vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin.org Site Feedback (https://vborg.vbsupport.ru/forumdisplay.php?f=7)
-   -   Sending of Hacks to the Graveyard (https://vborg.vbsupport.ru/showthread.php?t=153206)

MaryTheG(r)eek 07-26-2007 08:03 AM

Quote:

Originally Posted by Marco van Herwaarden (Post 1301988)
I kindly ask you to stop feeding the discussion with such unfounded accusations.

Unfounded? If you check, the vulnerability that he found in vbDigiShop is in the file finishpayment.php, which is the procedure that handles the 2Checkout return value. Except if you believe that 2Checkout can return an SQL query instead of a "True" or "False".

An experienced Moderator is able to understand that this file is not important. If it was in the main vbdigishop.php, as it was for vbarticles.php, I could understand it. But in a routine file which has nothing to do with user inputs, I don't believe that is a vulnerability.

Marco van Herwaarden 07-26-2007 08:22 AM

The unfounded relates to your remarks/suggestions that newer staff members are unable to correctly judge a vulnerability report.

I will not go into a public discussion on the details of a specific report, but you are free to contact me in private to discuss if a report is founded or not. Nobody says that we never make a mistake, and if we do I will be glad to help to sort it out.

PS All I will say in public on this is that I just personally checked on the report and, other than what you claim, the file contains a serious vulnerability.

Clayton 07-26-2007 08:34 AM

One of the most important things that we should focus upon with this thread is that progress has been made and that the end product is that both the user and author will benefit by the changes

This is good

Well done to all

:up:

Andreas 07-26-2007 08:39 AM

Quote:

Originally Posted by MicroHellas (Post 1301997)
Except if you believe that 2Checkout can return an SQL query instead of a "True" or "False".

Although it is unlikely to happen willingly, it might happen accidentally.

Quote:

But in a routine file which has nothing to do with user inputs, I don't believe that is a vulnerability.

Do you think an attacker really cares which file he must access to break into the system?
I doubt that. The important point is: would it be potentially possible that the input contains anything other than the expected values?
If so, this must be handled correctly, even if it would normally only be accessed by automatic processes.

Never ever trust user input!
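Andreas's point applies to exactly the kind of script under discussion: a payment-gateway return handler that is only supposed to receive "True" or "False" from an automated process. The following is an added illustration, not vbDigiShop's, 2Checkout's or vBulletin.org's code. It sketches a hypothetical finishpayment-style script for a vBulletin 3 mod using vB's own database layer (`$vbulletin->db`, `TABLE_PREFIX`); the request field names (`order_id`, `result`, `sig`), the table name and the HMAC-based signature check are assumptions made for the example, and a real integration would verify the gateway's return the way that gateway documents.

```php
<?php
// Added example (hypothetical): a gateway-return handler for a vBulletin 3
// mod, shown first in the unsafe form and then hardened. Table and field
// names are assumed; the signature scheme is an assumption for illustration.

// --- Unsafe pattern -------------------------------------------------------
// The gateway is expected to send result=True|False and a numeric order id,
// but the script answers any HTTP request, so both values are untrusted.
function finish_payment_unsafe($vbulletin)
{
    $result  = $_REQUEST['result'];    // expected "True"/"False", not guaranteed
    $orderid = $_REQUEST['order_id'];  // expected integer, not guaranteed

    // Raw request values interpolated straight into SQL: whatever the sender
    // puts in these fields becomes part of the query.
    $vbulletin->db->query_write("
        UPDATE " . TABLE_PREFIX . "digishop_orders
        SET status = '" . $result . "'
        WHERE orderid = " . $orderid
    );
}

// --- Hardened version -----------------------------------------------------
// Returns true when the order was updated, false when the request was rejected.
function finish_payment_safe($vbulletin, $shared_secret)
{
    // 1. Coerce each value to the type the logic actually needs.
    $orderid = isset($_REQUEST['order_id']) ? intval($_REQUEST['order_id']) : 0;
    $result  = isset($_REQUEST['result'])   ? (string) $_REQUEST['result']  : '';
    $sig     = isset($_REQUEST['sig'])      ? (string) $_REQUEST['sig']     : '';

    // 2. Allowlist: only the two values the gateway is documented to send are
    //    acceptable, and they are mapped to fixed internal status strings.
    $allowed = array('True' => 'paid', 'False' => 'failed');
    if ($orderid <= 0 || !isset($allowed[$result])) {
        return false;   // reject; a production handler would also log this
    }

    // 3. Prove the request came from the gateway. Assumption for this example:
    //    the gateway signs "orderid|result" with a shared secret (HMAC-SHA256).
    //    hash_equals() (PHP >= 5.6) avoids a timing side channel on comparison.
    $expected = hash_hmac('sha256', $orderid . '|' . $result, $shared_secret);
    if (!hash_equals($expected, $sig)) {
        return false;
    }

    // 4. Even the allowlisted value goes through the db layer's escaping, and
    //    the id is already an integer, so nothing from the request can alter
    //    the query's structure.
    $vbulletin->db->query_write("
        UPDATE " . TABLE_PREFIX . "digishop_orders
        SET status = '" . $vbulletin->db->escape_string($allowed[$result]) . "'
        WHERE orderid = " . $orderid
    );
    return true;
}
```

The design choice worth noting is the order of the checks: type coercion and the allowlist run before any signature work or database access, so a request that does not look like a gateway callback is dropped cheaply, and the status written to the database is chosen from a fixed map rather than copied from the request.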

MaryTheG(r)eek 07-26-2007 09:57 AM

Quote:

Originally Posted by Andreas (Post 1302021)
Do you think an attacker really cares which file he must acess to break into the system?

There are some files not accessible by the users. In any case, I'm leaving the discussion; I'm not a coder any more, so this thread is not for me.

@Marco
Thank you for spending your time to check the file. I'd appreciate it if you PM your remarks and I'll correct them asap, as I did yesterday.

Maria

Marco van Herwaarden 07-26-2007 10:13 AM

Quote:

Originally Posted by MicroHellas (Post 1302056)
@Marco
Thank you for spending your time to check the file. I'd appreciate it if you PM your remarks and I'll correct them asap, as I did yesterday.

PM sent.

Paul M 07-26-2007 12:16 PM

Quote:

Originally Posted by MicroHellas (Post 1301872)
Furthermore, I believe that all new mods must be checked by Moderators before going public.

I think I can safely say this will not happen in the foreseeable future.

Quote:

Originally Posted by MicroHellas (Post 1301957)
but when I saw the moderator's profile, I understood many things just by seeing his photo. By the way (this is for Coordinators and Administrators), don't you think that Moderators (in other words staff) must be more careful in choosing their photo?

Sorry, but this is just totally irrelevant. A moderator's picture has nothing to do with their coding knowledge, or their function on vbulletin.org.

nexialys 07-26-2007 12:20 PM

Quote:

Originally Posted by Paul M (Post 1302138)
I think I can safely say this will not happen in the foreseeable future.

Actually Paul, I would suggest that you never use that kind of sentence again... with the recent events regarding "not happening changes" that came to be happening, I would suggest that all suggestions are taken into consideration, but not refused publicly like that...

Marco van Herwaarden 07-26-2007 12:34 PM

Not sure if that is such good advice, nexialys.

We can only respond with the knowledge and plans we have at the time of the reply. The best thing is to be honest, and reply that it is very unlikely or even that it will not happen in the foreseeable future.

We received many complaints that we do not respond to suggestions, and now you are asking not to respond at all in public if the answer is No? That seems to be a contradiction.

nexialys 07-26-2007 12:43 PM

It is not a contradiction... Paul told us at least 4 or 5 times this week that the suggestion would never be executed... and you just posted a new thread for suggestions about our point of view - in the coders thread.... THAT is in contradiction with what Paul said to all last week...

and my suggestion is about refusing directly without any other advice... not refusing generally.. you can refuse some suggestions, but that kind of answer is not very politically correct...

