vb.org Archive
Page 5 of 16 « First 34 5 6715 Last »
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin.org Site Feedback (https://vborg.vbsupport.ru/forumdisplay.php?f=7)
-   -   Sending of Hacks to the Graveyard (https://vborg.vbsupport.ru/showthread.php?t=153206)

Clayton 07-24-2007 01:57 PM
Quote:
Originally Posted by deezelpope (Post 1300180)
Noooo, he's not saying that at all. I believe he's saying that he would rather have a board with zero modifications, rather than have a board that was defaced by hackers due to exploited modifications or modifications with security issues.
to be absolutely honest, if were not for vb.org and the various hacks then vbulletin would be simply another set of forums

@marco

adding fuel to fire should be left to trolls ;)


thanks jammiegirl for a level headed approach

:D

as mentioned hopefully this can be avoided in the future

deezelpope 07-24-2007 02:51 PM
Quote:
Originally Posted by MicroHellas (Post 1300192)
Funny!! That's why I wrote "I apologize etc etc". I don't know the meaning of "deface". I got the meaning of "full of" as the other member wrote above.
I'm sorry...I used the term "defaced" in my post, not realizing you did not know. Defacing is a very bad thing...
Quote:
Originally Posted by Clayton (Post 1300197)
to be absolutely honest, if were not for vb.org and the various hacks then vbulletin would be simply another set of forums

@marco

adding fuel to fire should be left to trolls ;)


thanks jammiegirl for a level headed approach

:D

as mentioned hopefully this can be avoided in the future
Oh, you're absolutely right! Even though I'm through modifying my own board (I think), I still love coming here to see the new mods. But seeing good mods end up in The Graveyard makes me sad.:(

You're welcome...I try!:D Hehe...you called me "jammiegirl"...how cute!:D

hambil 07-24-2007 05:52 PM
Quote:
Originally Posted by Clayton (Post 1300051)
finding a solution to the problems are number one, which should be always be the aim

however

as mentioned by microhellas, you don't find vBulletin sending out an email to all their users, when they find a vulnerability, to uninstall their software. They work to first find a solution.

to see how an email was sent out to all the users of Microhellas' hacks before finding a solution with the author was (imo) irresponsible and it has led to a valid contributor now making her hacks unavailable to the users of vb.org

I can see her point, the email sent out creates alarm (which from a business point of view for her is plain destructive) and causes the users of her products to get the impression that there is something inferior or wrong with her products

in this instance a solution was easily found by the author and this whole scenario could have been avoided

hopefully those involved can learn from this

Thank you everyone for working to provide a service of value to all users
Been here, had this argument, lost it, and that's why my hacks are no longer available here either. Glad to see I'm not alone in feeling this way, though :)

Paul M 07-24-2007 06:47 PM
Quote:
Originally Posted by Clayton (Post 1300081)
when exploits are found with vBulletin they do not send out an email to all their users telling them to uninstall.
What Jelsoft do is not relevant - they own and write vbulletin, so they simply fix any exploits and advise you to upgrade.

vbulletin.org do not own/control/write the modifications so they advise you to uninstall - whether you take that advice is entirely up to you.

Quote:
This modification contains an xxxxx vulnerability. You are hereby advised to uninstall this modification until such time that the author provides a fix.
-- vBorg Staff

Wayne Luke 07-24-2007 07:31 PM
Wouldn't it be much better for the people involved to do this:

1) Modification is reported with an exploit and it is verified.

2) Staff member puts a "Exploit found" flag on the modification. Within a notes field, the staff member can document the exploit and add any other necessary comments. When they save it, an email is fired off to the Author(s) of the addon.

3) The flag above also puts a notice on the addon and prohibits new users from downloading it until a new version is uploaded by the author. People who have already marked it as installed can still download it but a warning is shown on the first post in nice bright, eye-catching letters. This could also send the email out to users who have installed it. The text of which could be modified to something like:

Quote:
An vulnerability in XXX modification has been reported and confirmed. We have notified the author about this and are awaiting a fix for the issue. At this time it is advised to disable this addon on your site. To get more infomation about this issue please visit the modification support thread at:

4) Staff looks at new version, if okay then flag is removed and everyone goes about their merry business.

This would prevent moving addons to the "graveyard", give authors time to fix the problem and not make the exploit available to new users. Current customers can continue to get support. Addon authors keep their work and such and less work overall for the staff here. Seems likes it would be win-win-win all-around.

It seems most of this system is in place. Just a little different way of handling it

hambil 07-24-2007 07:51 PM
Quote:
Originally Posted by Wayne Luke (Post 1300470)
Wouldn't it be much better for the people involved to do this:

1) Modification is reported with an exploit and it is verified.

2) Staff member puts a "Exploit found" flag on the modification. Within a notes field, the staff member can document the exploit and add any other necessary comments. When they save it, an email is fired off to the Author(s) of the addon.

3) The flag above also puts a notice on the addon and prohibits new users from downloading it until a new version is uploaded by the author. People who have already marked it as installed can still download it but a warning is shown on the first post in nice bright, eye-catching letters. This could also send the email out to users who have installed it. The text of which could be modified to something like:




4) Staff looks at new version, if okay then flag is removed and everyone goes about their merry business.

This would prevent moving addons to the "graveyard", give authors time to fix the problem and not make the exploit available to new users. Current customers can continue to get support. Addon authors keep their work and such and less work overall for the staff here. Seems likes it would be win-win-win all-around.

It seems most of this system is in place. Just a little different way of handling it
For what it's worth, I would fully support this. Thanks Wayne.

-=Sniper=- 07-24-2007 08:32 PM
That would be much better but as the author I still want to have the opportunity to FIX the issue and send the security issue message at the SAME TIME. Rather than leaving users waiting for a fix! If I don't update it yeh sure send the message but the opportunity needs to be there.

dsotmoon 07-24-2007 09:08 PM
i think wayne should be running things here because his ideas make alot more sense than whats happening right now

Neal-UK 07-24-2007 09:11 PM
Please leave the install .txt file on graveyarded modifications and a list of files that would have been added to the server and their location.

If it's a file that causes the problem, then by removing the plugin only will not stop the risk, IMO.

hambil 07-24-2007 09:12 PM
Quote:
Originally Posted by Neal-UK (Post 1300571)
Please leave the install .txt file on graveyarded modifications and a list of files that would have been added to the server and their location.

If it's a file that causes the problem, then by removing the plugin only will not stop the risk, IMO.
This is true. Not all products 'disable' the way they should - especially if they contain file edits or template edits. Good point.


All times are GMT. The time now is 03:32 AM.
Page 5 of 16 « First 34 5 6715 Last »
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01205 seconds
  • Memory Usage 1,757KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (9)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (1)pagenav_pagelinkrel
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete