I've just gotten the following message via email:

** DO NOT REPLY TO THIS MESSAGE **

* Quarantine Notification *

The following modification has been 'quarantined' by vBulletin.org.

https://vborg.vbsupport.ru/showthread.php?t=139248

The author of the modification has been informed and asked to address the quarantine reason(s), until this is done the modification will remain in the vbulletin.org graveyard.

If you are currently using this modification then you may wish to consider disabling it.
If the modification consists of a product then disabling the product should be all that is required.
Do not uninstall the product as this may delete any data associated with it. If the modification also included new files then you may remove (or rename) them.

Once the author has responded to the issues you will be notified that it has been restored.

Thank you,

vBulletin.org Staff

So again - I will post my concern.
Why has this modification been quarantined? If the modification is installed on other vB.org Members' boards - is there a security risk? Why the HELL are the people who have marked the modification as installed not given the reason for the quarantine? If there is a security risk - how am I to completely uninstall the modification?

These are only a few questions that come to mind immediately. And it's my assumption that vB.org just does not give a damn about its Members' board security if the only thing to do is send that bogus email as quoted above. For instance - Say I had the modification installed and now want to completely remove it because of whatever reason, mainly because it's been quarantined and is likely a security issue involved and I want my forums to be secure so that some foul ass, malicious hacker cannot take advantage of said security threat. How am I to do this?

I hope that when it comes time to finally upgrade the vB.org forums to the newest release of vBulletin software, that a better system (one which is both informative and has the best interests of vBulletin paying customers' board security in mind) is implemented! Because = simply put: sending out a quarantine email is both infuriating and bogus if there is not a single bit of information shared via that email AND there's no way to access the download as to know which files to delete, making the uninstall 100% complete. A simple solution might be to allow access to the uploaded file (if it's still available) for all of those who have marked the modification as installed.

Jacquii.

You can assume what you like, it still wont make you right.

We have gone over this time and time again, and as you well know, we will not publicly post details of the issue. The author has been informed and thats the only person who will be.

I think what he means is if you quarantine the thread, all the people with the mod have no clue how to uninstall it since the instructions to do just that have been quarantined.

Thats why I ALWAYS keep a copy of the .zip file on my hard drive and on my server in case something like this happens ;)

Thats why I ALWAYS keep a copy of the .zip file on my hard drive and on my server in case something like this happens ;)
Exactly. Do people really NOT keep a copy of the mods they have installed? I have all my zip files, and if different versions were released, I have copies of every version I downloaded and installed.

many times the install/uninstall are on the 1st post of the mod thread.

I always take screenshots of every post within all the threads of every mod I download just incase it ever gets graveyarded so this is never an issue for me. Then I back up the screenshot jpgs on 2 different thumbdrives in case my hard drive crashes or 1 of the thumbdrives crash in case. Its the best solution in case your mods ever get graveyarded so you can uninstall easily. I suggest everyone do this since the entire threads vanish off vb.org when they get graveyarded.

I have all my zip files, and if different versions were released, I have copies of every version I downloaded and installed. Same here. But alot of people don't keep copies.

It would be smart to just in case though. Because at anytime, the author could also request that the modification be removed, and we're back to the same problem

jacquii as a paying customer you have every right to give suggestions to improve a product.

jacquii as a paying customer you have every right to give suggestions to improve a product.

I think so too - and that's what my post is about - it's about improving the vB.org community - I think it's a valid suggestion anyway. I wouldn't have posted it again if I didn't think it was an important one - and honestly - I was a bit insulted by Paul's flippant comment. I suppose it's a good thing I do not wear my emotions on my sleeve LOL

Anyway - I do quite hope that the suggestion is just not dismissed as the ranting of Jacquii ((sigh...))

Jacquii.

If a modification is quarantined because of a security problem and the details of the problem were posted, then I think that would be a pretty stupid thing for us to do. It would just make it that much easier for those who have nothing better to do than hack boards to go around testing for the flaw in the mod.

If I were you, and I got a notice that a modification I had installed was quarantined, I think I would assume there is something wrong with it and disable it until a fix is posted.

That's just it Lynne - I dare say a good majority of times there is no fix posted. Posting the details of the problem or adding it to the email notice wouldn't be stupid - sometimes I've seen exploits posted over at milw0rm before it's even talked about on vB.org --- IDK - I just believe it's a solid idea that people who have marked a modification as installed be included in the discourse - ya know that saying about "knowledge is golden" and all... Oh wait - that's "silence is golden" -- but still the same concept I guess. Anyway - it's just frustrating to be told that a modification has been quarantined and simultaneously be told absolutely nothing at the same time.

Jacquii.

I still disagree that it would be a good idea to go into details about the exact exploit. I do, however, think that the email would be better done to state whether it is an exploit and then strongly recommend that users disable it. Right now, it simple suggests you may want to consider it disabling a mod, whereas I think if it is an exploit, it should recommend, not ask you to consider, disabling it. The email also doesn't say if it is an exploit or not, and I see no problem with the email saying that if that were the case. My opinion, of course.

I still disagree that it would be a good idea to go into details about the exact exploit.... The email also doesn't say if it is an exploit or not, and I see no problem with the email saying that if that were the case.

I think what I'm trying to espouse is that "no info" is simply horrid. For me "all-inclusive info share" is ideal - because I honestly think there's absolutely no point in even sending out the quarantine email if there is no further info included with it. That's like saying, "The mod you've downloaded/installed is no longer available for download/install. But HA! We're not gonna tell you what's wrong with it. In fact - FU!" -- That's probably very crass - but that's exactly how I've translated the scenario...

Of course - I'm of the school that the graveyard and quarantined modifications should still be allowed download access, if only for purposes of fixing and/or improving the modification so that it may be shared once again within the vB Community. I think if one cannot access the download - then the download really has no business being shown in the first place. What? Are we trying to tease each other here?

Simply put - I'm only thinking of those who have downloaded and installed such a quarantined or graveyarded modification. Perhaps not everyone should have access to the info or downloaded files (if even available) - but those who have at least clicked the install button should be given some sort of details. The idea here is to have a board which is SECURE from exploits, as well as modified to our liking. And if a modification is no longer classified as secure and quarantined as such - then it's not only the responsibility of the board owner to take appropriate action BUT it's ALSO the responsibility of vBulletin.org to provide all information available so that Members CAN take the appropriate action for the security of their forum.

That's what I'm saying - and yes - It's my opinion. Anyway - I hope this better explains the reason for my original post.

Jacquii.

Ok let me start by addressing some of the issues you raise in this thread.

There are only 2 situations in which a modification is quarantined:

- A (possible) exploit has been discovered. As per our Mod Exploit Guidelines (https://vborg.vbsupport.ru/info.php?do=security) we will snet out a warning email to all that have marked the modification as installed. Such an email is only sent in case of an exploit. So if you receive such an email it is to warn you about a possible vulnerability.
- The modification is breaking a rule that can be resolved. No email to the users is sent in this case as this is a private issue between vB.org (rules) and the author.

Details of a possible vulnerability are only sent to the coder and not to the users. We have no intention to change this. But if you think that we should update our text to make it more clear that the email was sent because of a possible vulnerability, then feel free to suggest an alternative text. But the current text was made after discussions with members.

Files are not available for download when a modification is quarantined. One of the reasons for this is not to help potential hackers to exploit such a vulnerability before a fix is provided by the author. But also the current version might not be available anymore.

Files can become unavailable for many reasons, in most of the situations these files are either deleted or can not be shared anymore for copyright issues. This is not limited to a quarantined modification. For this reason it is always your own responsibility to ensure that you can uninstall a modifiction, even if the files are not available anymore. There are many ways to solve this, most people simply save a copy of a modification when they install it. You can try to make this our responsibility, but how you run your board is really your own.

Now let's address your complaint on how you are treated by staff.

