vb.org Archive
Page 2 of 4 1 2 34
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin.org Site Feedback (https://vborg.vbsupport.ru/forumdisplay.php?f=7)
-   -   Official Policy: When Security Vulnerabilities in Hacks are Found (https://vborg.vbsupport.ru/showthread.php?t=92236)

Erwin 06-17-2005 04:53 AM
Quote:
Originally Posted by Paul M
Oh well, it just seems that you are commiting yourselves to removing a hack, and someone spending time on fixing someone elses bug(s), when the author would be quite willing, but was simply away for a few days. Two weeks just seems a more reasonable time. :)
In 7 days, if there is no response, we will remove the files to the hack - in 7 days a LOT of people may have installed a hack with a security hole. :) The author can fix it after that and we can always put the files back.

Reeve of shinra 06-17-2005 05:28 AM
I think this is a double edged sword. I kind of agree with everything here but at the same time I think the nature of the vulnerability should be made known to the people that have installed it at least. Perhaps some of them can patch it.

The better question is what if its not a serious vulnerability or if its an issue that would only affect a specific yet minor group? Like say people running the hack on ISS would be vulnerable but on apache it wouldn't or something.

? Like say for instance it only affects a

Revan 06-17-2005 07:23 AM
Quote:
Originally Posted by Reeve of shinra
I think this is a double edged sword. I kind of agree with everything here but at the same time I think the nature of the vulnerability should be made known to the people that have installed it at least.
It is possible to say "This hack has been removed due to a SQL Injection Vulnerability" instead of saying "This hack has been removed due to a SQL Injection Vulnerability in clancp.php?do=join, where a malformed input (such as [example]) would allow an user to show/modify anything from the database" ;)

I applaud this, and just hope I have managed to fix all holes so this never happens to me XD

Marco van Herwaarden 06-17-2005 07:25 AM
The kind of information on the risk that we give, will be based on the kind of vulnerability.

Erwin 06-18-2005 07:28 AM
Quote:
Originally Posted by Reeve of shinra
I think this is a double edged sword. I kind of agree with everything here but at the same time I think the nature of the vulnerability should be made known to the people that have installed it at least. Perhaps some of them can patch it.

The better question is what if its not a serious vulnerability or if its an issue that would only affect a specific yet minor group? Like say people running the hack on ISS would be vulnerable but on apache it wouldn't or something.

? Like say for instance it only affects a
We will decide what to tell the users who installed it. You can appreciate the fact that some people may click install but have not installed it just to keep updates of when a vulnerability is found, and then if they know what it is, to take advantage of it.

Members who we trust who contact us may be given full information though. It's a case by case thing - we can't make rules for every case but we can make general protocols.

Azhrialilu 06-18-2005 08:08 AM
Speaking as someone who did have a hack installed on a forum which did have a vulnerability which gave people access to the admincp (obviously keeping this vague because I don't want to upset the person who wrote the hack) I applaud this idea! :)

Reeve of shinra 06-19-2005 08:02 PM
Quote:
We then proceed to inform all members who have installed the hack.
If it comes to this step, can this be announced by the staff using the update announcer?

I didnt even notice the journal issue until I was reading through the thread just now.

Erwin 06-19-2005 10:48 PM
Quote:
Originally Posted by Reeve of shinra
If it comes to this step, can this be announced by the staff using the update announcer?

I didnt even notice the journal issue until I was reading through the thread just now.
Yes, that is how we will do it. Which makes the "Installed" button even more important.

ManagerJosh 06-20-2005 04:29 AM
What about exceptions Erwin, like another party other than the original author(s) step in and provides a decent patch or fix to the problem?

Erwin 06-20-2005 05:30 AM
Quote:
Originally Posted by ManagerJosh
What about exceptions Erwin, like another party other than the original author(s) step in and provides a decent patch or fix to the problem?
That is allowed and even encouraged. :)


All times are GMT. The time now is 06:13 AM.
Page 2 of 4 1 2 34
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.00988 seconds
  • Memory Usage 1,740KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (6)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (3)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete