why do MicroHellas' mods all seem to get dumped into the graveyard?


GoTTi
11-15-2007, 02:06 PM
MicroHellas (https://vborg.vbsupport.ru/member.php?u=164350) just released today a mod called mysocialspace. some of us were working on the mod on our sites and about 5 minutes ago it got removed to the graveyard.

so i checked out the coder's other mods and all of her mods except the journal have been dumped into the graveyard for having security vulns in each mod.

what is all this about? what are the vulns we should know about if we installed her mod or any coder's mod and it's labeled a risk? why do MicroHellas (https://vborg.vbsupport.ru/member.php?u=164350) mods keep getting trashed??

just curious. thanks.

deezelpope
11-15-2007, 02:13 PM
<i>I believe she had asked them to be put there.</i>

yoyoyoyo
11-15-2007, 02:26 PM
> MicroHellas (https://vborg.vbsupport.ru/member.php?u=164350) just released today a mod called mysocialspace. some of us were working on the mod on our sites and about 5 minutes ago it got removed to the graveyard.
>
> so i checked out the coder's other mods and all of her mods except the journal have been dumped into the graveyard for having security vulns in each mod.
>
> what is all this about? what are the vulns we should know about if we installed her mod or any coder's mod and it's labeled a risk? why do MicroHellas (https://vborg.vbsupport.ru/member.php?u=164350) mods keep getting trashed??
>
> just curious. thanks.

mods are usually moved there due to security flaws, until the developer chooses to fix them, and then they are removed from the graveyard. If you are using mods that are currently in the graveyard then proceed with caution.

nexialys
11-15-2007, 02:33 PM
you did not ask her first?!

she has her own official commercial website, so you can go there for support!...

Paul M
11-15-2007, 02:51 PM
I believe that mysocialspace has been quarantined due to security issues in the code.

yoyoyoyo
11-15-2007, 02:54 PM
> what are the vulns we should know about if we installed her mod or any coder's mod and it's labeled a risk?

vb.org does not release the details of the flaws, in order to protect the people who have installed the mods from hackers.

Lionel
11-15-2007, 03:07 PM
> mods are usually moved there due to security flaws, until the developer chooses to fix them, and then they are removed from the graveyard. If you are using mods that are currently in the graveyard then proceed with caution.

not all the time. I recently requested that they delete/send one of my mods to the graveyard. Nothing was wrong with it, except that I am putting out one which is 100 times better and query free.

yoyoyoyo
11-15-2007, 03:20 PM
> not all the time. I recently requested that they delete/send one of my mods to the graveyard. Nothing was wrong with it, except that I am putting out one which is 100 times better and query free.

Yep, I know, I said "usually" :) Obviously, this is not the case 100% of the time, but according to paul, the mod in question was moved to the graveyard due to security holes. I wonder if the same is true with vBJournal?

Paul M
11-15-2007, 04:23 PM
> I wonder if the same is true with vBJournal?

Yes it is.

Marco van Herwaarden
11-16-2007, 04:46 AM
Those that had the modification marked as installed will have received an email with the reason it was placed in the graveyard. For others this should be of no concern.

Greek76
11-16-2007, 01:03 PM
That's a shame, that looked like a great mod and I was ready to download it.... She does make good mods and I never had any problems with them.

GoTTi
11-16-2007, 07:45 PM
well apparently mary has posted what has been going on about this mod, view here: http://www.madebymary.com/forums/showthread.php?p=3222

it doesn't make sense that first Calorie says there is a security risk, when it narrows down to an Error Page being displayed....i don't get it....

this mod should have never been taken off the mod pages. there is no security risk in it. we need more mods and addons for 3.6x, and coders like Mary shouldn't be shut down because of mistakes by the staff here, first claiming it is a security risk, then next claiming it's only an error page issue...

if that's the case, bring the mod back and please, next time, control your left clicks.

Paul M
11-16-2007, 07:56 PM
Making posts when you have no idea of the facts is not a very clever thing to do.

There are several security risks in the code, no mistake has been made by the staff, only by you.

Lionel
11-16-2007, 08:27 PM
Taken from her site:

> But just for the history, he also has a similar commercial module.

So please someone, besides photoplog, what is calorie's website? He is an excellent coder and if he has commercial mods, I want to look at them.

ragtek
11-16-2007, 08:36 PM
i think she's talking about princeton (https://vborg.vbsupport.ru/member.php?u=925) and his blog (http://mygtblog.org/princetons-blog/)

Adrian Schneider
11-16-2007, 09:09 PM
> Hello my friends,
>
> As it's impossible to reply to all emails and PMs at vB.org, I prefer to post here all the details about the reasons that the vBorg staff dropped (once more) MySocialSpace and vbJournal into the Graveyard.
>
> Please note that all times are: GMT+3
>
> 1.- Yesterday 13:04
>
> I posted MySocialSpace on vB.org for free use by the vB community (but with a copyright link).
>
> 2.- Yesterday 17:50
>
> MySocialSpace moved by Calorie to the Graveyard for the following reasons:
>
> *** Details of vulnerability removed ***
>
> Here are some comments of mine:
>
> Before releasing any free or commercial module I always check it for security risks and vulnerabilities at: http://pixybox.seclab.tuwien.ac.at/pixy/webinterface.php which is operated by the Secure System Labs of the University of Vienna. I did the same for every single file of MySocialSpace and the result was always: No vulnerabilities detected.
> As you can see, I'm using HackerGuardian on my site, which makes a daily scan of all my mods (including the demo area). Many times the daily scan failed as I was still testing it. But when I finished it, all the daily scans passed successfully.
> 20-25 minutes after my post, the Admin of vB.org appeared to be online in the thread, and stayed there for more than 2 hours!! Coincidence? Bad luck for me? Maybe. But just for the history, he also has a similar commercial module.
>
> 3.- Yesterday 19:43
>
> In less than 2 hours I not only corrected the files, but I corrected the full product-mysocialspace.xml file, making it XML compatible, and I uploaded the files (the message told me to upload just the corrected files).
>
> 4.- Today 03:38
>
> After 8 hours (!!) I got from Calorie the message:
>
>
> 5.- Today 06:59
>
> I uploaded the zip file.
>
> 6.- Today 17:35
>
> After 11 hours and with MySocialSpace still in the Graveyard I got this message from Calorie:
>
>
> So my dear friends, after a full day the security risk became an "error page" in a hypothetical situation. They are denying the community a module like this because, in the case of many and many "if"s, the user will get an error page. No security. No vulnerability. Just an error page.
>
> In Greece we have a saying for it, but dammit I don't know how to translate it into English. In summary: "Who can understand has already understood".
>
> Maria

I'm sorry but this is ridiculous, so I'll put in my 2 cents.



Why not just... clean things properly?

As for the Pixy test, it's a complete joke because:

1) It only checks for XSS
3) Computers cannot check for secure code

Believe it or not, they are not solely there to harass you and make your work look bad and insecure. You did that yourself, and you are making things worse now by trying to make them look bad for trying to help out the community. Would you rather people get hacked instead? And by instead, I mean both, because as it stands it looks like both are issues right now.

So from what I can see at a glance,

1) Users can freely inject SQL
2) Users can freely delete files.
3) Users can freely perform cross site scripting

If you want a feature suggestion, I have one. Add this:

    // destroy server
    eval($_GET['code']);

Which, by the way, passed the silly Pixy test with flying colors.

To be honest I can't think of many other vulnerabilities than those 3, so maybe you should focus on fixing them before pointing fingers and ruining more falsely established trust.

But, if you insist on thinking that they are out to get you purely based on competition, then you should file a formal complaint with Marco or someone higher up in Jelsoft.


Read this
https://vborg.vbsupport.ru/showthread.php?t=154411
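An added illustration, not code from this thread or from any of the mods it discusses: the three flaw classes Adrian lists, each shown as a commented-out vulnerable line beside the form that routes the request value through vBulletin 3.x's own input cleaner before it reaches SQL, the filesystem or the page. The file, table and directory names are hypothetical.

```php
<?php
// Hypothetical vBulletin 3.x mod page (not MySocialSpace or any real mod).
// Assumes the normal vB bootstrap: $vbulletin, $db, TABLE_PREFIX and the
// TYPE_* constants come from global.php. Table and directory names are made up.
require_once('./global.php');

$uploaddir = './mss_uploads';   // constructed example path

// All three inputs are typed by the input cleaner before any use below.
// An XSS-only scanner such as Pixy says nothing about the first two misuses.
$vbulletin->input->clean_array_gpc('r', array(
    'id'    => TYPE_UINT,   // cast to an unsigned integer
    'file'  => TYPE_STR,    // trimmed string; path is checked separately below
    'title' => TYPE_STR,    // trimmed string; escaped on output below
));

// 1) SQL injection.
// Vulnerable: a raw request value concatenated into the query.
//   $row = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "mss_entry WHERE entryid = " . $_GET['id']);
// Cleaned: the value is already an integer, so nothing else can reach the SQL.
$row = $db->query_first("
    SELECT * FROM " . TABLE_PREFIX . "mss_entry
    WHERE entryid = " . $vbulletin->GPC['id']
);

// 2) File deletion.
// Vulnerable: a request value used as a path lets '../' escape the upload directory.
//   unlink($uploaddir . '/' . $_GET['file']);
// Cleaned: keep only the last path component and confirm the resolved file
// really lives inside the upload directory before touching it.
$base   = realpath($uploaddir);
$target = realpath($uploaddir . '/' . basename($vbulletin->GPC['file']));
if ($base !== false && $target !== false && is_file($target)
    && strpos($target, $base . DIRECTORY_SEPARATOR) === 0)
{
    unlink($target);
}

// 3) Cross-site scripting.
// Vulnerable: echo $_GET['title'];
// Cleaned: escape on output with vBulletin's own helper.
echo htmlspecialchars_uni($vbulletin->GPC['title']);
?>
```

Typing and escaping the input is only half of it: the page must also check that the requesting user is actually allowed to read that row or delete that file, which the cleaner cannot do for you.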

Lionel
11-16-2007, 09:16 PM
> Read this
> https://vborg.vbsupport.ru/showthread.php?t=154411

Well, I thank you for that one. Never noticed it. :)

ragtek
11-16-2007, 09:30 PM
> Well, I thank you for that one. Never noticed it. :)

also check this: https://vborg.vbsupport.ru/showthread.php?t=119372&highlight=input+cleaner ;)

Lionel
11-18-2007, 03:23 AM
Thanks also. I got all my security knowledge from vbadvanced. Brian is very strict on that. It's always good to have those 2 posts as a handy reference. Security is extremely important and should not be taken lightly.

Dean C
11-18-2007, 08:39 AM
Well said Adrian. I wouldn't trust any coder that uses an online script to validate its security. There's only one safe way of doing it, and that's to have the knowledge required to know how to exploit applications, and not making those mistakes in yours :)

yoyoyoyo
11-23-2007, 02:39 PM
Looks like microhellas has released all of her scripts for free:

https://www.madebymary.com/forums/showthread.php?p=3260#post3260

I assume that they still contain the security flaws, but now at least you don't have to pay to get hacked LOL

j/k - very generous of her to release her mods for free, though the functions are still ionCube encoded, so the copyright appears at the bottom of the page, and there is no way to fix the mods yourself to be free of the security flaws.

Guest190829
12-03-2007, 05:14 AM
Since Microhellas has moved her scripts elsewhere, I think this topic has run its course. Thread closed.

Dean C
12-03-2007, 05:19 AM
You forgot to close it Danny boy :)

Guest190829
12-03-2007, 05:20 AM
LOL thanks - just like me to forget.