- You start a thread on a topic that has already been discussed before, and you know this. Now i don't have a problem with someone making a suggestion again, but you bring no new arguments, you only repeat the same as in older threads on this topic. Not a surprise that you will receive the same answers.
- The title of your post is not like your intentions are to make a serious suggestion, it is more the start of a rant: Concerned about another quarantine email I received. Does vB.org just not give a damn. If it had been only the first sentence it would have been fine, but by adding that vb.org doesn't give a damn you are already paving the way to get a negative response by staff.
- "Why the HELL are the people who have marked the modification as installed not given the reason for the quarantine?" Why the need to use langauge like "Why the HELL". Also you are asking a question that has been answered to before.
- "And it's my assumption that vB.org just does not give a damn about its Members' board security if the only thing to do is send that bogus email as quoted above." Again, no positive suggestions, only a rant. If you think these mails are bogus then this would invalidate most of your rant. If you don't want them, don't mark modifications as installed. Sending out a warning is a service we provide to our members to help them mitigate security issues.

How do you think staff should respond when you only post a rant about things already discussed before in such a negative way?

I won't go anyalyzing your other posts in this thread as i think i already gave enough examples from your first post in this thread, but your responses only go further down the road.

Suggestion - Extract the uninstall .txt file from the .zip archive and allow members to view this. Not a fully fledged solution if the file didn't come with uninstall instructions but it's something. I'm guessing that a proportion of scripts that have an exploit found within them will have a .txt file within the archive and or/post.

The mod in question consists entirely of a single product, all that is needed (if you so wish) is to disable it.

Does vB.org just not give a damn


I'am a member of a LOT of CMS and forum sites, and vb.org is probably the only one that sends out a notification when a security issue is found. If they did not care, they would not disable the mod and send out an email. In fact, its just the opposite, they do care.

If you do not know how to uninstall a modification - that is your own fault. Always keep a backup of the modifications that you have downloaded.

It is not vbulletins place to discuss security issues - you need to contact the developer about that. Better yet, remove the modification from your forum and wait for an update. The more time a developer has to spend answering emails and private messages, the less time they have to work on a fix.

Ok let me start by addressing some of the issues you raise in this thread.

There are only 2 situations in which a modification is quarantined:

- A (possible) exploit has been discovered. As per our Mod Exploit Guidelines (https://vborg.vbsupport.ru/info.php?do=security) we will snet out a warning email to all that have marked the modification as installed. Such an email is only sent in case of an exploit. So if you receive such an email it is to warn you about a possible vulnerability.
- The modification is breaking a rule that can be resolved. No email to the users is sent in this case as this is a private issue between vB.org (rules) and the author.

Details of a possible vulnerability are only sent to the coder and not to the users. We have no intention to change this. But if you think that we should update our text to make it more clear that the email was sent because of a possible vulnerability, then feel free to suggest an alternative text. But the current text was made after discussions with members.

Files are not available for download when a modification is quarantined. One of the reasons for this is not to help potential hackers to exploit such a vulnerability before a fix is provided by the author. But also the current version might not be available anymore.

Files can become unavailable for many reasons, in most of the situations these files are either deleted or can not be shared anymore for copyright issues. This is not limited to a quarantined modification. For this reason it is always your own responsibility to ensure that you can uninstall a modifiction, even if the files are not available anymore. There are many ways to solve this, most people simply save a copy of a modification when they install it. You can try to make this our responsibility, but how you run your board is really your own.

Now let's address your complaint on how you are treated by staff.

- You start a thread on a topic that has already been discussed before, and you know this. Now i don't have a problem with someone making a suggestion again, but you bring no new arguments, you only repeat the same as in older threads on this topic. Not a surprise that you will receive the same answers.
- The title of your post is not like your intentions are to make a serious suggestion, it is more the start of a rant: Concerned about another quarantine email I received. Does vB.org just not give a damn. If it had been only the first sentence it would have been fine, but by adding that vb.org doesn't give a damn you are already paving the way to get a negative response by staff.
- "Why the HELL are the people who have marked the modification as installed not given the reason for the quarantine?" Why the need to use langauge like "Why the HELL". Also you are asking a question that has been answered to before.
- "And it's my assumption that vB.org just does not give a damn about its Members' board security if the only thing to do is send that bogus email as quoted above." Again, no positive suggestions, only a rant. If you think these mails are bogus then this would invalidate most of your rant. If you don't want them, don't mark modifications as installed. Sending out a warning is a service we provide to our members to help them mitigate security issues.

