Are there any more details on this and why it was quarantined?

thanks.

We do not release additional details, no sense having the exploit in the wild without a fix.

If it's quarantine it's for a reason. You should probably disable this modification on your board for the time being.

Is the recommendation to disable this mod in effect for all versions of VB? Thanks.

From what I can tell, yes. You should disable it in vb3 and in vb4. You should also remove the actual files from your website (just the php files).

We do not release additional details, no sense having the exploit in the wild without a fix.

Sorry to say - but I find this comment ridiculous....for this modification.

ibProArcade has it's own section here at vB.org - its' the most downloaded/installed modification here. This being the case - I'm sure the 8400 people who've at least clicked install would feel more secure about their vBulletin paid-product if given a reasoning behind why such modification is quarantined.

This policy about "we do not release additional details" truly could use a bit of transparency as concerns such popular modification(s) as ibProArcade! Even if said transparency takes shape in a little info-note attached to the automated(?) quarantine email.

Meanwhile -congrats vBulletin.org for continually keeping members in the dark!

I sincerely hope that MrZeroPage offers up a fix for this exploit, and QUICKLY!

J.

I'm sure they will contact MrZeroPage about this but I'm not sure he has the time anymore :(
like Zachery said why exploit

Sorry to say - but I find this comment ridiculous....for this modification.

ibProArcade has it's own section here at vB.org - its' the most downloaded/installed modification here. This being the case - I'm sure the 8400 people who've at least clicked install would feel more secure about their vBulletin paid-product if given a reasoning behind why such modification is quarantined.

This policy about "we do not release additional details" truly could use a bit of transparency as concerns such popular modification(s) as ibProArcade! Even if said transparency takes shape in a little info-note attached to the automated(?) quarantine email.

Meanwhile -congrats vBulletin.org for continually keeping members in the dark!

I sincerely hope that MrZeroPage offers up a fix for this exploit, and QUICKLY!

J.

you have to realize that consequences far outweigh the right to know what the problem actually is/
Say he does mention what the exact exploit is.. This could leave possible thousands of boards out there that maybe haven't received the message about the quarantine, vulnerable to the exploit to many new people that now know what the exploit is. And by people, I mean guys that just want to cause truoble..
so is it better for them not to say and we just disable the mod.. wait for the fix, or let you know and possibly open a bunch of boards up to now a bunch of people that didn't know, but now do ???

the smart move is just disable and wait

The problem is, we were told there was an "issue". That's it. What kind of issue? Copyright? Security? What?

I get an email saying there's an issue with a modification and it's been quarantined. Yeah. That tells me a whole lot. In truth, it tells me absolutely nothing at all.

The problem is, we were told there was an "issue". That's it. What kind of issue? Copyright? Security? What?

I get an email saying there's an issue with a modification and it's been quarantined. Yeah. That tells me a whole lot. In truth, it tells me absolutely nothing at all.

Yes exactly. The email notice was useless.

I thought they may have been cryptic because the issue was something different to security this time. I'm pretty sure in the past these quarantine notices have always stated 'for security reasons' and that its advisable to disable the product until such a time that a fix is provided. I obviously don't expect them to publish details of the flaw(s). But just a couple of simple words would suffice in letting us know there are security risks in allowing the software to remain on our servers.

you have to realize that consequences far outweigh the right to know what the problem actually is/
Say he does mention what the exact exploit is.. This could leave possible thousands of boards out there that maybe haven't received the message about the quarantine, vulnerable to the exploit to many new people that now know what the exploit is. And by people, I mean guys that just want to cause truoble..
so is it better for them not to say and we just disable the mod.. wait for the fix, or let you know and possibly open a bunch of boards up to now a bunch of people that didn't know, but now do ???

the smart move is just disable and wait

This post is justification for no-info. Your point has not fallen on deaf ears though, likewise I hope mine hasn't.

My point is ==> people now know there's an exploit. You may as well publish the details, so that those of us who can take care of the issue ourselves may do so, instead of having to wait hours, days, weeks, months, never ((hopefully not)) for the modification author to release a fix.

As it is though - I've just received the quarantine email, which for all intents and purposes could have simply been a nice vBulletin-ized photo of a man in red cape flipping the middle finger = no use to anyone. Just a little trivial something that irks our nerves.

We may as well have hoped for a crystal ball in which to read the minds of those who know the exploit particulars....so that we may take action!

