
Clayton 07-24-2007 05:00 AM

Sending of Hacks to the Graveyard
 
Hi there, has there been a sudden surge of attacks that a number of hacks have been sent to the graveyard, please?

this is the notice in the email

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This modification currently contains a vulnerability. It is recommended you uninstall it until further notice.
- vBulletin.org Staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

this reason has been given for a number of hacks
is there a place where we can get further feedback on this, because certain hacks are an integral part of the various sites that have these hacks, please?

Thank you in advance

AScherff 07-24-2007 05:12 AM

Yes please - the same...

can not find a reason nor solution than uninstall...

da420 07-24-2007 05:14 AM

Quote:

Originally Posted by AScherff (Post 1299815)
Yes please - the same...

can not find a reason nor solution than uninstall...

My suggestion if it's something you need on your forum either wait for the author to update it fixing the vulnerability, fix it yourself, or hire someone to fix it.

Clayton 07-24-2007 05:31 AM

If we could have a little further feedback regarding the problems, such as the attacks that these hacks have been receiving, then we know a little more.

currently it seems as though this has been a blanket reason/approach given for a number of hacks, is this true?

is it a coincidence that this has taken place, after

1 .. Jelsoft takeover and 2. new sheriffs in town ?

As a user of a number of hacks on a number of forums developed, it would be appreciated that an impression is not being created that the vulnerabilities have occurred due to the 2 points mentioned and questioned above

whereas we may not want to publicly display the vulnerabilities etc, it would also go a long way in reassuring users that what has taken place is not because of over zealous new Mods etc?

or so as not to start a conspiracy theory .. that this is not a policy to prepare users for the new Add-ons that vbulletin.com will be releasing in the future, so kill off any opposition in good old Microsoft style. This is not the case, right?

in mentioning this you can see our concern as users

Marco van Herwaarden 07-24-2007 07:26 AM

No, we will not be giving out the details of the exploit to anyone other than the author of the modification. This is to protect those that still have such a modification installed.

Your insinuations really don't make sense. Because Jelsoft was acquired and we have a few new staff members, there suddenly are vulnerable modifications?? Either a modification is vulnerable or not, no company take-over or new staff can change that.

There have been a large number of (valid) reports by members on vulnerable modifications lately, once reported staff will investigate and if correct take actions. That is all there is to it.

MaryTheG(r)eek 07-24-2007 07:29 AM

Just some questions to Moderators:
  1. I bought my first vB licence at Oct 2003. Since then, there are lots of patches for vulnerabilities in vBulletin itself. Why I never got a similar type of email saying "....uninstall vBulletin till future notice"? And why I never informed as client at the time that the vulnerability found, but only when you had ready the patch?
  2. Do you count as fair to inform members (now I'm talking for mods) who have installed it by email (faster) and the author by ...PM?? What should happen if the author has to visit your site for days?
That's for the history. Could you please remove my other mods too?

Thank you
Maria Avlatzi
Loutron 41
57200 Lagadas
Tel +30-23940-20117
Greece
Just to avoid sayings that I'm talking in anonymous mode.

Clayton 07-24-2007 07:37 AM

Hi Marco

this is certainly not a case of insinuations, it has a great deal to do with someone using a product which is related to work and clients. This is not a game for some of us but a livelihood

when all of a sudden certain things start occurring we as users of hacks need to be reassured that what is taking place does not coincide with the 2 points mentioned, maybe I should have placed question marks (will edit post) as then it is a question and will not be seen as an insinuation which obviously has negative connotations attached to it

Thank you

MaryTheG(r)eek 07-24-2007 07:41 AM

Quote:

Originally Posted by Clayton (Post 1299879)
Hi Marco

this is certainly not a case of insinuations, it has a great deal to do with someone using a product which is related to work and clients. This is not a game for some of us but a livelihood

when all of a sudden certain things start occurring we as users of hacks need to be reassured that what is taking place does not coincide with the 2 points mentioned, maybe I should have placed question marks (will edit post) as then it is a question and will not be seen as an insinuation which obviously has negative connotations attached to it

Thank you

I think that I've put question marks. Also at the top I'm talking about "questions". Or I misunderstood your post??

Clayton 07-24-2007 07:47 AM

Yes, these are concerned questions put to the community and vBulletin.org

I have seen the forums go through many swings and changes over the years

Marco van Herwaarden 07-24-2007 07:57 AM

@MicroHellas

1. vB.org staff does not have control over the procedures used when a vulnerability is found in vBulletin itself. If you want to discuss the Jelsoft procedures, then please post it as a suggestion at vbulletin.com.

2. With our current procedures we will inform both the users that have installed a modification and the author at the same time if the vulnerability found is serious. The reason members are notified by email and the author by PM is merely using the tools we have available. The author is also informed on the details of the vulnerability found. We have no way of knowing if an author will read his email faster than a PM, and he/she could have email notifications of a PM. Also the author could have disabled Email as contact method, so the best way to contact them (that will always work) is by PM.

We are however at this time preparing new procedures making it easier to communicate with the author when a vulnerability is found.

Also please note that even though we are a community that is built upon the input of many coders, if a vulnerability is found our primary goal is to protect the members.

Clayton 07-24-2007 08:02 AM

Quote:

Originally Posted by Marco van Herwaarden (Post 1299891)
if a vulnerability is found our primary goal is to protect the members.

and for this we are absolutely appreciative

what led to my concern was the timing and the amount of hacks which have been found to be vulnerable only now

I am sure you can see concerns by users of these forums?

Zachery 07-24-2007 08:05 AM

I can't?

Maybe there is a surge of bored coders?
Maybe coding practices by coders are getting worse?
Maybe there are more people using the modifications who are finding said issues?

Marco van Herwaarden 07-24-2007 08:09 AM

Quote:

Originally Posted by Clayton (Post 1299895)
what led to my concern was the timing and the amount of hacks which have been found to be vulnerable only now

I am sure you can see concerns by users of these forums?

I already replied to that. There has been a sudden increase of modifications being reported by members lately, and we do nothing more than follow up on these reports.

Clayton 07-24-2007 08:11 AM

OK .. here is an example of 1

VBGooglemap Member Edition

Released: 06. Aug 2006 Last Update: 16. Sep 2006 Installs: 522

Not Supported DB Changes Uses Plugins Template changes Additional files

--------------------------------------------------

yesterday's date 23rd July we receive an email to uninstall

This Modification is no longer available or supported.
This thread is in the Modification Graveyard and is available for information purposes only.


the above is now placed on the thread ..

10 months after 522 installs we now have a vulnerability

there are further examples

I have tried to contact the author of the hack and await a reply

as mentioned it is the timing of things

surely we would not like vB.com now to offer these add ons in the very near future?

:D ;)

hambil 07-24-2007 08:12 AM

Quote:

Originally Posted by Zachery (Post 1299899)
I can't?

Maybe there is a surge of bored coders?
Maybe coding practices by coders are getting worse?
Maybe there are more people using the modifications who are finding said issues?

The first hack I ever wrote, sat here for three years with a security vulnerability in it. It had 50 - 60 installs. It was only reported very recently. I don't think coding practices have changed, or anyone is getting lazy. I think more vulnerabilities are being found is all. Who is finding them is unclear, but it's a good thing, so who cares?

BTW: To staff - thank you for listening and changing the procedure to not announce the nature of the vulnerability other than to the author.

Clayton 07-24-2007 08:22 AM

Quote:

Originally Posted by hambil (Post 1299908)
BTW: To staff - thank you for listening and changing the procedure to not announce the nature of the vulnerability other than to the author.

this is excellent, however are the authors of the hacks being notified via email as well, please?

my major concern is about the solution to the vulnerability

that is my bottom line

Zachery 07-24-2007 08:24 AM

I was just coming up with 2 random, and one logical suggestion.

Way back in the day lots of highly skilled coders lived and shared their work here, sadly lots of them found something that took them away. Now we've been in a cycle of rebuilding year after year.

If anyone makes a living through vBulletin.org or through people's hacks, it's my belief that they should be able to take a look at a modification's code and make sure it is safe. Though this rarely happens anymore :( a lot more things might get fixed this way.

hambil 07-24-2007 08:24 AM

Quote:

Originally Posted by Clayton (Post 1299917)
this is excellent, however are the authors of the hacks being notified via email as well, please?

my major concern is about the solution to the vulnerability

that is my bottom line

I guess it depends on their PM settings. I get an email every time I get a PM, so in my case, yes. Er, if I had any releases :)

Clayton 07-24-2007 08:31 AM

@ hambil pml


zach .. there are only so many hours in the day ;)

one day we will get there ;)

MaryTheG(r)eek 07-24-2007 08:33 AM

Quote:

Originally Posted by Marco van Herwaarden (Post 1299891)
@MicroHellas
2. With our current procedures we will inform both the users that have installed a modification and the author at the same time if the vulnerability found is serious. The reason members are notified by email and the author by PM is merely using the tools we have available. The author is also informed on the details of the vulnerability found. We have no way of knowing if an author will read his email faster than a PM, and he/she could have email notifications of a PM. Also the author could have disabled Email as contact method, so the best way to contact them (that will always work) is by PM.

I just re-read your Mod Vulnerability Guidelines located at:
https://vborg.vbsupport.ru/info.php?do=security
and the order that it says wasn't followed. You can check the timestamps of the emails and PMs. Firstly the users were informed and then the author.

In any case, I don't have the power to argue anymore. By signing here I accepted the rules, so no reason to talk. The only thing that I want to say is that the same Mod Vulnerability Guidelines say that you've the right to provide a fix (&4) and then to put it back to public (&5). You can do &4 for all users who've installed it already, but please I don't want to have it back to public.

Thank you.

Clayton 07-24-2007 08:41 AM

@ MicroHellas

this would be sad, as your hacks have truly been refreshing

is there no way that this matter can be sorted out in a manner that benefits all, please?

Marco van Herwaarden 07-24-2007 08:43 AM

We did follow those Guidelines. The fact that #2 and #3 are done simultaneously does not change anything. And yes it might be that the Update email to the members is sent a few minutes before the PM to the author. I can not see that as not following the guidelines, but merely a practical implementation of it.

Staff may provide a solution themselves, but that is not the standard procedure.

If you don't want your modifications to be released here anymore, then you can either simply not provide a solution for the users of your modification or report your thread with the request to remove it.

PS If you really want to go that way, then please remember that it is not our staff who will suffer from this.

MaryTheG(r)eek 07-24-2007 08:53 AM

Quote:

Originally Posted by Marco van Herwaarden (Post 1299935)
then please remember that it is not our staff who will suffer from this.

I'm totally sure for it. Only people with sensitive feelings can suffer for situation like this. Because they can count a lot of parameters and not only Guidelines. In any case the real problem is that I just realized that is already 1pm here, I'm blocked with this situation (at all) since 7am, and finally I'll have problems with my real job.

And yes, I want all my mods to be removed. I prefer "Member" than "Coder". Maybe in the future I'll start publishing mods like how to move this title under the form, or how to place it on the right and I'll become coder again.

Greetings
Maria

AScherff 07-24-2007 09:20 AM

hi,

at first, be nice ;)

ok, there is a vulnerability in the mod.
ok, there is no reason to give out the details of the exploit
ok, there will be a fix, or not

But please don't let the Users tapping in the dark. A little more information would be nice.

And there is no reason to get rude ;)

Clayton 07-24-2007 09:43 AM

Quote:

Originally Posted by AScherff (Post 1299958)
hi,

at first, be nice ;)

ok, there is a vulnerability in the mod.
ok, there is no reason to give out the details of the exploit
ok, there will be a fix, or not

But please don't let the Users tapping in the dark. A little more information would be nice.

And there is no reason to get rude ;)

@microhellas

are there any vulnerabilities in your Mods, please?

is this a situation for users to be concerned, please?

nexialys 07-24-2007 09:49 AM

there may be a vulnerability in one script from Mary, but she decided to have them all dropped from the distributions... her own decision... she now supports on her own site...

MaryTheG(r)eek 07-24-2007 10:23 AM

As I don't know where to place my post, I'm placing it here asking the understanding of Moderator. So, at least for my mods, the security issues were that in 1-2 instances I run SQL queries by not placing the quotes. Also I found 1 instance that I've forgotten to add addslashes in a $_POST.

As I don't plan to continue distributing the free version I'll attach the corrected file in a new post here tomorrow morning. If it's not permitted, then sorry, you must visit my site to get this patch.

Thank you
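
The post above names two defects: a value placed in an SQL query without quotes, and a request value used without addslashes. The following is an added example, not part of the thread and not code from any modification discussed in it, showing why escaping alone does not cover the unquoted case; the table, function names and rows are hypothetical, and SQLite via PDO stands in for the forum database.

```php
<?php
// Added illustration; not code from any modification in this thread.
// mod_notes, the function names and the rows are hypothetical/constructed.
// Needs the pdo_sqlite extension; SQLite stands in for the forum database.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE mod_notes (noteid INTEGER PRIMARY KEY, userid INTEGER, note TEXT)');
    $db->exec("INSERT INTO mod_notes (userid, note) VALUES (1, 'note of user 1'), (2, 'note of user 2')");
    return $db;
}

// Flawed pattern: the request value is escaped, but it lands in the query
// without surrounding quotes, so escaping quote characters protects nothing.
function notes_unquoted(PDO $db, string $userid): array
{
    $sql = 'SELECT note FROM mod_notes WHERE userid = ' . addslashes($userid);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: reject anything that is not a plain unsigned integer,
// then pass the value as a bound parameter so it is never parsed as SQL.
function notes_bound(PDO $db, string $userid): array
{
    if (!ctype_digit($userid)) {
        return [];
    }
    $stmt = $db->prepare('SELECT note FROM mod_notes WHERE userid = :userid');
    $stmt->bindValue(':userid', (int) $userid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = make_db();
// Constructed stand-ins for a $_POST['userid'] value.
$inputs = ['1', '1 OR 1=1'];

foreach ($inputs as $input) {
    printf(
        "input %-10s unquoted: %d row(s)  bound: %d row(s)\n",
        var_export($input, true),
        count(notes_unquoted($db, $input)),
        count(notes_bound($db, $input))
    );
}
```

The second input contains no quote or backslash, so addslashes() returns it unchanged and the unquoted query matches every row, while the validated and bound version returns none.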

odonel 07-24-2007 10:49 AM

The answer is clear people, vb will eventually charge us for these hacks. I bet you it is because they want a share of the pie. Unfair practice by the bigman as always. The posted hacks are optional to users. Why else would they remove them? As good as VB is, it is nothing without these free hacks. I guess I better start looking for another alternative...VB should create their own hacks to replace the ones that they feel that are harmful...these hacks make your product better.....

free the hacks VB....

Dismounted 07-24-2007 10:59 AM

Quote:

Originally Posted by odonel (Post 1300021)
The answer is clear people, vb will eventually charge us for these hacks. I bet you it is because they want a share of the pie. Unfair practice by the bigman as always. The posted hacks are optional to users. Why else would they remove them? As good as VB is, it is nothing without these free hacks. I guess I better start looking for another alternative...VB should create their own hacks to replace the ones that they feel that are harmful...these hacks make your product better.....

free the hacks VB....

1./ vBulletin will NEVER charge anything for access to these hacks (except for the initial license fee), vBulletin CAN never charge anything. All hacks are property of their owners and they are protected under law.

2./ We only remove hacks when it contains vulnerabilities. We don't remove them for the hell of it. I'd rather have no hacks than a board defaced by hackers. And yes, we verify all vulnerabilities before removing hacks; furthermore, all accounts of reported vulnerabilities are kept.

Dismounted

nexialys 07-24-2007 10:59 AM

@odonel, you really are out of the track here...

alert of security risks is different from controlling the content of the releases... you are trying to start a new polemic, and this is not good from a newbie..

deezelpope 07-24-2007 11:02 AM

Quote:

Originally Posted by odonel (Post 1300021)
The answer is clear people, vb will eventually charge us for these hacks. I bet you it is because they want a share of the pie. Unfair practice by the bigman as always. The posted hacks are optional to users. Why else would they remove them? As good as VB is, it is nothing without these free hacks. I guess I better start looking for another alternative...VB should create their own hacks to replace the ones that they feel that are harmful...these hacks make your product better.....

free the hacks VB....

Rubbish...utter rubbish! :rolleyes:

Clayton 07-24-2007 11:15 AM

finding a solution to the problems is number one, which should always be the aim

however

as mentioned by microhellas, you don't find vBulletin sending out an email to all their users, when they find a vulnerability, to uninstall their software. They work to first find a solution.

to see how an email was sent out to all the users of Microhellas' hacks before finding a solution with the author was (imo) irresponsible and it has led to a valid contributor now making her hacks unavailable to the users of vb.org

I can see her point, the email sent out creates alarm (which from a business point of view for her is plain destructive) and causes the users of her products to get the impression that there is something inferior or wrong with her products

in this instance a solution was easily found by the author and this whole scenario could have been avoided

hopefully those involved can learn from this

Thank you everyone for working to provide a service of value to all users

King Kovifor 07-24-2007 11:26 AM

It is recommended that you remove a hack because it isn't the product. If you still want to continue using the hack at the risk of an exploit, it's your own choice.

Paul M 07-24-2007 11:33 AM

Quote:

Originally Posted by Clayton (Post 1299906)
10 months after 522 installs we now have a vulnerability

There is no "we now have " about it - the vulnerability has always been there, it's only now been reported to us. There is a big difference there.

Clayton 07-24-2007 11:40 AM

Quote:

Originally Posted by King Kovifor (Post 1300067)
It is recommended that you remove a hack because it isn't the product. If you still want to continue using the hack at the risk of an exploit, it's your own choice.

I won't get involved in petty arguments, each person has something valid to represent

At the end of the day vBulletin is also still a product and the information gathered by the forums on my servers is our property. To protect this property from exploits is no different

when exploits are found with vBulletin they do not send out an email to all their users telling them to uninstall.

all I am saying is that this could have been dealt with differently

Quote:

Originally Posted by Paul M (Post 1300074)
There is no "we now have " about it - the vulnerability has always been there, it's only now been reported to us. There is a big difference there.

Hi Paul, this I understand

the timing was what I questioned

I voice my concerns regarding microhellas, it is not an attack on any party in any way but more a hope of avoiding similar scenarios in the future

I am thankful for the work done by vB.org however there are often many ways to skin a cat

:)

nexialys 07-24-2007 12:25 PM

i like this thread... a similar one was started by my friend Hambil 2 weeks ago, and 3 weeks ago too, with the same reasons, same debate, and same result... (none)...

so it would be just time you stop complaining and start repairing your bugs when you have some...it usually takes less than 1 hour to do so, and then your releases go back to public...

and if you are not happy with the policies, instead of complaining, because it's useless, these are made to be unchanged because they work, you can simply release your work elsewhere better... (if you find a better place, just tell me, i'd be happy to start complaining there also!)

MaryTheG(r)eek 07-24-2007 01:37 PM

Quote:

Originally Posted by Dismounted (Post 1300027)
I'd rather have no hacks than a board defaced by hackers.
Dismounted

I apologize if I misunderstood it, but are you calling us hackers????

deezelpope 07-24-2007 01:45 PM

Noooo, he's not saying that at all. I believe he's saying that he would rather have a board with zero modifications, rather than have a board that was defaced by hackers due to exploited modifications or modifications with security issues.

Marco van Herwaarden 07-24-2007 01:48 PM

Quote:

Originally Posted by MicroHellas (Post 1300171)
I apologize if I misunderstood it, but are you calling us hackers????

Huh?

Are you defacing other people's websites?

If the answer is "Yes" then, yes he is calling you a hacker.

MaryTheG(r)eek 07-24-2007 01:50 PM

Quote:

Originally Posted by Marco van Herwaarden (Post 1300187)
Huh?

Are you defacing other people's websites?

If the answer is "Yes" then, yes he is calling you a hacker.

Funny!! That's why I wrote "I apologize etc etc". I don't know the meaning of "deface". I got the meaning of "full of" as the other member wrote above.

