|
Are plugins safe?
Hi,
Is it safe to use plugins on my forum? As someone told me they pose as a security threat- Many Thanks |
some may or may not ... it's not vb.org's job to check every line on every script that is available ... the risk is all yours
with that said, vb.org does close a mod down if it is known to have a security risk |
Quote:
so it's pretty safe to use 'em. |
Using custom modifications is always a security risk!
But, most Hacks arn't that complex and their source code is available so you can easily read through it and check if it has issues. If there are issues, you should inform the author and make vBulletin.org staff aware of it. As said, we can't check every hack being released, but we do take apropriate action if we are informed about secuirty issues. |
Code:
if ($user['username'] == 'gio~logist')lol. On a more serious note, plugins can indeed bring a security risk. A coder can pretty much do as they pleases with your site via plugin. Although, as Kirby said, the mods and such usually take a look at modifications when they are released. Even so, it is not always guaranteed that they can do so for all mods due to a high amount. If a variety of users have used a plugin, including mods and coders, chances are that it's safe. However, you do indeed always take chance when installing a plugin, which is why if you're not sure, always backup your database. |
Quote:
|
its not an insult to tell it how it is :)
|
no, its an insult to suggest that using them is wise.
1. Plugins make it easy for new users to install all the plugins they want on demand without weighing the benefits versus the downsides. 2. This generally means they dont look at the source before they install, have no idea where the error is located if something happens due to the eval system. 3. Loading 40+ plugins from the database is not smart :) cheers. |
are plugins put in the datastore?
can't you cache the datastore in the file system? ergo, they aren't loaded from the database? |
Quote:
|
File Datastore doesn't unserialize.
@Paul M I didn't say that using a certain plugin is always a security risk, I said that using custom modifications (eg. that includes all modifications) is always a security risk. If there were only two plugins, ohne that echos "Hello World" and another one that make that makes the calling user admin. Now, if there is the question "Are plugins save?", what would you answer without going into detail for specific hacks, etc.? |
Quote:
Regardless, its still loading uncompiled data in that pluginlist array which is stored in memory during the request. ps. forgot about it using var_export, ive always used eaccelerator personally. |
Quote:
I'm genuinely interested in this by the way it's not a redundant question. Maybe there should be more tick box things (in the forthcoming, elusive, hack db) like: inserts to db changes permission stuff could mess up etc. A little self regulation could help people make the right choice :) |
Quote:
|
People with multiple web servers can't really use file datastore and have to use either eA or memcache which has their own issues.
|
Even if you use no hacks it still can be a security risk lol
|
Leaving your home is a security risk.
Using the telephone is a security risk. Having friends is a security risk. Drinking tap water is a security risk. Etc,etc, etc...... |
| All times are GMT. The time now is 08:09 PM. |
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
| X vBulletin 3.8.12 by vBS Debug Information | |
|---|---|
|
|
 More Information |
|
|
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|