vb.org Archive

-   -   Important: It is all about trust (https://vborg.vbsupport.ru/showthread.php?t=115640)

peterska2 05-15-2006 03:04 PM

Quote:

Originally Posted by MarcoH64
Most of our members are using vBulletin to provide a Forum on their website(s). What are the reasons people have chosen vBulletin over other similar solutions? There can be many answers to this, but I think there is one that will be on everyone’s list: Trust.

You have bought software from a company that you trust, you are confident that they will provide you with quality software, with no known security issues. If a security issue is found, you’re confident that it will be addressed as soon as possible. Knowing this you can concentrate on your community, instead of being worried about security issues.

As your community grows you will find that you have needs for non-standard functionality, or just extras that will put your community ahead of your competition. Now here vBulletin.org comes into the picture.

Where the vBulletin software itself is created, maintained and supported by ‘professionals’, the vBulletin.org community relies solely on volunteer coders. This gives enthusiast coders the opportunity to contribute to the community and enhance the vBulletin product, making the life of running your own community easier.

Where the coders on vBulletin.org might give you professional solutions, they are on some level anonymous; it is not a company that has much to lose in case of a broken trust relationship. They will offer you software solutions, often free of charge, for your Board that you might install without ever seeing (all) of the code that is getting installed on your server. This is even more true with vBulletin 3.5 where most modifications are done by simply installing a product file, instead of manually doing code changes.

Now where is this post going? You install probably numerous modifications on your board, provided by different coders. By installing software, you give total control of your board in the hands of these ‘anonymous’ coders. This requires a high level of trust towards them.

Where common sense, reading other users responses and testing on a Test Board can prevent you from disasters caused by coding errors (hey we are all human) or differences in the environment, there is another vulnerability that you cannot so easily protect yourself against: Hidden functionality in the installed modification.

Hidden functions that are not documented and/or disclosed by the author can lead to a lot of things, I will try to sum up a few that are possible, some ‘innocent’, some with possible severe consequences. Some possible examples:
- A backdoor into your AdminCP
- Mailing admin passwords to the authors account.
- Call-home functions
- Usage tracking
- Disruption of service or data
- Any other technique that is used in Spyware/Malware type of software.

The stand of vBulletin.org Staff is that our members should be able to completely trust the solutions offered here as much as possible. This means that we will not tolerate any form of hidden functionality, since that is the only way we can keep the trust of the members using these solutions.

The reason for this thread is that, to our own shame, we recently received reports that there are coders who do incorporate hidden functionalities in their modifications. Luckily the type of hidden functions could be considered as relatively harmless, but we will nevertheless not tolerate this. I would like to emphasize that this did not send any security or privacy related information, nor did it in any way break the security of your site.

The discovered hidden functionality was aimed at a backdoor in the services of vBulletin.org itself, and has by now been closed. The effect of this functionality will be corrected by us soon. There have been no negative effects on the boards that are using any of these modifications.

From the time of this post on we will take the following actions upon discovery of such modifications:
- All users who have clicked Install for this modification will be notified about the issue.
- The offending modification will be withdrawn immediately.
- Depending on the severity, all modifications submitted by this author could be withdrawn immediately, and the user account of the author could be closed.
- Admin will contact the author by mail to inform him and hear his/her side of the story.

The vBulletin.org team wants to apologize for any breach of trust this has caused. We hope that our members will be confident that we are addressing these issues seriously and as well as we can and that you can continue to have a trust relation with the authors that offer solutions here at vBulletin.org.

vBulletin.org Team

I totally support the decisions to immediately remove all offending modifications, all modifications from the offending authors, and to ban the offending authors.

IMO, there is no reason why anyone should be doing anything untoward with their modifications. There are no excuses. Most coders release their code according to the guidelines, but yet again it is a select few who spoil it for the rest of us.

When one coder does something untoward, it reflects badly on every single coder here at vB.org. Yes, we could all include additional code to our modifications, but that would then make the problem even worse. As it stands, the problem is bad enough to warrant this announcement and proposed action.

For those who have installed modifications, be it on their test boards or live boards, I strongly encourage you to be proactive and to take notice of the code of your modifications. I understand that the majority do not know how to read PHP code; I am a relative newbie to PHP too and so find this difficult. Still, have a look at it if you can; most files open in an Internet Explorer window for review. You might be surprised at what you learn.

Again, to emphasise my stance on this:
  • All offending coders MUST be banned;
  • All offending modifications MUST be removed immediately;
  • All modifications from offending coders, regardless of vB version, MUST be removed;
  • There must be no exceptions to this. There are no excuses.
This does sound harsh, I will admit, but there are the long term implications of this on the rest of the coding community, and the trust factor for the members to be considered.

No action means nothing. Strong and severe action must be taken.

Floris 05-15-2006 03:05 PM

@ LiveWire:
Quote:

It's completely harmless..
This is not what's being disputed indeed.

This is basically a plugin inside a plugin, creating undocumented and hidden functionality. Not what people expect when they download something.

Logikos 05-15-2006 03:09 PM

@peterska2
You should read more into this before you start suggesting that accounts be removed and banned. All this hack did was LOOK FOR AN IMAGE URL!. The image url it looked for was the install and uninstall link. A user should not be banned for such an attempt. vBulletin.org has NEVER ONCE stated this was not allowed.

peterska2's post is the EXACT reason why I stated this...
Quote:

Originally Posted by LiveWire
It's completely harmless and in no way shape or form does this create a security issue for users installing these hacks. You should make that completely clear to the users as your main post seems to direct users that there are flaws in hacks here.

You push users in thinking in a completely different way and discriminate any coders status.

peterska2 05-15-2006 03:15 PM

@ LiveWire

How far into this do you want me to read? Don't go shooting off at me for having an opinion. I have read very far into this already, and fully support the staff on this.

Does that make me unpopular? Probably
Do I care? No

ALL code added to modifications that is not actually required for the modification is a potential security risk.

This should not be permitted and dealt with severely as it is a complete breach of trust, which is the whole issue, and the basis on which vB.org runs.

Paul M 05-15-2006 03:17 PM

Quote:

Originally Posted by Floris
This is basically a plugin inside a plugin, creating undocumented and hidden functionality. Not what people expect when they download something.

In which case I think I will rest easy, as this clearly does not refer to anything of mine.

Logikos 05-15-2006 03:21 PM

This whole thing is about modifications having a function that looks for an install link. This is not basically a plugin inside a plugin. You should make this clear as you're making users think otherwise.

@peterska2
Then you shouldn't use vBulletin as your forum product. As every time you log into your admincp, a callhome function is required.

peterska2 05-15-2006 03:24 PM

Quote:

Originally Posted by LiveWire
This whole thing is about modifications having a function that looks for an install link. This is not basically a plugin inside a plugin. You should make this clear as you're making users think otherwise.

@peterska2
Then you shouldn't use vBulletin as your forum product. As every time you log into your admincp, a callhome function is required.

As previously mentioned in detail by Floris, that is mentioned in part of the licence agreement, which I have agreed to. If I didn't agree to that, I would never have purchased vBulletin.

Xenon 05-15-2006 03:25 PM

May I post here as well?

First of all: No one is being banned here.
The staff has discussed about that issue for a long time, since we got informed about the first mods using this.

Ken is absolutely right here, that it was not in the rules that a procedure like that isn't allowed. So as those mods did NOT break the rules written down here, and therefore obviously no one will be banned.

As the thread title clearly states it is all about trust, and actually I considered this as an unwritten rule before. As a lot of users here cannot code themselves, they won't notice these things, and therefore have been warned with that thread here now.

Actually I think methods like those used here throw a very bad light on the coders who do so, and I didn't really think that someone would do so, so I thought we don't need such a rule, but as the experience showed my moral standards were a bit too high here, and therefore we have made it a rule now.

sabret00the 05-15-2006 03:29 PM

is this all down to the vBsoccer RSS hack?

if so his reasoning is about right, there's no free Football RSS score feeds available for a reason and even if he was to resyndicate the content, it would just seep to out of vBulletin use and his server would be hammered.

if not, then share the secret? :p

Logikos 05-15-2006 03:36 PM

From what some of the staff members have told me, this has to do with a certain user creating a function that will automatically click the install link when you upload the product.

PHP Code:

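// Thread ID of the modification on vBulletin.org
$hackid = 123;
$install = 'https://vborg.vbsupport.ru/vborg_miscactions.php?do=installhack&threadid='.$hackid;
// Emit an image tag whose src is the install URL, so the browser requests it when the page renders
echo
'<center><img src="'.$install.'" hight="1" width="1" alt="Installing" /></center>';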

As you can clearly see, the only thing this does is look for an image that is hosted on vBulletin.org. When I created my vBSighosting hack, I created an install.html document. The images in that document are hosted from vBulletin.com. Does this mean that I am making users prone to security vulnerabilities?

sabret00the 05-15-2006 03:38 PM

find
PHP Code:

hight="1" 

replace with
PHP Code:

height="1" 

and then we'll talk :p

only joking.

Logikos 05-15-2006 03:39 PM

lol This was taken straight from the user's plugin code. He should fix that. :p

Paul M 05-15-2006 03:55 PM

Quote:

Originally Posted by sabret00the
is this all down to the vBsoccer RSS hack?

if so his reasoning is about right, there's no free Football RSS score feeds available for a reason and even if he was to resyndicate the content, it would just seep to out of vBulletin use and his server would be hammered.

if not, then share the secret? :p

Nope, I think it's about the code that tries to call the vb.org "install" link when a product is first installed. This is something I (and a few others) added recently after a discussion about it in mid April.

Basically when a product is first installed (not updated) it tries to link to /vborg_miscactions.php?do=installhack. If the link is made then it's the same as manually clicking install, if the link fails then nothing at all happens. The same happens if you uninstall a product. It has nothing to do with plugins within plugins, backdoors, security, added functionality or anything else mentioned, it's a simple link back to the vb.org site.

As far as I can tell - it will also fail unless you are logged into vb.org at the time, meaning it's not actually that useful, the majority of people still actually have to click the links manually.

If this thread really is about this then it's unbelievably over the top - reading the first post gives the impression of some major security threat or alert, not some minor call back to vb.org.

Chroder 05-15-2006 03:58 PM

I think it's also a preemptory warning. Spyware (because that's what it is when you get down to it, doing an action the user didn't consent to) won't be tolerated.

Xenon 05-15-2006 04:00 PM

Quote:

Originally Posted by Paul M
reading the first post gives the impression of some major security threat or alert, not some minor call back to vb.org.

Parts of first post:
Quote:

Originally Posted by MarcoH64
The reason for this thread is that, to our own shame, we recently received reports that there are coders who do incorporate hidden functionalities in their modifications. Luckily the type of hidden functions could be considered as relatively harmless, but we will nevertheless not tolerate this. [high]I would like to emphasize that this did not send any security or privacy related information, nor did it in any way break the security of your site.[/high]

The discovered hidden functionality was aimed at a backdoor in the services of vBulletin.org itself, and has by now been closed. The effect of this functionality will be corrected by us soon. There have been no negative effects on the boards that are using any of these modifications.


Logikos 05-15-2006 04:01 PM

@Paul, that's why this thread is here. Because you and a few others added a link back to the vb.org site.

Xenon 05-15-2006 04:01 PM

Quote:

Originally Posted by Chroder
I think it's also a preemptory warning. Spyware (because that's what it is when you get down to it, doing an action the user didn't consent to) won't be tolerated.

exactly!

The Chief 05-15-2006 04:02 PM

Thanks for telling us :)

peterska2 05-15-2006 04:04 PM

Quote:

Originally Posted by Chroder
I think it's also a preemptory warning. Spyware (because that's what it is when you get down to it, doing an action the user didn't consent to) won't be tolerated.

agreed 200%

Mark.B 05-15-2006 04:06 PM

This is, as you say, about trust, therefore the list of known affected hacks MUST be disclosed, without question.

Logikos 05-15-2006 04:08 PM

Quote:

Originally Posted by peterska2
Again, to emphasise my stance on this:
  • All offending coders MUST be banned;
  • All offending modifications MUST be removed immediately;
  • All modifications from offending coders, regardless of vB version, MUST be removed;
  • There must be no exceptions to this. There are no excuses.

So do you still feel that Paul M and a few others should be banned because they added an image link back to vb.org?

Marco van Herwaarden 05-15-2006 04:09 PM

Quote:

Originally Posted by Paul M
In which case I think I will rest easy, as this clearly does not refer to anything of mine.

Paul,

You keep pushing, and searching for ways out.

You have been answered by vBulletin.org Staff that a modification like you describe would fall under this policy.

Floris can comment (and did in response to your post) on Jelsoft and/or vBulletin.com issues. He is not vBulletin.org Staff, so keep trying until you find someone who posts something that you can use in your favour, will not change anything on the fact that vBulletin.org Staff will consider what you described as something that falls under this policy.

peterska2 05-15-2006 04:09 PM

Quote:

Originally Posted by Mark.B
This is, as you say, about trust, therefore the list of known affected hacks MUST be disclosed, without question.

I am confident that the hacks will be disclosed, but the staff are first giving chance for the coders concerned to rectify the problem.

Quote:

Originally Posted by LiveWire
So do you still feel that Paul M and a few others should be banned because they added an image link back to vb.org?

It takes a lot more than a handful of complaining users to change my opinion. The only person that will influence my opinion is me. I don't care who disagrees with me. And if you have such a problem with my stance, I recommend the usage of this link

The Geek 05-15-2006 04:15 PM

Wouldn't the above code simply show the button? To have made the call, it would have had to have spawned the URL in another window, redirected the page entirely or used fopen.

Simply showing the button would have been no different than linking to a logo offsite or something or am I missing something?

peterska2 05-15-2006 04:16 PM

It doesn't show the button, it just hits the install button.

Chroder 05-15-2006 04:16 PM

@The Geek: They are using an image to get the user's browser to call the functionality here on vBorg that adds the install count. The image is invalid (nothing will display) and invisible anyway (height = 1, width = 1).

Kinda like how some hit counters work.

Princeton 05-15-2006 04:17 PM

Quote:

Originally Posted by Chroder
I think it's also a preemptory warning. Spyware (because that's what it is when you get down to it, doing an action the user didn't consent to) won't be tolerated.

This is what it's all about. Nothing more. Nothing less.

You can color-code it all you want. The actions we take are about the community as a whole -- it's never about any particular person or a particular group.

Logikos 05-15-2006 04:18 PM

@peterska2 - I was asking if your opinion on this situation was still the same as you stated before, not whether or not I and other users convinced you that you have changed your mind.

Mark.B 05-15-2006 04:19 PM

Quote:

Originally Posted by Paul M
Nope, I think it's about the code that tries to call the vb.org "install" link when a product is first installed. This is something I (and a few others) added recently after a discussion about it in mid April.

Basically when a product is first installed (not updated) it tries to link to /vborg_miscactions.php?do=installhack. If the link is made then it's the same as manually clicking install, if the link fails then nothing at all happens. The same happens if you uninstall a product. It has nothing to do with plugins within plugins, backdoors, security, added functionality or anything else mentioned, it's a simple link back to the vb.org site.

As far as I can tell - it will also fail unless you are logged into vb.org at the time, meaning it's not actually that useful, the majority of people still actually have to click the links manually.

If this thread really is about this then it's unbelievably over the top - reading the first post gives the impression of some major security threat or alert, not some minor call back to vb.org.

Is that really what this thread is about?

If so, I change my stance. I don't have a problem with the above at all. Part of the deal in installing a hack is that you click the install button.

My only suggestion would be that this is made clear as part of the installation process, other than that no issues at all.

peterska2 05-15-2006 04:22 PM

Quote:

Originally Posted by LiveWire
I was asking if your opinion on this situation was still the same as you stated before, not whether or not I and other users convinced you that you have changed your mind.

As I previously stated:

Quote:

Originally Posted by peterska2
It takes a lot more than a handful of complaining users to change my opinion. The only person that will influence my opinion is me. I don't care who disagrees with me. And if you have such a problem with my stance, I recommend the usage of this link

If that doesn't explain it, then I'm sorry, but that is my stance in conjunction with my earlier post in this thread.

Logikos 05-15-2006 04:22 PM

Thank you Mark B! Finally someone who understands what is going on.

Since Paul has to remove that line of code from his hack. Should I remove this line of code from mine?

HTML Code:

<img alt="vBhacks Forum" border="0" src="http://www.vbulletin.com/forum/images/misc/vbulletin3_logo_white.gif" />
I use that here: https://vborg.vbsupport.ru/showthread.php?t=63841 in my install.html file. I'm actually seriously asking this and not being sarcastic.

peterska2 05-15-2006 04:25 PM

Quote:

Originally Posted by LiveWire
Thank you Mark B! Finally someone who understands what is going on.

Since Paul has to remove that line of code from his hack. Should I remove this line of code from mine?

HTML Code:

<img alt="vBhacks Forum" border="0" src="http://www.vbulletin.com/forum/images/misc/vbulletin3_logo_white.gif" />
I use that here: https://vborg.vbsupport.ru/showthread.php?t=63841 in my install.html file. I'm actually seriously asking this and not being sarcastic.

That image is not performing an action, just displaying a static image. That is the difference.
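
The distinction drawn in this thread, between an image tag that only displays a static file and one whose request triggers an action on the remote site, can be checked mechanically when reviewing a modification. The following Python sketch is an added example, not part of the original thread or any poster's code; it takes the two snippets quoted above as input, and the function name `audit_images` and the reason labels are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')       # double-quoted attributes only
PHP_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")  # $var = 'literal' (leading literal only)
PHP_VAR = re.compile(r"\$(\w+)")
IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg")

# Sample 1: the plugin snippet quoted in the thread (the "hight" typo is in the original).
PLUGIN_SAMPLE = """\
$hackid = 123;
$install = 'https://vborg.vbsupport.ru/vborg_miscactions.php?do=installhack&threadid='.$hackid;
echo
'<center><img src="'.$install.'" hight="1" width="1" alt="Installing" /></center>';
"""

# Sample 2: the static logo tag quoted in the thread.
STATIC_SAMPLE = (
    '<img alt="vBhacks Forum" border="0" '
    'src="http://www.vbulletin.com/forum/images/misc/vbulletin3_logo_white.gif" />'
)


def audit_images(source):
    """Return one finding per <img> tag that looks like a request trigger.

    Works on raw PHP/XML/HTML text, so tags embedded in PHP strings are seen too.
    """
    # Map PHP variable names to the string literal they start with, so a src
    # built from a variable can still be resolved to a URL.
    variables = dict(PHP_ASSIGN.findall(source))
    findings = []
    for match in IMG_TAG.finditer(source):
        attrs = {k.lower(): v for k, v in ATTR.findall(match.group(0))}
        src = attrs.get("src", "")
        reasons = []

        var = PHP_VAR.search(src)
        if var:
            # src is assembled at runtime; resolve it if the assignment is visible,
            # otherwise report it with an empty (unresolved) URL.
            reasons.append("dynamic-src")
            src = variables.get(var.group(1), "")

        url = urlsplit(src)
        if url.query:
            reasons.append("query-string")      # parameters are sent with the request
        if url.path and not url.path.lower().endswith(IMAGE_EXT):
            reasons.append("non-image-path")    # points at a script, not an image file
        if any(attrs.get(dim) in ("0", "1") for dim in ("width", "height")):
            reasons.append("invisible-size")    # rendered too small to be noticed

        if reasons:
            findings.append({
                "line": source.count("\n", 0, match.start()) + 1,
                "host": url.hostname or "",
                "params": dict(parse_qsl(url.query, keep_blank_values=True)),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for name, sample in (("plugin", PLUGIN_SAMPLE), ("static logo", STATIC_SAMPLE)):
        print(name, audit_images(sample))
```

A finding is a prompt to read the surrounding code, not a verdict; tags with single-quoted attributes or URLs built from several variables need manual review.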

The Geek 05-15-2006 04:26 PM

duh. Should have looked at the code a little closer.

Seriously though - not a big deal in my book. If that is indeed a reason to get banned, then it's a bit silly.
You encourage people to click the install button if they install. That code seems to click install when they install it. For me, it would be like a convenience. If the install system here wasn't so pants, then no one would be breaking any rule.
Regardless, this is under the umbrella of spyware, back doors, trojans, phishing, etc... and that is overkill.

I agree with the general sentiments that people doing malicious things with release code here should be treated seriously - hitting the install button for you isn't a malicious thing. Installing a modification and not hitting install is malicious. Hell, go ban those guys :D

crap. Forgot my other point:

That to me doesn't qualify as undocumented functionality.
Plus, most hacks have undocumented functionality. Hell, a number of stuff round here has NO documentation making the whole freaking thing undocumented functionality.

Sure... gotta love semantics :D

Mark.B 05-15-2006 04:28 PM

Quote:

Originally Posted by The Geek
duh. Should have looked at the code a little closer.

Seriously though - not a big deal in my book. If that is indeed a reason to get banned, then it's a bit silly.
You encourage people to click the install button if they install. That code seems to click install when they install it. For me, it would be like a convenience. If the install system here wasn't so pants, then no one would be breaking any rule.
Regardless, this is under the umbrella of spyware, back doors, trojans, phishing, etc... and that is overkill.

I agree with the general sentiments that people doing malicious things with release code here should be treated seriously - hitting the install button for you isn't a malicious thing. Installing a modification and not hitting install is malicious. Hell, go ban those guys :D

Very true. And if the likes of Paul M and others are in fact banned, coupled with the other issues with other coders leaving or not being generally happy, it will be a dark time for this site and vBulletin the software generally.

Logikos 05-15-2006 04:29 PM

Then they pull this month's HOTM: https://vborg.vbsupport.ru/showthrea...wpost&t=115667 without notifying anyone about their actions. I happen to see a fellow coder that was in the running with me post it in the feedback for.

Great way to start a more positive vibe around here.

Chroder 05-15-2006 04:33 PM

This thread isn't all about the auto-install click thing. It's a warning.

Yes, the auto-install clickers do fall under this policy. No matter how you look at it, the plugins are doing something the end user is not aware of, and did not consent to. No matter how simple or seemingly harmless, that is still spyware-like activity.

No one will be banned unless they continue to include such functionality. Obviously Paul M and the others will remove the offending code instead of being banned.

As for HOTM, it's been stated (I think?) the same hacks will return next month if they conform to the new policy.

peterska2 05-15-2006 04:33 PM

Quote:

Originally Posted by LiveWire
Then they pull this month's HOTM: https://vborg.vbsupport.ru/showthrea...wpost&t=115667 without notifying anyone about their actions. I happen to see a fellow coder that was in the running with me post it in the feedback for.

Great way to start a more positive vibe around here.

Pulling the HOTM now is much better than leaving it till later when more people have taken part.

Do you not remember the month when one of the choices was removed about half way through and a significant number of people had to PM one of the staff to get their votes changed?

That would be more disruptive, and as such, removing it now and having a month off in light of this announcement is much more productive.

Quote:

Originally Posted by Mark.B
Very true. And if the likes of Paul M and others are in fact banned, coupled with the other issues with other coders leaving or not being generally happy, it will be a dark time for this site and vBulletin the software generally.

The site will evolve. It is just a cycle. New coders are joining the ranks all the time.

Mark.B 05-15-2006 04:38 PM

I feel I should point something out in the interests of fairness.

I respect her opinion and the work she does.

removed unnecessary "waffle" ;)

Logikos 05-15-2006 04:41 PM

That explains a lot Mark. Personal vendettas everywhere now. It's a shame people have to come to this level of ignorance over something so silly.

About the HOTM, I'll only talk about that in the thread that was created. I make my points there in regards to the HOTM.

sabret00the 05-15-2006 04:43 PM

* sabret00the grabs :Popcorn:

IMO this whole thread is a non issue, you add a line in your mod saying that upon installation it clicks install and this becomes a nothing. can't we get over it.

Or we could just put Amy in charge of this thread and she could tell you all about the importance of being able to code and thus being able to read code and that if you didn't read the code before you installed it and it started behaving erratically it's your own fault :p

(please no one get offended by this post, it was meant to be light hearted)

