Both the Author and end user should be informed as soon as the vulnerability is known.

Hambil, this is the point where we need to agree to disagree, cause I'm not about to get into a petty argument with you over this. I made my recommendations and they included all 3 parties involved (Programmer, Client and vBorg).

I'm more than happy to agree to disagree. However, you didn't just disagree, you accused some coders of having an unprofessional and selfish agenda. And you did it again in this very post:

It seems like the attitude from some is "Who Cares about the client, it's just one more day".

I assume you have the best interests of the user at heart, even though I don't agree with your solution. Now that, is agreeing to disagree.

quiklink
07-26-2007, 10:33 PM
I'm more than happy to agree to disagree. However, you didn't just disagree, you accused some coders of having an unprofessional and selfish agenda. And you did it again in this very post:

Leaving an end user vulnerable IS unprofessional. As to a selfish agenda, any delay in notification is only to the benefit of the coder not the user...

hambil
07-26-2007, 10:38 PM
Leaving an end user vulnerable IS unprofessional. As to a selfish agenda, any delay in notification is only to the benefit of the coder not the user...
Immediate notification does not automatically mean the end user is safer. What part of that do you not understand? Jelsoft, and pretty much every company I have ever worked for or wrote security protocols for, does not do this unless the security flaw has already been made public, and is severe. I've already stated the reasons why. I don't care if you disagree with them, feel free. But if you continue to slander me you will regret it, as putting such things in print is illegal.

quiklink
07-26-2007, 10:44 PM
Immediate notification does not automatically mean the end user is safer.

But delayed notification certainly makes sure they remain unsecured and at risk.

I ask once again, who are you to decide upon the security of the end user's system? It is up to them to decide whether or not to continue to use the mod or to disable it or to uninstall it.

I don't care who you have worked for or what you have written. I've been in this field just as long and sorry, I've never worked for any company willingly putting themselves at further legal risk by not informing a customer of a security flaw immediately. Why? Because the notification can help limit potential damages that might arise should a breach occur due to the flaw.

As for the slander comments, thanks for the laugh! Oh and it would be libel, not slander...

Kirk Y
07-26-2007, 10:59 PM
Immediate notification does not automatically mean the end user is safer. What part of that do you not understand? Jelsoft, and pretty much every company I have ever worked for or wrote security protocols for, does not do this unless the security flaw has already been made public, and is severe. I've already stated the reasons why. I don't care if you disagree with them, feel free. But if you continue to slander me you will regret it, as putting such things in print is illegal.

WE are not Jelsoft and the decision has already been made that Users will be notified immediately upon the discovery of a vulnerability, so debating this point is fruitless.

bobster65
07-26-2007, 11:15 PM
I'm more than happy to agree to disagree. However, you didn't just disagree, you accused some coders of having an unprofessional and selfish agenda. And you did it again in this very post:

I assume you have the best interests of the user at heart, even though I don't agree with your solution. Now that, is agreeing to disagree.

You are correct that I accused some coders of having an unprofessional and selfish agenda. This very thread shows the entire community that it's an issue.. Maybe it will hit home and they will take some time to rethink the way they code and care about their code. If they don't, they have no business releasing code to end users.

I take it since you are so personally consumed with how I feel about this, you are feeling guilty, otherwise you wouldn't be responding as such, as it wouldn't pertain to you.

I gave 7 recommendations (as requested by the vBorg Staff) that covered End users, Programmers and Vborg Staff and one of them is something that you don't like. Oh well. I highly doubt that vBorg is going to delay notification to end users because they understand the importance of security vulnerabilities and won't put themselves in a compromising position just to benefit the personal agenda of a few unprofessional hackers.

Immediate notification does not automatically mean the end user is safer. What part of that do you not understand? Jelsoft, and pretty much every company I have ever worked for or wrote security protocols for, does not do this unless the security flaw has already been made public, and is severe. I've already stated the reasons why. I don't care if you disagree with them, feel free. But if you continue to slander me you will regret it, as putting such things in print is illegal.

You are correct Hambil.. Immediate notification does not automatically mean the end user is safer... what immediate action does is give the end user the option to take a course of action that they would not have by delaying the notification. The end user has just as much of a right to know of a vulnerability as the author of the code and it's up to the user to decide what is the best course of action to take. You still have not given one good solid professional reason to delay notification.

hambil
07-26-2007, 11:57 PM
You still have not given one good solid professional reason to delay notification.

ARGGGGH! I've given several, and more than once. You may not agree with them but to call them unprofessional is, well, unprofessional. I will repeat myself, yet again.

1) Notification of a security flaw before a fix is available can actually help inform those who wish to do harm. This is why vBulletin.org has already changed the wording of the notification sent to be generic, instead of specifically stating the security flaw (as they did when I first got involved in this conversation). Why would they make such a change unless there was a danger inherent in the proliferation of knowledge about security flaws? They wouldn't, period.

So, you may disagree with me on the details of this, but to call the idea that spreading information of security vulnerabilities carelessly is not dangerous unprofessional, is well... as I said - unprofessional.

link (http://www.wired.com/culture/lifestyle/news/2002/08/54328)

Some said that publicly announcing security holes before a company has a chance to fix the problem gives malicious hackers a head start on exploiting the holes.
Richard Schaeffer, deputy director of the National Security Agency, and Presidential Cybersecurity czar Richard Clarke spoke at Black Hat and Defcon. Both men agreed that the current level of software security is "terrible," as Clarke put it.
But both Schaeffer and Clarke also strongly requested that security experts act with discretion when they discover holes in software, delaying public disclosure until companies have time to release patches.
Others firmly believe that swift, open disclosure of discovered flaws serves users better than trusting the software companies to quickly deal with and publicly admit responsibility for security issues discovered in their products.

This is a seriously debatable topic, being dealt with by the top people in our field, and hardly a black and white issue. You do great injustice and potential harm to the very users you seem to think you are protecting by not giving the discussion the weight it is due.

I could list several more reasons, and have already, but that one alone should be enough to show the subject is debatable - at least to anyone who is still being rational.

@quiklink: slander, libel, either way it is wrong, and people on this board have been reprimanded for it before. I have not notified any staff or asked for their involvement, yet, because I am hoping you are mature enough to see the light on your own.

WE are not Jelsoft and the decision has already been made that Users will be notified immediately upon the discovery of a vulnerability, so debating this point is fruitless.

It's nice that a decision has been made, but productive debate should never be considered pointless. And, as seen many times already, nothing is written in stone. Ending a debate and declaring it over before it's run its course doesn't really work in the long run, because decisions then get reversed, or worse - the staff is forced to irrationally hold to a position because they stated strongly "we won't change".

quiklink
07-27-2007, 12:03 AM
ARGGGGH! I've given several, and more than once. You may not agree with them but to call them unprofessional is, well, unprofessional. I will repeat myself, yet again.

1) Notification of a security flaw before a fix is available can actually help inform those who wish to do harm. This is why vBulletin.org has already changed the wording of the notification sent to be generic, instead of specifically stating the security flaw (as they did when I first got involved in this conversation). Why would they make such a change unless there was a danger inherent in the proliferation of knowledge about security flaws? They wouldn't, period. So, you may disagree with me on the details of this, but to call the idea that spreading information of security vulnerabilities carelessly is not dangerous unprofessional, is well... unprofessional.

Not if the details of the flaw are not disclosed. And by not doing so you leave the user at risk rather than giving them an opportunity to remove the risk. And we are not discussing the change to the wording of the text. Neither of us has given issue to that. We have voiced disagreement with your assertion that the best thing to do is to not inform the user until after a fix is available. And no, there is nothing professional in that. It's nothing but self-serving.

This is a seriously debatable topic, being dealt with by the top people in our field, and hardly a black and white issue. You do great injustice and potential harm to the very users you seem to think you are protecting by not giving the discussion the weight it is due.

It is you who are dismissing this discussion and the risk of leaving the user vulnerable.

I could list several more reasons, and have already, but that one alone should be enough to show the subject is debatable - at least to anyone who is still being rational.

No, it just shows a callous indifference to the security of those using the mods.

