security seems not a main priority in vb hacks
 

this is stupid, 2 hacks (major hacks as well with over 200 installs) i've found to be covered with holes and the simplest of hacking kiddies can exploit. This is a major issue in my opinion, and i think something needs to be done about it, or VB is going to turn into a phpnuke! and i'm sure you guys don't want that.

Don't install anything that modifies vB code and you should be safe. It's extraordinarly difficult to generate a qualification system to verify a hack's security.

No code is 100% secure, not even a default VB installation.
But that is where feedback by users is required, for the developers to fix the holes and provide solutions and patches.

And good developers work hard not just to add new features, but make sure their applications ( in this case, hacks ) are as secure as possible.

Add-ons on this site are written by 3rd parties who are not endorsed or supported by Jelsoft in any way - as such Jelsoft offers no guarantees and take no responsibility of any add-ons or "hacks" that are hosted here. Jelsoft does not offer support for modified or "hacked" forums. You install hacks at your own risk. If you find security holes, take it up with the author of the add-on.

Well said, Erwin.

In simpler wording:

Hack the code at your own risk.

It is pretty simple. Jelsoft creates the product and charges you for it. It is rather secure all by itself. Numerous people, either associated or unassociated with Jelsoft, but not working on Jelsoft's behalf, create mods (or toys, if you'd prefer) to change the code.

Buy a new car, toss on a bunch of aftermarket 'high-performance' mods and watch your warranty go down the tubes. Buy a new software package, tweak the snot out of it, and watch security holes appear.

The commercial companies, which produce this type of code, test it and test it some more. The hackers produce a plug-in or a modification, make sure it works, then put it out here for us to use. Unlike the commercial companies, the mods are beta tested by you and me - if there is a problem, there is no money-back guarantee, since you didn't pay money to begin with.

Hacked or not - you've invested under $200, which is peanuts.

i believe instead of complaining about it you should inform the developer/coder of those security holes because this not the right way to go about it

yea i have done so. i think a tutorial written by one of the advanced coders about simple security holes like SQL injection should be included on here. Most of the scripts on here fail to utilise basic stripping techniques to combat such things as that. I'm not here to change the world, and i'm fully capable of creating my own advanced hacks/add ons, but think it's needed to keep VB respected. not like some of the other forum/cms systems out there!

If you could find and get permission to post such as guide, I as a dev of the RPG Hack would be most grateful.
Even though I don't know everything about SQL Injections, I know that they happen if a query is not secure enough, and since my RPG uses alot of queries, there's tons of room for such errors.
If you don't get permission to post, would you please link me to it?
TIA

//out

SQL injection and XSS is one of the biggest problems developers face. However, I'm recently finding that if you design your applications correctly, it's here-nigh impossible for anyone to do so. I can't wait to see how they've done it in the next version of vB :)

I'd like you to post the names of what hacks you know of that have holes please.


I respect Erwin, and I understand this post 100% ,
But some authors are long gone so taking it up with them can't be done. Holes should be fixed and we can't fix them if we all hide behind "install at your own risk"

not the best idea to release the names of those hacks because then hackers will know which sites they can target;)

If you dont endorse or support it why tell people to come here in the first place from vbulletin.com. That answer may work on the simple people on this site but not for me. Besides Im just getting my stuff ready.

What ever. what is wrong with the hacks.
you guys have who clicked install. tell them.

This site is helpful and a joke at the same time there should be a standard. Like to submit a hack it has to fall under x things.

Like I am not even a programmer and I know a simple solution. Have a hack installer. this is a standard all in one installer. (think of it like a gameshark) Now if you want to hack code you do. if you touch code (the installer has in its database) it will warn of a conflit. Then you must code to make it work for all hacks out there.

do that and boom no need for users to install them just click on the installer and it does it itself.

Then vb can watch the hacks and support them. Becuase the way your doing it now... you guys are setting yourself up for the fall and you guys dont even know it yet.

Installers are great but what happens when you have hack 1, hack 2, hack 3, etc. installed utilizing the same files or making additions to the DB? There are so many variables and changes, especially in a heavily modified board that having a script that says "modify if it's only unchanged" would make life really hard.

It would have to be something where every modification was considered into the script and couldn't be released otherwise and it would also need to be managed and updated constatnly. So, a large majority of hacks would most likely not make it through, especially the little tweaks and such.

