View Full Version : Modification Security


|Jordan|
05-26-2011, 10:15 PM
With the recent SQL Injection issues present in a lot of plugins, it would be great if there were a way for VB.org to automate modification security audits (on attaching files to thread), this way it would save you the time of manually auditing and us getting our forums hacked.

Disasterpiece
05-26-2011, 10:26 PM
There is a plugin out there, implementing cracker tracker, which is a php-allround-security solution.
https://vborg.vbsupport.ru/showthread.php?t=110030

I just checked the code, it should work with all current vbulletin versions as well, since it doesn't rely much on vbulletin structures. You might want to check that out if you're that concerned.

BirdOPrey5
05-27-2011, 06:29 PM
> With the recent SQL Injection issues present in a lot of plugins...

I wasn't aware it was a lot? I thought it was one. :confused:

Disasterpiece
05-27-2011, 07:22 PM
I think I'm gonna start a security plugin tomorrow. Can't believe there isn't something around here yet.

Lynne
05-27-2011, 07:22 PM
Automated modification security? I can't even imagine writing the script to do that. Besides that, we like mods to be uploaded as zip files so all the files are together in one place.

And, as Joe stated, we've had one plugin lately that had a security problem. The last time we had something quarantined for a security reason was last June.

|Jordan|
06-21-2011, 07:06 AM
> Automated modification security? I can't even imagine writing the script to do that. Besides that, we like mods to be uploaded as zip files so all the files are together in one place.
>
> And, as Joe stated, we've had one plugin lately that had a security problem. The last time we had something quarantined for a security reason was last June.

Modification security could just unzip the attachment, analyze every line and check if their SQL statements are escaped properly.

According to the vb.com thread (https://www.vbulletin.com/forum/showthread.php/379260-Did-anyone-find-the-animus-exploit-instructions-yet) about the latest SQL injection issues, a ton of plugins are currently susceptible, but no one really knows until they get hacked. A few plugins that were confirmed to be insecure (some got fixed) were "Advanced Rules" and "Admin Log In As User".
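
The audit proposed in the last post (unzip the attachment, read every line, check whether SQL statements are escaped), as an added sketch that is not part of the thread and not vBulletin.org tooling. It assumes the calls worth flagging are vBulletin's `$db->query_*` helpers and PHP's `mysql_query`, and that `escape_string`, `intval` and `floatval` count as sanitizers; the sample archive, its file names and its PHP lines are constructed.

```python
import io
import re
import zipfile

# Assumption: the query calls to flag are vBulletin's $db->query_* helpers and mysql_query.
QUERY_CALL = re.compile(r"(?:->query(?:_read|_write|_first)?|\bmysql_query)\s*\(")
# Raw request data that should never reach a query string untouched.
RAW_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]")
# Assumption: these wrappers sanitize when they directly enclose the raw input.
SANITIZER = re.compile(r"(?:escape_string|intval|floatval)\s*\(\s*$")
SCANNED_SUFFIXES = (".php", ".xml")  # product XML files embed plugin PHP

# Constructed sample plugin file: line 2 is unescaped, line 3 is escaped.
SAMPLE_PHP = r'''<?php
$db->query_read("SELECT * FROM rules WHERE id = " . $_GET['id']);
$db->query_read("SELECT * FROM rules WHERE name = '" . $db->escape_string($_POST['name']) . "'");
'''

def scan_line(line):
    """Return raw request variables used unsanitized inside a query call on this line."""
    call = QUERY_CALL.search(line)
    if not call:
        return []
    return [m.group(0) for m in RAW_INPUT.finditer(line, call.end())
            if not SANITIZER.search(line[:m.start()])]

def scan_archive(data):
    """Scan a zip attachment (bytes); return (file, line number, variable) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(SCANNED_SUFFIXES):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                findings += [(name, lineno, var) for var in scan_line(line)]
    return findings

def build_sample_zip():
    """Build the constructed attachment in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("upload/rules.php", SAMPLE_PHP)
        zf.writestr("readme.txt", "mysql_query($_GET['x'])")  # skipped: not .php/.xml
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_archive(build_sample_zip()):
        print("%s:%d: unescaped %s in query" % finding)
```

A line-by-line check like this only catches request data concatenated directly into the query call; input copied into a variable on an earlier line passes unnoticed, so a clean result is not proof that a modification is safe.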