@quiklink: slander, libel, either way it is wrong, and people on this board have been reprimanded for it before. I have not notified any staff or asked for their involvement, yet, because I am hoping you are mature enough to see the light on your own.

And yet I have committed neither slander nor libel. Feel free to report any of my posts. I doubt I'll have any problems.

Kirk Y
07-27-2007, 12:09 AM
It's nice that a decision has been made, but productive debate should never be considered pointless. And, as seen many times already, nothing is written in stone. Ending a debate and declaring it over before it's run its course doesn't really work in the long run, because decisions then get reversed, or worse - the staff is forced to irrationally hold to a position because they stated strongly "we won't change".

That decision has been made. But, by all means, feel free to continue.

hambil
07-27-2007, 12:11 AM
The decision has been made. But, by all means, feel free to continue.
Thank you.

In addition, many more things are being discussed in this thread other than just to delay or not delay. That decision may be made for now, but we all seem to agree the process in general needs work, and probably will continue to need work and improvement. Discussion is good for that.

Kirk Y
07-27-2007, 12:15 AM
I agree. It just seems that several people keep going back to whether or not users should be immediately notified when an exploit is discovered; I just wanted to make it clear that a decision on the matter was made, and it would therefore be better if they moved on to the other issues at hand.

MaryTheG(r)eek
07-27-2007, 06:10 AM
In any event, I suggest you focus more on coding according to vBulletin's standards instead of attempting to analyze someone based solely on the contents of their profile. :)

Your reply confirmed my opinion:
1.- First of all, I nowhere wrote that you're not a good coder, or that you don't have knowledge. What I wrote (in my other posts too) is that you don't have the experience to see a situation deeply.
2.- As for the photo, even if I believe that a photo is 1000 words, I wasn't the first one to have this opinion. There is a post on my site, much earlier than my post, where someone has the same opinion. And finally a profile (anywhere) is for giving a general view of the person.

AScherff
07-27-2007, 06:57 AM
as a Member or User:

i wish to be informed of a vulnerability... please

and also i wish a little more information about the vulnerability:

will it destroy the Server ?
will it destroy the database ?
will it destroy the vBulletin ?
will it destroy the mod ?
will it ..... ?

or is there only a theoretical chance that some one can inject or whatever

without showing the real vulnerability.

So i have a better chance to decide to deactivate, deinstall, or close my whole system

thanks

Alfred

RedTyger
07-27-2007, 07:41 AM
Your reply confirmed my opinion:
2.- As for the photo, even if I believe that a photo is 1000 words, I wasn't the first one to have this opinion. There is a post on my site, much earlier than my post, where someone has the same opinion. And finally a profile (anywhere) is for giving a general view of the person.

O RLY?

https://vborg.vbsupport.ru/external/2007/07/5.jpg

This is getting a little childish and unnecessarily personal not to mention approaching irrelevancy.

Back to the subject at hand, as someone said there are good reasons to notify before a fix is issued and afterwards, and it's perfectly possible to take a strong and valid stance either way. I don't particularly agree with being subject to stricter standards than vBulletin themselves (or at least I think those who have marked their modifications as supported could be given an immediate opportunity to do so) but that's OK. It's not unreasonable.

I think the most obvious change that could be made is allowing the modification authors (only) to post in the graveyard thread, which is a simple default switch to be flicked. They can then provide whatever information necessary if they so wish. If they don't, no problem.

MaryTheG(r)eek
07-27-2007, 08:05 AM
Well, this is most probably for the Coder's Forum, but as I rejected that title, I'm posting it here as it's relevant to this thread.

Everything is ok, most posts are logical, but it seems that we all forgot something. That part about "Reported by a Member". And I'm wondering:

"Does an average member have the knowledge to check a mod for security risks? In my opinion checking for security risks is much more difficult than programming. So, the reporter is not the average end user who downloads the mod for his own use, but is a coder who downloads it for ....what really?"

I thought about it seeing where my security risk was for vbDigiShop. It was in the file which handles the post back from the payment gateway. So someone gave special attention to that file for one of the following reasons:

To make changes so that my mod works with PayPal. By doing this he/she was breaking my copyright, which clearly stated that developing payment to work with PayPal is prohibited even if it was for his/her own use. I gave a full script to the public for free by deactivating only the PayPal payments.
To get the code for use somewhere else. Something which also breaks my copyright.

