vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin.org Site Feedback (https://vborg.vbsupport.ru/forumdisplay.php?f=7)
-   -   Official Policy: When Security Vulnerabilities in Hacks are Found (https://vborg.vbsupport.ru/showthread.php?t=92236)

sabret00the 06-16-2005 11:16 PM

Official Policy: When Security Vulnerabilities in Hacks are Found
 
good idea, hope it proves successful :)

eXtremeTim 06-16-2005 11:16 PM

Sounds good.

memobug 06-17-2005 01:22 AM

Great idea!

Maybe you could also create a special topic category on the Contact Us page for "Security Issue"; currently there are just the Site Feedback and Registration topics.

Regards,

Matt

James T Brock 06-17-2005 01:28 AM

Great idea! Thanks guys.

Paul M 06-17-2005 01:40 AM

Looks good overall - just one point:

7 days is a bit short - authors can be away for that long simply due to being on holiday. If you move to step 5 after this small a time you may be wasting effort.

:)

nexialys 06-17-2005 01:43 AM

/me LIKE Policies...

Marco van Herwaarden 06-17-2005 03:50 AM

7 days might seem short from a coder's point of view, but it can be long from the end-user's point of view, depending on how serious the risk is.

Paul M 06-17-2005 04:27 AM

Oh well, it just seems that you are committing yourselves to removing a hack, and someone spending time on fixing someone else's bug(s), when the author would be quite willing, but was simply away for a few days. Two weeks just seems a more reasonable time. :)

Colin F 06-17-2005 04:34 AM

Quote:

Originally Posted by Paul M
Oh well, it just seems that you are committing yourselves to removing a hack, and someone spending time on fixing someone else's bug(s), when the author would be quite willing, but was simply away for a few days. Two weeks just seems a more reasonable time. :)

The author is of course also allowed to contact us with an updated version of the hack whenever he has time, even if it's after these 7 days.

As a precaution, and to stop more people installing this (bugged) hack, we feel it is our duty to temporarily remove it.

Logikos 06-17-2005 04:41 AM

I'm with it!

Erwin 06-17-2005 04:53 AM

Quote:

Originally Posted by Paul M
Oh well, it just seems that you are committing yourselves to removing a hack, and someone spending time on fixing someone else's bug(s), when the author would be quite willing, but was simply away for a few days. Two weeks just seems a more reasonable time. :)

In 7 days, if there is no response, we will remove the files of the hack - in 7 days a LOT of people may have installed a hack with a security hole. :) The author can fix it after that and we can always put the files back.

Reeve of shinra 06-17-2005 05:28 AM

I think this is a double-edged sword. I kind of agree with everything here, but at the same time I think the nature of the vulnerability should be made known to the people that have installed it at least. Perhaps some of them can patch it.

The better question is what if it's not a serious vulnerability, or if it's an issue that would only affect a specific yet minor group? Like say people running the hack on IIS would be vulnerable but on Apache it wouldn't, or something.

? Like say for instance it only affects a

Revan 06-17-2005 07:23 AM

Quote:

Originally Posted by Reeve of shinra
I think this is a double-edged sword. I kind of agree with everything here, but at the same time I think the nature of the vulnerability should be made known to the people that have installed it at least.

It is possible to say "This hack has been removed due to a SQL Injection Vulnerability" instead of saying "This hack has been removed due to a SQL Injection Vulnerability in clancp.php?do=join, where a malformed input (such as [example]) would allow a user to show/modify anything from the database" ;)

I applaud this, and just hope I have managed to fix all holes so this never happens to me XD

Marco van Herwaarden 06-17-2005 07:25 AM

The kind of information on the risk that we give will be based on the kind of vulnerability.

Erwin 06-18-2005 07:28 AM

Quote:

Originally Posted by Reeve of shinra
I think this is a double-edged sword. I kind of agree with everything here, but at the same time I think the nature of the vulnerability should be made known to the people that have installed it at least. Perhaps some of them can patch it.

The better question is what if it's not a serious vulnerability, or if it's an issue that would only affect a specific yet minor group? Like say people running the hack on IIS would be vulnerable but on Apache it wouldn't, or something.

? Like say for instance it only affects a

We will decide what to tell the users who installed it. You can appreciate the fact that some people may click install but have not installed it just to keep updates of when a vulnerability is found, and then if they know what it is, to take advantage of it.