As far as becoming like phpbb and open source, VB really isn't in the same boat. Sure there are probably security leaks but none of it's open to the public, even on this site you must be licensed to be able to view modifications.

Just my .02 :)

It's a disclaimer. We cannot possibly legally support or be held responsible for any modifications people make to their software. This site is for people who realise that modifications void their support, it says so in your license agreement. However, we have over 750 vB3 hacks here so far. Although I personally have not gone through and verified the security of every single one, I'd put money on it that there are very little security holes in any of them.

This is hear-nigh impossible, and as a programmer you can't see how difficult something like this. Maybe with the move to OOP in the next vB3 version something like this will become more possible.

Im sorry but some of us here struggle to get atleast 100 in their pocket. Especially when you're 13 with no job. Just as well, my site has over 400 invested in it.

Their is a very very simple solution to which I think you over looked. Everything in the world is hackable, just look at microsoft for example! :) I personally don't think any program is 100% secure. When one whole is blocked, another one is open. The world is advacing and things we thought were secure in the past, new hackers with newer technologys are finding more and more holes (Thats just how life works) With that said, just don't install any kind of hack and just leave your board completely plain. *not sure why anyone would want that though, it takes all the nice features out* It would be impossible for the vbulletin.org staff to go over each and every single hack.

Its just like a car, you add a poweradder such as a supercharger, it automatically voids your warrenty!

Okay, I'm no expert, but from my own observations, a simple tip is to make sure every variable goes through the internal vB check function and does not get passed as a _GET or _POST variable without this check:

For example:

a. globalize($_REQUEST, array(
'action' => STR,
'username' => STR,
'olduser' => STR,
'newuser' => STR,
'amount' => STR,
));

OR

b. globalize($_POST, array(
'action' => STR,
'username' => STR,
'olduser' => STR,
'newuser' => STR,
'amount' => STR,
));

Instead of

$action = $_GET[action];

OR

$action = $_POST[action];

Which is not secure.

A lot of hack authors just use $_GET[variable] or $_POST[variable] in their code, which is much easier to code (I admit I do this too) but this is not secure especially the $_GET/ $_REQUEST variables which are susceptible to SQL injections via the URL directly as anyone can send variables via the command line.

The developers can correct me if I am wrong. :) I repeat, I'm no expert.



vBulletin.org is an official site which hosts a reservoir of unofficial 3rd-party add-ons as a courtesy to licensed users. I am NOT an employee of Jelsoft, but I can say that Jelsoft is doing this as a favor for the vB admins by hosting this site - they don't have to.

I'll go ahead and speak for myself alone on this, but I'd imagine a lot of the folks here fall into this category as well. Not everyone here is that experienced. Every so often I go back and check my old hacks for glitches or holes - and I've considered deleting some of them since they are pretty old. For me at least, tinkering with vbulletin's code has been a learning process - and as I said over on the vbulletin.com site the code has made for an excellent teacher of php. I'm very thankful to the Jelsoft teach for reigniting my interest in programming which was killed a long while ago by some incompetant teachers and teaching techniques in college.

I follow the coding conventions as best I can and some of my code is no doubt atrocious to expert eyes, but I'm trying to both learn and also share what I've learned.

The only way you can even begin to get hacks that are totally consistent and secure is to go through a certification process which would no doubt shut out amateurs like me.

So, let the hacker beware. I - for myself - try to help as best I can with the stuff I've written, but if you install a hack by a member who has left or doesn't visit often you may be left on your own.

... and so we'd hope that someone else who is still here to say "hey I found a hole in.... and here's the problem, here's a fix"

Perhaps, it could be worth considering a subform here to discuss security issues ?

Not of the hacks here ( that could be potentially dangerous ), but in general.
And how coders here can take steps to rectify them in their coding of hacks to ensure hacks are as secure as possible.

If not mentioned, I would never have known what an SQl injection is :(
And now i know, and it worries me ...

the globalize feature will not protect from sql injections i believe but will correctly evaluate a field such as text, numbers, or strs. i do not think it checks for sql injection. there 2 functions that can prevent sql injection:) these 2 are addslashes() for text or strs which adds slashes to single qutoes or regular quotes thus blocking most forms of sql injection. second is intval() which makes sure a field that is susposed to be a number is a number. if it is not it will return false and return 0 thus nullifying any possible text put in a number field;)

scary stuff..

A few suggestions from a non-coder,

I think Jelsoft and all Vbulletin users would benifit from a Guide to Hacking which explains some of the common exploits/holes out there and supplies workarounds to keep things protected. (just like Erwin posted above, but more indepth)

Or possibly a "hacking contest" where Jelsoft gives a reward to coders who find holes and provide solutions to not only vb's code but the major hacks on this site.

I believe that if you use globalize() and set a field to be => INT, it does the same as intval()
I could be very mistaken, I haven't looked closely at the globalize(), but it sounds like sense to me ;)


//peace

this is not always true, mate. Some hackers was just coding so carelessly, not to mention about SQL injections, the getting permission was also coded carelessly, you set the permissions but in the end everyone can manipulate it easily.

You shouldn't release hacks if yourself knew it insecure and wasn't made properly, at least you should release it as BETA state.

I hadn't known anything about this when I didn't know PHP, but now I do I realize plenty of horrible things in hacks.

We all do respect hackers' work for free products, but shouldn't they consider about security problems ?

I was about to post a thread like this when I was so furious knowing a very insecure hack, after a night it's gone away because I could understand their feelings a bit.

and please don't say that even VB3 is insecure, don't take it to your heart and saying that "Then why do my hacks have to be secure whatever?"

The comments are just for the good hacks of Vbulletin.org and a great community I believe. Don't tell me that Hack the code at your own risk means all hacks could be insecure in how much the authors want.

Tell the authors to fix it ? not every master coders want to listen to newbies' words and some of them have just gone away from here. To expect the fixes could cost you months, that's nonsense.

that's right. I think globalize() should be used when requesting alot of $_POST,$_REQUEST or $_GET...

this is exactly the globalize() does, even more. you can check it in functions.php.

A favor ?? I'm sure plenty of people would happily host this site if Jelsoft don't want to.

i'm glad others have similar feelings about this,
i think cinq's suggestion about a hacking subforum would be great, and i think only members should see it. I know its hard to police hacks because they're done by 3rd parties for free, but education would be great! a lot of major cms' like phpnuke are dying now because of the flaws associated with it. i don't want vb to turn out like that.

i've pm'd a few coders with holes i've found in the software, and come on guys, i've been coding php for about 8 weeks now, and if i know this much, you guys should surely know a lot more then me!

i'm happy to help find holes, and i do it all the time on my forum, from now on i'll submit any holes to the respective author and one of the other admins, just to make sure action is taken, whether it be, fixing the hole, or alerting the guy's who installed the hack via email!

regards
mark

Not every coder is as proficient as yourself.
Everyone has his or her standard.

Admittedly, I am rather new to coding, but I do release hacks which I personally have gone through and deemed 'secure' to the best of my knowledge.

That is what I am trying to get across. Not everyone knows every possible security hole there is to know.

But if you feel otherwise, I guess myself, along with many other coders here should take the time to withdraw their hacks from this place because they are potentially hazardous if installed, and provide uninstallation instructions as well as an apology to all who have installed....

Nothing in code is impossable. If I seen it done (other software) it can be done (here).

its always nice to be safe;)

Umm cheat code cartridges on a console are completely different from implementing a new feature for example.

Its not the bible. Think out of the box on my example.

Your are right, globalize is a nice little function. Heres a little overview of everything it dose.

Use INT and globalize will run this on the $var

If you use STR

If you use STR_NOHTML

You can also use FILE, which takes $_FILES['$var'] and makes it $array['$var']

If you just know what you're doing, you are usually safe. Half of it is common sense and the mantra that no user is trusted. Anytime you see a variable within a query, check it...any time you access a superglobal, check it...etc.

you know i only found out what the globalize done by accident :o it's a nice little feature though :)

no thanks, the type of installer you're referring too is all too intrusive, the fact of the matter is, if you don't know how to hack manually you shouldn't be hacking your board at all, the mods here are by third party's not paid by jelsoft, it's one thing to set standards, it's another to say you must work in our way.

Good luck writing such an installer...the one I wrote for vBMS which modifies/creates/etc. templates and replacements, commits db changes, creates scheduled tasks, and more, took forever to write. vB's internal workings, especially for styles, are far more complicated than vB2.

The problem with an installer is you then have to make the files writable on your server, which then opens up even more problems

The vast majority of vB modifications can be done without editing a single stock file. It requires creativity.