And now the critical question: "Do the Moderators plan to give me the details of a person who broke my copyright rules?"

Marco van Herwaarden
07-27-2007, 08:20 AM
Maria,

Please calm down now.

"Does an average member have the knowledge to check a mod for bugs? In my opinion checking for bugs is much more difficult than programming. So, the reporter is not the average end user who downloads the mod for his own use, but is a coder who downloads it for ....what really?"
I never used the word "average" ;)
A coder is also a regular member on this forum, as opposed to a staff member.

Why the focus on who reported it? How does this knowledge help you or the users?

In my view it is a non-issue who was the person that reported a vulnerability, all that counts is that someone found a possible vulnerability and took the time (luckily) to bring it under the attention of us so we can take actions to get things resolved. The result is all that counts. You (and the users of your work) should be glad that someone took the time.

I thought about it seeing where my security risk was for vbDigiShop. It was in the file which handles the post back from the payment gateway. So someone gave special attention to that file for one of the following reasons:

To make changes so that my mod works with PayPal. By doing this he/she was breaking my copyright, which clearly stated that developing payment to work with PayPal is prohibited even if it was for his/her own use. I gave a full script to the public for free by deactivating only the PayPal payments.
To get the code for use somewhere else. Something which also breaks my copyright.

And now the critical question: "Do the Moderators plan to give me the details of a person who broke my copyright rules?"
To answer your last question first: no we will not give out the name of the person that reported this.

Also you seem to have been jumping to some conclusions about how this person found the vulnerability and his intentions. I have no proof whatsoever that this person was trying to break your copyright. If you have such proof, please let me know and i will review this.

You seem to forget that we also have members that maybe consider installing a modification on their site and have the habit of first checking the code before putting any third-party coding on their website.

Zachery
07-27-2007, 08:36 AM
Well, this is most probably for the Coder's Forum, but as I rejected that title, I'm posting it here as it's relevant to this thread.

Everything is ok, most posts are logical, but it seems that we all forgot something. That part about "Reported by a Member". And I'm wondering:

"Does an average member have the knowledge to check a mod for security risks? In my opinion checking for security risks is much more difficult than programming. So, the reporter is not the average end user who downloads the mod for his own use, but is a coder who downloads it for ....what really?"

I thought about it seeing where my security risk was for vbDigiShop. It was in the file which handles the post back from the payment gateway. So someone gave special attention to that file for one of the following reasons:

To make changes so that my mod works with PayPal. By doing this he/she was breaking my copyright, which clearly stated that developing payment to work with PayPal is prohibited even if it was for his/her own use. I gave a full script to the public for free by deactivating only the PayPal payments.
To get the code for use somewhere else. Something which also breaks my copyright.

And now the critical question: "Do the Moderators plan to give me the details of a person who broke my copyright rules?"
How do you figure someone who reviewed your code from our site is breaking copyright laws? :confused:

MaryTheG(r)eek
07-27-2007, 10:36 AM
How do you figure someone who reviewed your code from our site is breaking copyright laws? :confused:

First of all, someone who reviewed my code (or reviewed anything, not only code) is not only breaking copyright laws. He is breaking the law about reviews, which says that performing a review (of anything) and posting the results of this review somewhere is prohibited without the written permission of the author (in the case of code) or the owner (in the case of a product).

Make a simple Google search for "reporting vulnerabilities" and you'll find it, as well as much other useful information. Among other things (there are real examples there), the Reporter (who can never be anonymous) must give details like:

Why he decided to make the review
Why he chose this software in particular (if it's about code)
Proof that he found only this vulnerability and that he hasn't hidden vulnerabilities in the past that he found and didn't report.

Dismounted
07-27-2007, 10:40 AM
as a Member or User:

i wish to be informed of a vulnerability... please

and also i wish a little more information about the vulnerability:

will it destroy the Server ?
will it destroy the database ?
will it destroy the vBulletin ?
will it destroy the mod ?
will it ..... ?

or is there only a theoretical chance that some one can inject or whatever

without showing the real vulnerability.