How do you think staff should respond when you only post a rant about things already discussed before in such a negative way?

I won't go anyalyzing your other posts in this thread as i think i already gave enough examples from your first post in this thread, but your responses only go further down the road.

Marco - My intentions with posting this thread was NOT TO START A FLAME WAR - it was to make a suggestion! Instead of treating this thread as some "ranting of Jacquii" as you obviously have done - you can analyze the content of my SUGGESTION:

The idea here is to have a board which is SECURE from exploits, as well as modified to our liking. And if a modification is no longer classified as secure and quarantined as such - then it's not only the responsibility of the board owner to take appropriate action BUT it's ALSO the responsibility of vBulletin.org to provide all information available so that Members CAN take the appropriate action for the security of their forum.

If you cannot see that as a valid - then YES - It seems as if vB.org just not give a damn- in fact - why not just close the thread as AGAIN it's quite apparent that another suggestion for the betterment of vBulletin.org and for the security of Members' forums will not be considered.

Jacquii.

btw - Thanks a lot for that bogus infraction. I do not see how any of my posts in this thread deserve an infraction. It's ridiculous - but I've come to expect absolutely nothing better from the likes of you Marco.

--------------- Added 1252695192 at 1252695192 ---------------

The mod in question consists entirely of a single product, all that is needed (if you so wish) is to disable it.

Paul - This thread is not about "the mod in question" -- This thread is regarding ANY AND ALL modifications which may have been quarantined and/or graveyarded. Your comment is exactly the kind which lead to the 2nd sentence of the thread title "Does vB.org just not give a damn" --- Meh.

Jacquii.

--------------- Added 1252695628 at 1252695628 ---------------

It is not vbulletins place to discuss security issues....

Yes it IS! This is an official vBulletin modification site. If vBulletin is not to care about the security of its Members purchased products, then who is? And yes - I know - vBulletin cannot officially blablabla offer support for modified boards blablabla... But the gist of my suggestion and others who have made the same suggestion is that vBulletin.org should have a policy in place which actually is for the security of Members' boards.

I don't understand what's so difficult to grasp about the concept... And again - this is the type of comment which makes me ask, "Does vB.org just not give a damn?" --- hmmm perhaps that is an incendiary, not-quite-tactful way to phrase the question and I just did not realize it. Meh. That's not to say that it's not a damn good question though. I think it is - and obviously the vB.org Coordinator and one of the Administrator have answered with an overt, "Nope. Sure doesn't. And neither do I."

Oh well...

Jacquii.

Yes it IS! This is an official vBulletin modification site. If vBulletin is not to care about the security of its Members purchased products, then who is?

Jacquii.

Is it Fords responsibility to discuss a flaw in Firestone tires? Nope.
Is it Dodges responsibility to discuss a flaw in Goodyear tires? Nope.
Is it Dells responsibility to discuss a flaw in Norton Anti-Virus? Nope.

You buy a product, any modifications or add-ons you install later on are NOT the responsibility of the original manufacture.

If you use cheap motor oil in your car, and your motor burns up; its not GM, Ford, Toyota, Dodge, Nissans,,, fault that you used a cheap motor oil.

Jelsoft has provided you with a product - anything you do to that product besides the default install is your responsibility.

Also, you will find in the ToS here (https://vborg.vbsupport.ru/info.php?do=terms):

8. IN NO EVENT SHALL VBULLETIN.ORG BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED

1. WITH THE USE OR PERFORMANCE OF THIS WEB SITE,
2. WITH THE DELAY OR INABILITY TO USE THIS WEB SITE,
3. WITH THE PROVISION OF OR FAILURE TO PROVIDE SERVICES, OR
4. FOR ANY INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND RELATED GRAPHICS OBTAINED THROUGH THIS WEB SITE, OR OTHERWISE ARISING OUT OF THE USE OF THIS WEB SITE, WHETHER BASED ON CONTRACT, TORT, STRICT LIABILITY OR OTHERWISE, EVEN IF VBULLETIN.ORG HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.

