vb.org Archive

Sending of Hacks to the Graveyard (https://vborg.vbsupport.ru/showthread.php?t=153206)

Clayton 07-24-2007 08:02 AM

Quote:

Originally Posted by Marco van Herwaarden (Post 1299891)
if a vulnerability is found our primary goal is to protect the members.

and for this we are absolutely appreciative

what led to my concern was the timing and the amount of hacks which have been found to be vulnerable only now

I am sure you can see concerns by users of these forums?

Zachery 07-24-2007 08:05 AM

I can't?

Maybe there is a surge of bored coders?
Maybe coding practices by coders are getting worse?
Maybe there are more people using the modifications who are finding said issues?

Marco van Herwaarden 07-24-2007 08:09 AM

Quote:

Originally Posted by Clayton (Post 1299895)
what led to my concern was the timing and the amount of hacks which have been found to be vulnerable only now

I am sure you can see concerns by users of these forums?

I already replied to that. There has been a sudden increase of modifications being reported by members lately, and we do nothing more than follow up on these reports.

Clayton 07-24-2007 08:11 AM

OK .. here is an example of 1

VBGooglemap Member Edition

Released: 06. Aug 2006 Last Update: 16. Sep 2006 Installs: 522

Not Supported DB Changes Uses Plugins Template changes Additional files

--------------------------------------------------

yesterday's date 23rd July we receive an email to uninstall

This Modification is no longer available or supported.
This thread is in the Modification Graveyard and is available for information purposes only.


the above is now placed on the thread ..

10 months after 522 installs we now have a vulnerability

there are further examples

I have tried to contact the author of the hack and await a reply

as mentioned it is the timing of things

surely we would not like vB.com now to offer these add ons in the very near future?

:D ;)

hambil 07-24-2007 08:12 AM

Quote:

Originally Posted by Zachery (Post 1299899)
I can't?

Maybe there is a surge of bored coders?
Maybe coding practices by coders are getting worse?
Maybe there are more people using the modifications who are finding said issues?

The first hack I ever wrote, sat here for three years with a security vulnerability in it. It had 50 - 60 installs. It was only reported very recently. I don't think coding practices have changed, or anyone is getting lazy. I think more vulnerabilities are being found is all. Who is finding them is unclear, but it's a good thing, so who cares?

BTW: To staff - thank you for listening and changing the procedure to not announce the nature of the vulnerability other than to the author.

Clayton 07-24-2007 08:22 AM

Quote:

Originally Posted by hambil (Post 1299908)
BTW: To staff - thank you for listening and changing the procedure to not announce the nature of the vulnerability other than to the author.

this is excellent, however are the authors of the hacks being notified via email as well, please?

my major concern is about the solution to the vulnerability

that is my bottom line

Zachery 07-24-2007 08:24 AM

I was just coming up with 2 random, and one logical suggestion.

Way back in the day lots of highly skilled coders lived and shared their work here, sadly lots of them found something that took them away. Now we've been in a cycle of rebuilding year after year.

If anyone makes a living through vBulletin.org or through people's hacks, it's my belief that they should be able to take a look at a modification's code and make sure it is safe. Though this rarely happens anymore :( a lot more things might get fixed this way.

hambil 07-24-2007 08:24 AM

Quote:

Originally Posted by Clayton (Post 1299917)
this is excellent, however are the authors of the hacks being notified via email as well, please?

my major concern is about the solution to the vulnerability

that is my bottom line

I guess it depends on their PM settings. I get an email every time I get a PM, so in my case, yes. Er, if I had any releases :)

Clayton 07-24-2007 08:31 AM

@ hambil pml


zach .. there are only so many hours in the day ;)

one day we will get there ;)

MaryTheG(r)eek 07-24-2007 08:33 AM

Quote:

Originally Posted by Marco van Herwaarden (Post 1299891)
@MicroHellas
2. With our current procedures we will inform both the users that have installed a modification and the author at the same time if the vulnerability found is serious. The reason members are notified by email and the author by PM is merely using the tools we have available. The author is also informed on the details of the vulnerability found. We have no way of knowing if an author will read his email faster than a PM, and he/she could have email notifications of a PM. Also the author could have disabled Email as contact method, so the best way to contact them (that will always work) is by PM.

I just re-read your Mod Vulnerability Guidelines located at:
https://vborg.vbsupport.ru/info.php?do=security
and the order that it says wasn't followed. You can check the timestamps of the emails and PMs. First the users were informed and then the author.

In any case, I don't have the power to argue anymore. By signing here I accepted the rules, so no reason to talk. The only thing that I want to say is that the same Mod Vulnerability Guidelines say that you have the right to provide a fix (&4) and then to put it back to public (&5). You can do &4 for all users who've installed it already, but please I don't want to have it back to public.

Thank you.


All times are GMT. The time now is 03:47 AM.