So i have a better chance to decide to deactivate, deinstall, or close my whole system

thanks

Alfred
We will NEVER send out details of any vulnerability as this can cause people to abuse that information and exploit it.

MaryTheG(r)eek
07-27-2007, 10:44 AM
Just a random article as an example:
http://www.cerias.purdue.edu/weblogs/pmeunier/policies-law/post-38/

Paul M
07-27-2007, 11:36 AM
First of all, someone who reviewed my code (or reviewed anything, not only code) is not only breaking copyright laws. He is breaking the law about reviews, which says that performing a review (of anything) and posting the results of this review somewhere is prohibited without the written permission of the author (in the case of code) or the owner (in the case of a product).

You released the modification here (to the public) for anyone to download. Therefore anyone can look at it and find any exploits it may have. No laws are broken doing this. Copyright laws are about stopping people from copying code and releasing it as their own (hence their name).

As for reviews - please show us this "review" law you refer to, because there is no such thing I know of (apart from which no review has been published anyway).

MaryTheG(r)eek
07-27-2007, 11:42 AM
You released the modification here (to the public) for anyone to download.

to download for use.. For nothing more....

As for reviews - please show us this "review" law you refer to, because there is no such thing I know of (apart from which no review has been published anyway).

I wrote it above. Actually it is the perfect example for this topic. Also don't forget to follow the links in the article's body. There are many more interesting facts to read there.

AScherff
07-27-2007, 12:01 PM
We will NEVER send out details of any vulnerability as this can cause people to abuse that information and exploit it.

Thanks, and the affected is standing in the rain.

So, if a vulnerability of a mod is reported and i receive an e-mail to deinstall the mod,
my decision must be to deinstall the whole vBulletin itself ! Because i do not know and can not decide if the vulnerability of the mod also breaks (or has broken) a leak in vBulletin itself :eek:

So, if you are not willing to give any (even low) detail of the vulnerability of a modification - then as a part of informing the customers i would appreciate hearing a loud and clear opinion that after deinstalling the mod (or whatever is to be done) it has done no harm to vBulletin and the system itself.

That's only a point of view from a customer...

hambil
07-27-2007, 12:04 PM
to download for use.. For nothing more....

I wrote it above. Actually it is the perfect example for this topic. Also don't forget to follow the links in the article's body. There are many more interesting facts to read there.
That's someone's blog, not a law.

MaryTheG(r)eek
07-27-2007, 12:15 PM
That's someone's blog, not a law.

Finally it became a word game. I wrote to follow the links. Especially one links to a newspaper. Read the article from the news.

hambil
07-27-2007, 12:18 PM
Finally it became a word game. I wrote to follow the links. Especially one links to a newspaper. Read the article from the news.
I'm not trying to play word games. That would be especially pointless since English isn't your first language, and we'd only end up misunderstanding each other even worse. I'm just trying to understand where you are coming from, and what you want to accomplish here. You're angry, I get that (I'm obviously occasionally hot headed myself). But we seem to have moved past anger into other more confusing things.

Paul M
07-27-2007, 03:00 PM
to download for use.. For nothing more....
If you allow it to be downloaded, and it's visible source, then people can read it. This is not against copyright law (or any other law).

Kirk Y
07-27-2007, 03:01 PM
to download for use.. For nothing more....

You cannot release a modification here and stipulate that its backend can't be looked at; that's not only illogical but incredibly bad practice (for end-users).

Further, one need not modify your code to see that it contains vulnerabilities...

Marco van Herwaarden
07-27-2007, 03:46 PM
First of all, someone who reviewed my code (or reviewed anything, not only code) is not only breaking copyright laws. He is breaking the law about reviews, which says that performing a review (of anything) and posting the results of this review somewhere is prohibited without the written permission of the author (in the case of code) or the owner (in the case of a product).