J.

--------------- Added 1314661557 at 1314661557 ---------------

in other news ==> now would be as good as time as ever to do a complete site backup LOL... So off I go...

The email had suggestions on what you should do, and you should follow the actions suggested.

If you want to call it useless that is your call, but it was pretty specific on what you should do until the issue is resolved.

Previous quarantine email messages that were useful:


The following modification has had an exploit reported in it, and has been 'quarantined' by vBulletin.org.

The author of the modification has been informed and asked to provide a fix, until this fix is provided the modification will remain in the vbulletin.org graveyard.


Today's quarantine email notice:


The following modification has been 'quarantined' by vBulletin.org.

The author of the modification has been informed and asked to address the quarantine reason(s), until this is done the modification will remain in the vbulletin.org graveyard.


Security through obscurity doesn't work. I would argue the language you now think is far more suitable to use is actually going to result in more people shrugging their shoulders and ignoring your notices. And as a result, more vB forums will get hacked.

may of 2010..
there was a update intended but never released
this is not unsupported, while v2.7.1+ is to be finished I am trying hard to fix things that came up with vB4 and using its own index.php to direct to portal or forum.
There is no hook in index.php or any other place where right from the start I can implement the needed code, very bad.
I think I need to contact Jelsoft and request a hook there.

I am still irritated that this error does NOT appear on my testsite ...

Maybe anybody let me check this "on site" ? Please contact me via PM and refer to this thread, thanks

I guess he never fixed those issues because it was never released..
I sure hope he can post a fix for the issue at hand for everyone still using it..

The email had suggestions on what you should do, and you should follow the actions suggested.

If you want to call it useless that is your call, but it was pretty specific on what you should do until the issue is resolved.

That email was BALONEY! And to suggest that it wasn't is even more ridiculous than that brief (useless) burp of an email notification...

Now - before we get all defensive ==> There is not anyone in this thread who wants to argue -- except for me perhaps haha. But rather - our posts tend to be suggestive of a better way for vBulletin.org to handle quarantined/exploited/blablabla modifications as concerns it's paying customer base!

Right now - it's obvious that vBulletin.org as an entity doesn't give a flying _______.
((whatever horrible or not-so-horrible word you can think of will likely fit in the blank space))

J.

Right now - it's obvious that vBulletin.org as an entity doesn't give a flying _______.
((whatever horrible or not-so-horrible word you can think of will likely fit in the blank space))

J.

Seriously Jacquii? I (and most of the rest of the staff) are here as volunteers. We are using our own time and energy to keep vBulletin modifications safe for everyone. Even confirming it is an exploit might give people ideas and risk the security of everyone who has this installed.

Regardless of the reason the e-mail contains the suggested course of action (disable the mod). I will not have any pity for those who received the email and chose to ignore it. If anyone is that interested in fixing the mod itself then review the code and fix any exploits you find- no one is stopping you. That goes for every mod here, quarantined or not.

Drama queens everywhere.... Glad to see my board is not the only one. Of course, I knew that already.

My board is still at 3.7.2 and I haven't updated my arcade in about three years because I was dealing with a serious illness...does this exploit affect my board?

I know this is a dumb question but I'm not sure what's going on here...

edited - oh and I did disable it...I learned my lesson from the vbPlaza exploit that destroyed my board in 2007...

I'll await instructions from those who know. Thank you for sending me an email (I know it's general mail) and I appreciate it...

Seriously Jacquii? I (and most of the rest of the staff) are here as volunteers. We are using our own time and energy to keep vBulletin modifications safe for everyone. Even confirming it is an exploit might give people ideas and risk the security of everyone who has this installed.

FWIW, thanks for the heads-up. Much appreciated.

Paul posted this in another thread but it is worthy of reposting.

https://vborg.vbsupport.ru/info.php?do=security

This is the procedure on when a mod is quarantined and it shows the possible outcomes and options we have.

Seriously Jacquii? I (and most of the rest of the staff) are here as volunteers. We are using our own time and energy to keep vBulletin modifications safe for everyone. Even confirming it is an exploit might give people ideas and risk the security of everyone who has this installed.

Regardless of the reason the e-mail contains the suggested course of action (disable the mod). I will not have any pity for those who received the email and chose to ignore it. If anyone is that interested in fixing the mod itself then review the code and fix any exploits you find- no one is stopping you. That goes for every mod here, quarantined or not.

A sort of mania appears to be setting in with this quarantine. It's like everyone's cat is lighting on fire. He probably doesn't mean what he said, even though it was a _______ bag thing to say. :)

Wow guys. Any administration, developer, etc. worth a grain of salt will not give out (even potential) security vulnerabilities to harm their members. For those who are curious, you can find out by looking at the patch once it comes out or try finding it yourself prior.

There is no reason you need to know what the vulnerability is until it's been fixed. If you're concerned, disable the product. Simple.

Ugh, I feel for the staff here. Dealing with other admins or developers is the worst when they think they always know best. :(

Keep up the good work guys. The response you SHOULD be getting is a huge thanks for looking out for us.

Cheers

I agree 100% with Adrian on this. The reason why they're not saying much about this is because not many people know about the exploit, it's not even lurking on hack forums/sites. This mod can be exploited if they release details on this, the mods or mod owner need time to get this sorted. I know all of you want to be given a reason, but you guys need to understand that's not the best route at them moment. For now, disable the mod and remove all the php files associated with the mod.

I totally get "don't give out what the actual exploit is", but the email didn't give us enough information to actually know what to do.

It didn't say that it was removed for security reasons at all. I couldn't tell if this was a "remove this now, it's urgent!" problem, a "the latest version that was uploaded by the author is breaking installs, we don't want people messing up their forum by continuing to download it" problem, or a copyright claim or whatever.

If it was removed for security reasons, is just disabling it enough? Do the files actually have to be removed because it's still exploitable even if the product is disabled? The email says "If the modification consists of a product then disabling the product should be all that is required.", but past security problems with mods has shown that not to always be true. The email follows up with "If the modification also included new files then you may remove (or rename) them." which seems to contradict that disabling is good enough.

The URL listed in the email sent out just linked to the thread with no information about the quarantine either.


I'm not trying to complain about the wonderful service you guys are doing, but trying to explain from the perspective of a recipient of the quarantine email why you're getting so much angst over it. It's kinda like the evening TV news saying "There's something in your kitchen that could kill you!" and not elaborating. A very vague warning about a mod without anything other than "it has been quarantined" raises way more questions than provides answers, and left me unsure what I really needed to do.


If I were writing the email, I'd say something more like:

Subject: Action needed - Security issue with ibProArcade - professional Arcade System

The ibProArcade - professional Arcade System modification has been 'quarantined' by vBulletin.org, due to a security issue that requires your immediate action to ensure your forum's security.

You downloaded this modification at the following thread, which has now been archived until further notice.

https://vborg.vbsupport.ru/showthread.php?t=101554

This modification has been quarantined due to a serious security issue that has been brought to our attention. Our policy is not to discuss security issues publicly. However, the author of the modification has been informed and asked to address the quarantine reason(s). Until this is done, the modification will remain in the vbulletin.org graveyard. Once the author has responded to the issues you will be notified that it has been restored.

With the information we have at the current time, we believe this security issue can be completely prevented by disabling the modification in your Admin Control Panel. Go to "Plugins & Products", then "Manage Products" then disable this modification.

We do not believe removing this modification's additional files (if any) or uninstalling it is necessary to prevent exploitation of the security issue. Please keep in mind that if you uninstall this modification anyway, you may delete any data associated with it.


Explain the problem, explain what's being done about it, and list what actions a forum owner needs to take a bit more authoritatively.

I completely support the vb.org staff's decision of not releasing additional details without a fix being developed and released first. Doing so will only make a hackers job easier and leave users of the mod more vulnerable.

Do i have to disable it in plugins/products or is using the mod's off switch enough?

EDIT Nevermind! Turning it off has no effect what so ever... I'll disable it.

Disabling it still leaves it accessable! What's going on?

Seriously Jacquii?

Yes. Seriously Joe.
If I wasn't serious - I likely wouldn't have posted it. And though the language I used may be a bit strong for the subject matter at hand.... The suggestion that members here who have installed a modification be given a weeee bit more info than, "exploit. disable mod until further notice" is as well. It's a solid idea and it's a strong idea and you can see that it's a valid idea by the bulk of commentary in this thread.

Also - FWIW - I appreciate very much the all volunteer staff here at vB.org - I always have and as long as my boards are running vBulletin = I always will.

But being an all volunteer staff isn't an excuse for providing little to absolutely-no information to the users of modifications here.

