vb.org Archive

Exposing the user to harm (https://vborg.vbsupport.ru/showthread.php?t=151083)

nexialys 07-01-2007 08:58 PM

Quote:

Originally Posted by smacklan (Post 1280801)
I'm here for many reasons that have nothing to do with mods...as are many others ;)
Have you ever heard of a security hole being introduced from a skin?

Hum... psst... HTML inserts and JavaScript exploits are induced by skins... can you just be neutral when you don't know...

anyway, these discussions are completely worthless... if you are not happy with an administration, create your own and start your project... you'll be the one to deal with your problems...

Brad 07-01-2007 09:36 PM

Quote:

Originally Posted by smacklan (Post 1280801)
Have you ever heard of a security hole being introduced from a skin?

While it'll probably never happen...a style release could contain some very nasty stuff if not for a small portion of php code in adminfunctions_template.php.

smacklan 07-01-2007 09:39 PM

Quote:

Originally Posted by nexialys (Post 1280826)
Hum... psst... HTML inserts and JavaScript exploits are induced by skins... can you just be neutral when you don't know...

I didn't say it was impossible, I said have you ever heard of it happening? Please check your over-inflated ego at the door :rolleyes:

Dream 07-01-2007 10:01 PM

Quote:

Originally Posted by nexialys (Post 1280826)
anyway, these discussions are completely worthless...

I agree. Not every coder on this site for hobbyists will want or have time to fix their mods, hence the policy of removing them. Asking to be treated differently is an ego problem.

Brandon Sheley 07-01-2007 10:07 PM

Quote:

Originally Posted by hambil (Post 1280602)
That aside, I still think it's a flawed policy. The email that went out to all the users stated:
This modification contains a MySQL injection vulnerability

It was also put into the thread itself in nice large red letters:
This modification contains a MySQL injection vulnerability

This puts every user of the hack at risk. It also creates a nice little searchable database for anyone who might want to start hacking VB sites. It's an all around bad idea.

I think this is a great idea; this gives the users who have installed the hack ample time to remove the hack from their site.

If you don't keep up with the hacks on your site, that's your problem ;)

just my 2 cents :D

hambil 07-01-2007 10:47 PM

Quote:

Originally Posted by Dream (Post 1280859)
I agree. Not every coder on this site for hobbyists will want or have time to fix their mods, hence the policy of removing them. Asking to be treated differently is an ego problem.

I'm not asking to be treated differently. I'm stating that 1) Even if you accept that instantaneously removing a mod is a good thing, broadcasting specifics about the security flaw to the world before it is fixed is not smart. 2) When a board policy undergoes a significant change, a process should be in place to make sure those affected are aware.

nexialys 07-01-2007 11:04 PM

Quote:

Originally Posted by smacklan (Post 1280851)
Please check your over-inflated ego at the door :rolleyes:

Hey, I paid for that ego, please give it a shot!!!

hambil 07-01-2007 11:15 PM

Quote:

Originally Posted by smacklan (Post 1280851)
I didn't say it was impossible, I said have you ever heard of it happening? Please check your over-inflated ego at the door :rolleyes:

Have you heard of a board being hacked because of a security flaw in a mod? I've been doing this for years and I haven't. The few hackings that I am aware of were over flaws in vB itself.

The biggest problem facing board owners using third party software is bugs, not security flaws. And skins can, and do, introduce plenty of bugs.

smacklan 07-02-2007 12:06 AM

This thread is about security holes. I do agree with your position about how notification takes place, however.

bashy 07-03-2007 07:44 AM

Quote:

Originally Posted by hambil (Post 1280602)
That aside, I still think it's a flawed policy. The email that went out to all the users stated:
This modification contains a MySQL injection vulnerability

The email is a good idea to all installers of the hack...I certainly would prefer to receive an email to let me know!

Quote:

Originally Posted by hambil (Post 1280602)
It was also put into the thread itself in nice large red letters:
This modification contains a MySQL injection vulnerability

This puts every user of the hack at risk. It also creates a nice little searchable database for anyone who might want to start hacking VB sites. It's an all around bad idea.

I agree totally, but, then again, it shouldn't be an issue if the installers of the hack disabled it. If they haven't, then it's their own fault; they have been warned, twice...


All times are GMT.