Make a simple Google search for "reporting vulnerabilities" and you'll find it, as well as much other useful information. Among other things (there are real examples there), the Reporter (who can never be anonymous) must give details like:

Why he decided to make the review
Why he chose this software in particular (if it's about code)
Proof that he found only this vulnerability and that he hasn't hidden vulnerabilities in the past that he found and didn't report.

If there are any word games in this thread, then they start with this post.

http://dictionary.cambridge.org/define.asp?key=67665&dict=CALD

review
verb [T]

1 to consider something in order to make changes to it, give an opinion on it or study it:
The committee is reviewing the current arrangement/situation.
Let's review (= talk about) what has happened so far.
He reviewed (= thought about) his options before making a final decision.

If someone is looking into code, then obviously the word 'review' is used in the above meaning.

2 If critics review a book, play, film, etc. they write their opinion of it:
I only go to see films that are reviewed favourably.

This is the type of review that you are aiming your anger at. Nothing like that happened on this website.

Clayton
07-27-2007, 06:01 PM
I have mentioned in the thread earlier that I have seen changes over the years on vb.org and how things ebb and flow

however what has been shown in this thread is how people with authority respond and their autocratic manner.

At one point this thread had reached a solution and I recall posting, thanking everyone for making progress, since then it seems to have become a dog's breakfast which highlights the joys of such forums where so many persons with opinions get involved

it also seems as though microhellas has certain gripes relating to the way she has been treated over time by vbulletin staff and its representatives and feels that she has been unfairly treated on a number of occasions, to her this may be perception however only time will show. It makes me wonder whether one can ask whether vbulletin have plans to launch add-ons very similar to what microhellas has already put out?

because if this is indeed so then I suppose she had reason for her gripes

only time will tell

as for this thread, for me I have seen enough and actually don't really care much as it's better the devil you know than the one you don't know

mazel tov

hambil
07-27-2007, 06:35 PM
It makes me wonder whether one can ask whether vbulletin have plans to launch add-ons very similar to what microhellas has already put out?
Now that they are releasing paid add-ons, I am sure they will be stepping on some toes. It's unavoidable. How aggressive they are going to be, it's hard to say. Most of us are pretty defenseless. But, if they come up against vbSEO or PhotoPost, it could get interesting.

Paul M
07-27-2007, 07:07 PM
This thread now seems to be moving into the realms of fantasy, vbulletin.org do not treat reports of an exploit in any modification differently because of some vague possible future clash with a potential/possible/maybe future Jelsoft product, that's just ridiculous.

The last few pages of this topic have gone nowhere really (just in circles) and it's heading towards closure.

Clayton
07-27-2007, 07:11 PM
it reached its climax around page 4 or 5 when Wayne Luke gave a solution

thereafter we have had a clear display of various behaviour from both sides no matter what one side may think

hambil
07-27-2007, 07:47 PM
This thread now seems to be moving into the realms of fantasy, vbulletin.org do not treat reports of an exploit in any modification differently because of some vague possible future clash with a potential/possible/maybe future Jelsoft product, that's just ridiculous.

The last few pages of this topic have gone nowhere really (just in circles) and it's heading towards closure.

I never said that. I was responding rationally to the somewhat OT comment about vBulletin releasing paid add-ons. Geesh, do you have to be so heavy handed in everything you post, all the time, Paul?

Lizard King
07-27-2007, 09:03 PM
I just would like to say that I never install a hack on my board before checking the code. I also first install all mods on my test server and check for possible bugs etc. before making any change on my live server. Therefore I review all the code I have on my board (except vBSEO because the code is not visible). The only point here is that there has been a vulnerability found in a coder's mods. The coder also sells the same products. Because of the vulnerability found in her mod, and also because her coding structure is not similar to the vBulletin way, she loses some money because of possibly angry customers. And then she comes here and throws her anger all around, which I believe she has no right to do. Because this site is based on sharing, and the staff also have a responsibility to the members, since lots of users' data are in danger. The procedure can be developed, but I believe the key point shall only be protecting members.

Paul M
07-27-2007, 09:11 PM
Geesh, do you have to be so heavy handed in everything you post, all the time, Paul?

I think that confirms that this thread has outlived its sell-by date, completely off topic.

I'm off on holiday now so my last action before leaving is to close it.