That's all - and hopefully my posts will inspire a conversation amongst the staff members regarding this ridiculous no-info-upon-graveyard policy. Specifically - how to better it so that the Jacquii's of the world won't have a reason to +++++ :rolleyes: -- Drama queen? Not hardly. Someone curious about what the exploit is and why we're not given one iota of a detail regarding it? Sure. ;)

J.

--------------- Added 1314696161 at 1314696161 ---------------

Do i have to disable it in plugins/products or is using the mod's off switch enough?

EDIT Nevermind! Turning it off has no effect what so ever... I'll disable it.

Disabling it still leaves it accessable! What's going on?

Disabling it does indeed leave it accessible.
You should probably just turn the entire arcade off via Arcade Main Settings.
Perhaps to go a step further would be to rename your arcade.php file to something else until a fix is announced.

Of course such info might have been helpful if included in the super-useful quarantine email...

J.

--------------- Added 1314696161 at 1314696161 ---------------



Disabling it does indeed leave it accessible.
You should probably just turn the entire arcade off via Arcade Main Settings.
Perhaps to go a step further would be to rename your arcade.php file to something else until a fix is announced.

Of course such info might have been helpful if included in the super-useful quarantine email...

J.



Tried turning it off via the settings too. I can still play arcade games like that.

I think I'm going to chmod the arcade.php file to 000 or something.

A sort of mania appears to be setting in with this quarantine. It's like everyone's cat is lighting on fire. He probably doesn't mean what he said, even though it was a _______ bag thing to say. :)

Okay - this post is useful to the thread how? IDK - but one thing to correct you on = I'm a she :) --- the "______" was for dramatic effect. So I suppose drama queen was appropriate. But even more appropriate than the name-calling, is the call to provide actual information in the "quarantine" email - otherwise the email is pretty useless to those of us who can read.

It has absolutely nothing to do with mania or anyone's cat lighting on fire, which is really a horrible thing lmao

--------------- Added 1314696627 at 1314696627 ---------------

Tried turning it off via the settings too. I can still play arcade games like that.

I think I'm going to chmod the arcade.php file to 000 or something.

Only Admin group can access the arcade when disabled. Other usergroups will see "The administrator currently has the arcade disabled." message.

Rename arcade.php to something like blablabla.php -- something that only you will know -- and then once a fix has been posted - change the name back - then users browsing to your arcade.php file should be redirected to 404 error...?

--------------- Added 1314696627 at 1314696627 ---------------



Only Admin group can access the arcade when disabled. Other usergroups will see "The administrator currently has the arcade disabled." message.

Rename arcade.php to something like blablabla.php -- something that only you will know -- and then once a fix has been posted - change the name back - then users browsing to your arcade.php file should be redirected to 404 error...?
That explains it, Thanks.

I went one better. I inserted
die("This file is offline for now");
after the <?php

To the best of my knowege, that'll cause the file to fail to load but when an update is released, uploading it will automatically replace the file and save me the trouble of remembering to rename it back :P

Again, the best thing people can do is to follow all precautions mentioned in the email:

1) Disable the mod (via vBulletin Product Manager)
2) Rename or remove all uploaded files (mod files, not games, but the files that originally came with the mod to upload)

This is all the information you need at this time.

What I will confirm is the author has made contact and I believe this will get resolved. I will give no time estimate- maybe today, maybe tomorrow, maybe next week/month I don't know. We all hope sooner than later of course.

Again, the best thing people can do is to follow all precautions mentioned in the email:

1) Disable the mod (via vBulletin Product Manager)
2) Rename or remove all uploaded files (mod files, not games, but the files that originally came with the mod to upload)

This is all the information you need at this time.

What I will confirm is the author has made contact and I believe this will get resolved. I will give no time estimate- maybe today, maybe tomorrow, maybe next week/month I don't know. We all hope sooner than later of course.

Thanks for the update, though I'm sure we could debate rather robustly on the concept of need :P -- and yet another point of contention: some may not even know what files to even rename/remove because the archive is no longer downloadable here at the .org

IDK - I just think there has to be a better way to handle quarantined/graveyarded mods....

</drama-queen-ism>
https://vborg.vbsupport.ru/external/2011/08/2.gif

Wow guys. Any administration, developer, etc. worth a grain of salt will not give out (even potential) security vulnerabilities to harm their members. For those who are curious, you can find out by looking at the patch once it comes out or try finding it yourself prior.