I've read the TOS - I understand the concept of cheap motor oil. But at the same time - do you guys seriously think that implementing a system which will ultimately benefit the vB.org Memberbase is a BAD thing? I mean - Seriously?

Again - I will say - I did not post this thread so that we can argue the virtues of "Sorry bud, you're on your own. You've purchased the product. Good luck with the maintenance, especially if you've modified your product..." --- I think we each understand responsibility.

I'm simply suggesting that the .org might implement a simple policy of information share with Members who have installed a product. It's not about liability Redlinemotors - I'm not trying to take Jelsoft to court - are you kidding - can barely afford to pay my electricity bill - What the hell can I do with a lawyers invoice accept to ball it up and toss it in the trash LOL

Meh - maybe it's just a horrible suggestion and just too dang difficult for a community of coders to implement and I just don't realize it? I tell you one thing I do realize though is that I'm a bit peeved at the notion that the current policy is to simply send out an email with absolutely no information in it. IMO it kinda defeats the purpose of sending out the email in the first place. And yes - I do realize that the email itself is infact a courtesy.

All I'm saying is that the system can be bettered. I think Lynne said it can be bettered as well... And for me = bettered in favor of the vB.org Member is aces in my book.

Jacquii.

If they didn't care, they wouldn't send an email about it and they certainly wouldn't quarantine it.

All the information you need to know is that is contains a security hole large enough to warrant a quarantine and you should disable it until a fix is posted.

Suggestion - Extract the uninstall .txt file from the .zip archive and allow members to view this. Not a fully fledged solution if the file didn't come with uninstall instructions but it's something. I'm guessing that a proportion of scripts that have an exploit found within them will have a .txt file within the archive and or/post.

yes, this.

Thats why I ALWAYS keep a copy of the .zip file on my hard drive and on my server in case something like this happens ;)

I do the same. I can't rely on the file being here under any circumstance. The author could just delete it one night while I am sleeping. It has happened in the past so one has to protect themselves. Anyway, I treat each and every download on this site as if it could vaporize the second after I download it.

Also one should consider any quarantine a serious matter and continue running an addon in such a state as a security risk to your site.

just a thaught on my part, seeing as issues with mods are encouraged to be discussed in threads under the modification, a vulnerability should also be considered an issue as the same. By all rights, it should be shared so others can learn from it as well. and know to not repeat someone else's mistake. I do understand not wanting to share the info so others that see it can exploit it. this is a two way street that has a dead end in both directions. Ultimately we end up with more modifications that are vulnerable because of lack of knowlege.

Like i said, just a thaught. :erm:

How about this, in the notification email, saying it's been quarantined, also list the files contained in the quarantined mod, so that the user would be able to fully uninstall it..

So something like this

** DO NOT REPLY TO THIS MESSAGE **

* Quarantine Notification *

The following modification has been 'quarantined' by vBulletin.org.

https://vborg.vbsupport.ru/showthread.php?t=1

The author of the modification has been informed and asked to address the quarantine reason(s), until this is done the modification will remain in the vbulletin.org graveyard.

If you are currently using this modification then you may wish to consider disabling it.
If the modification consists of a product then disabling the product should be all that is required. Do not uninstall the product as this may delete any data associated with it. If the modification also included new files then you may remove (or rename) them.

The files which were included in the quarantined modification were;


mikey.php
admincp/mikey.php
includes/xml/bitfield_mikeyrocks.xml
includes/xml/cpnav_mikeyrocks.xml
product_mikeyisthebest.xml


Once the author has responded to the issues you will be notified that it has been restored.

Thank you,

vBulletin.org Staff

Etc

^ That's actually a very nice idea Mikey
Simple, yet effective and has more information added for the enduser.
I'd also like to see info about why the modification has been quarantined or graveyarded as well.

Jacquii.

includes/xml/bitfield_mikeyrocks.xml?!?!? HAHAHA - too funny https://vborg.vbsupport.ru/

I think so too - and that's what my post is about - it's about improving the vB.org community - I think it's a valid suggestion anyway. I wouldn't have posted it again if I didn't think it was an important one - and honestly - I was a bit insulted by Paul's flippant comment. I suppose it's a good thing I do not wear my emotions on my sleeve LOL

Anyway - I do quite hope that the suggestion is just not dismissed as the ranting of Jacquii ((sigh...))

Jacquii.

When you post in such an aggressive manner using words like "hell", no-one will take you seriously Jacquii. Try posting your suggestions in a more polite way and people may listen, although I think you may have already burned most of your bridges here with your actions in the past :)

Please do not patronize me Dean, though I do appreciate your feedback on the suggestion at hand. And if a group of people such as vB.org Members who I have personally witnessed using stronger words than "hell" are condemning me for doing the same - well - it's not I who have the issue dude ;) --- And I particularly would like to say, "Grow up and stop being hypocrits!" --- So yes - If you have a comment on the suggestion I've made - then feel free to make it or otherwise I would advise that you not post in this thread at all.

Jacquii.

I think it's less about the language and more about the aggressive tone.

Well - perhaps I'm an aggressive person who likes to get things done? IDK - but if someone is too stuck on the tone of my suggestion to appreciate the content of it - then I apologize for the misconception, as it was not my intent at all to start an argument or a flamewar.

But still - I do truly believe the suggestions I've made in this thread are important ones and suggestions that will truly benefit the vB.org Memberbase. Obviously I do - or I wouldn't have posted this thread in the first place. I'm a poet and a linguicist - I'm not about mincing/wasting words here - so please - why do we not all try to stop analyzing Jacquii Cooke and consider the suggestions made as a betterment for vB.org ;)

Jacquii.

Jacquii, any member is free to repond to a thread, please do not tell members what they can and can't do.

Meh - I was just offering a friendly advise to someone who's only purpose in posting in this thread was to condescend to me. I was NOT telling dude what he can and/or cannot do!

Jacquii.

You are the one being the most condescending and obnoxious in this thread. How can you expect anyone to take you or any suggestion you make seriously? Your personality overshadows any relevance your posts may have.

I see a valid point in not publishing the exploit or reason for the quarantined to limit further compromises.
I also try and keep a backup of every mod and screenshot of every template edit I use (in pdf form)

You have no one to blame but yourself if you don't, and at least vb.org lets us know there is an issue with the hack.

my 2 cents :)

You are the one being the most condescending and obnoxious in this thread. How can you expect anyone to take you or any suggestion you make seriously? Your personality overshadows any relevance your posts may have.

Allright - I'm an obnoxious twit with an overpowering, agressive personality that people find intimidating... Meh.

@ the vB.org Staff Close the thread!
I'll promise never to give a damn ever again about vB.org enough to make a suggestion that could benefit the memberbase.

Jacquii.

Yes, no one 'gives a damn' about VB.org but you. All these people voluntarily devote their time and effort maintaining this place because they do not 'give a damn' about it or the other members here. This shows your level of respect for others and what they do.

Yeah - You're absolutely right - [blip...] --- But yeah - I made the suggestion with no intent on a flamewar - apparently people (including you) have interpretted my intent wrongly. For that I apologize again - and I request that the thread be closed.

Jacquii.

btw - Thanks for being nice - you are so kind that I would not request the Administration ban you.
What a joke! :-/

Actually not taking sides here, I kinda have to side with Jacqui.

In the rare instances that a mod is pulled, it would be beneficial:

If the MOD details, within the forum, were updated accordingly, with Installation and de-installation issues.

In essence, I think all coders, when implementing a mod or hack, should by rights, provide a text file for installation and for removal.

In the case of a mod, which is under scrutiny, then this text file, should automatically be added to the original MODS, 1st post. As an admin extra or whatever.

Reason being, and we DO keep all mods neatly packaged and folderised... I am not always working on one pc, and often working away from the office on a spare pc/laptop whatever..

So merely disabling products/plugins isnt nearly enough info for us, as we would also like to see remotely, what file changes/ template hacks were done , so that we may remove all traces.

Ste

.... and I request that the thread be closed.

Since it seems to be going downhill, done.