Most of the users saying we are drama queens with our suggestions haven't even comprehended the point we are making. :rolleyes: Nobody is asking them to disclose the precise security vulnerabilities. We only wanted to know the mod was pulled for security reasons. EXACTLY the information they did finally disclose in this thread. In the past, modifications have been quarantined for a variety of reasons including copyright infringement and violating Jelsoft's terms. Is it reasonable for us to have to guess why they have pulled a modification from the site?

As my earlier message demonstrated, they used to tell us when a product was pulled because it was vulnerable to exploit. Why can't they continue to do this? All we're asking for is the information they went ahead and confirmed in this thread anyway. :)

I'm also aware it's a thankless task volunteering to staff a forum. I'm sure there's a good chance those we've been venting at had nothing to do with whatever policies were implemented to change the way these quarantine notifications are sent out.

MrZeropage came through with a fix and a new version..
once again thanks MrZeropage

MrZeropage came through with a fix and a new version..
once again thanks MrZeropage

Agreed. Thanks for the quick resolution!

Again, the best thing people can do is to follow all precautions mentioned in the email:

1) Disable the mod (via vBulletin Product Manager)
2) Rename or remove all uploaded files (mod files, not games, but the files that originally came with the mod to upload)

This is all the information you need at this time.

What I will confirm is the author has made contact and I believe this will get resolved. I will give no time estimate- maybe today, maybe tomorrow, maybe next week/month I don't know. We all hope sooner than later of course.

No. You completely missed the point.

What we're saying is the email was totally worthless from an Administrative standpoint. It told me nothing other than the modification was quarantined. I could care less about the details of an exploit, but that email should have stated there was a security issue to lend credence to the notification.

We're not complaining about the lack of information about the exploit itself. We're complaining about the lack of information period. We should have been told WHY the modification was quarantined. This doesn't mean you have to go into the details of the exploit, but as an administrator, I can't make informed decisions on how my site is run when I get a half baked email like I received.

No. You completely missed the point.

What we're saying is the email was totally worthless from an Administrative standpoint. It told me nothing other than the modification was quarantined. I could care less about the details of an exploit, but that email should have stated there was a security issue to lend credence to the notification.

We're not complaining about the lack of information about the exploit itself. We're complaining about the lack of information period. We should have been told WHY the modification was quarantined. This doesn't mean you have to go into the details of the exploit, but as an administrator, I can't make informed decisions on how my site is run when I get a half baked email like I received.

Quite frankly you don't need to know why you just need to know it has been.

If I confirm it is a security exploit then you will have nefarious people scan the code line by line looking for the exploit to take advantage of it. If they miss it the first time, they will keep looking because they *know* for sure it is there.

But if I don't confirm it's a security exploit they may look through the code and not see it the first time, or the second time, and give up and assume it wasn't a security issue at all- which is possible.

That is why I will never confirm it was or was not a security issue/exploit- but if I was a user of the mod I would ALWAYS assume it's an exploit and follow the recommended procedure.

I agree with the staff that the exploits should not be posted in the public. Otherwise every script kiddie/wanna be hacker will try out those exploits in every forum that they can running the arcade. We have seen this thing happen all the time in cases like this.

We all should be grateful to the vb staff here who look out for us by letting us know anytime a security issue has been discovered with any of the mods here and takes precautions immediately that no other users will put their forums at risk by installing and using something not secure. At least that is how I see it.

Yes, security-problems should not be made public, just to the developer himself to make sure he can provide a quick fix.

That's how it works well here on vb.org - I can a message telling the details, checked it and could fix it in time, and that's what the community needs. Otherwise there would fly around some usermade hotfixes, some ideas ect which do not help having a stable product with support and development, as modified trees could get out of this ect.


Everything is fine now, everybody just upgrade to v2.7.1+ :)

Um, the last time I tried to update this on my sister board, I couldn't get it to work, which is why I didn't update it on my board...

I'll try it and see...thanks for coming through, Zeropage. This is one of the best, if not THE best mods around...

if you fail, contact me ;)

It went fine but I have a few games that aren't saving but I see Hippy has a solution. I have members playing the games and will let me know if this is a wide spreading problem. If it is, I'll utilize the fix...

Thanks! You're such a sweetheart...

I have found some games don't save scores..
so if its just a few of them kill them and find new ones to add..

if they are all not saving apply the fix..

enjoy