Members whom we trust who contact us may be given full information though. It's a case by case thing - we can't make rules for every case, but we can make general protocols.

Azhrialilu 06-18-2005 08:08 AM

Speaking as someone who did have a hack installed on a forum which did have a vulnerability which gave people access to the admincp (obviously keeping this vague because I don't want to upset the person who wrote the hack) I applaud this idea! :)

Reeve of shinra 06-19-2005 08:02 PM

Quote:

We then proceed to inform all members who have installed the hack.
If it comes to this step, can this be announced by the staff using the update announcer?

I didn't even notice the journal issue until I was reading through the thread just now.

Erwin 06-19-2005 10:48 PM

Quote:

Originally Posted by Reeve of shinra
If it comes to this step, can this be announced by the staff using the update announcer?

I didn't even notice the journal issue until I was reading through the thread just now.

Yes, that is how we will do it. Which makes the "Installed" button even more important.

ManagerJosh 06-20-2005 04:29 AM

What about exceptions, Erwin, like another party other than the original author(s) steps in and provides a decent patch or fix to the problem?

Erwin 06-20-2005 05:30 AM

Quote:

Originally Posted by ManagerJosh
What about exceptions, Erwin, like another party other than the original author(s) steps in and provides a decent patch or fix to the problem?

That is allowed and even encouraged. :)

Dan 06-20-2005 11:07 AM

Sounds like a good solution if a problem like this is ever found.

noppid 06-20-2005 02:14 PM

Good to see this new policy in place. Great news.

Paul M 06-20-2005 11:19 PM

I must have missed the bit that says you will close the thread - what exactly does this achieve besides denying anyone further support ?

Andreas 06-20-2005 11:23 PM

Quote:

Originally Posted by Erwin
If there is no response from the author or the author provides an insufficient fix within 7 days, we will remove the FILES out of the hack support thread, post a public warning in the thread regarding the problem (without any details to prevent others from taking advantage), and close the thread.

Closing the thread helps to prevent people posting exploits, for example.

Paul M 06-20-2005 11:30 PM

Quote:

Originally Posted by KirbyDE
Closing the thread helps to prevent people posting exploits, for example.

Um, right ...... I think that's a little far fetched tbh. I can imagine people are now going to create new threads when they want support for said hack (and could also post exploits in a new thread if it comes to that). It's your policy I suppose, but I can't see the benefit in closing the support thread. The main thing is to remove the files, which has happened. Just my opinion. :)

noppid 06-21-2005 01:23 AM

Any policy will need refining, but putting the code on hold and trying to avoid the exploit being spelled out till fixes are applied is a good idea.

Erwin 06-21-2005 02:48 AM

Quote:

Originally Posted by Paul M
Um, right ...... I think that's a little far fetched tbh. I can imagine people are now going to create new threads when they want support for said hack (and could also post exploits in a new thread if it comes to that). It's your policy I suppose, but I can't see the benefit in closing the support thread. The main thing is to remove the files, which has happened. Just my opinion. :)

Leaving the thread open will lead to members speculating as to what the exploit is - a bright spark will probably inadvertently post it and before it gets removed people would read about it. Like we said - if we get a fix, we will send it to the people who have already installed it (rather than posting it in the open for example). The aim is to do damage control, not to make things worse.

MrZeropage 06-21-2005 08:38 AM

very good !

GraphicW 06-27-2005 12:01 PM

I like the policy and the fact that exploits are not fully discussed in public. I am just glad I have always clicked "INSTALL" and I think this policy will further encourage all members to always click "INSTALL" with every hack they use.

Princeton 06-27-2005 12:28 PM

I think this is a great idea!

I would also encourage the vb.org staff to write a short tutorial on
what to look for, preventing, what is ??, etc, etc

something short and to the point ... at the very least, it will make your job easier

DementedMindz 04-20-2006 12:05 AM

Sorry to bring back such an old thread, but I take it they don't do this anymore??? Because from what I see, [AJAX] vBShout v2.0 has numerous security vulnerabilities, and it seems the author doesn't even reply, nor does he update it...

Zachery 04-20-2006 01:01 AM

Report the hack, and we will look into it.

Paul M 04-20-2006 01:19 AM

ZT has not been online since Jan 2006, so he's not likely to answer any queries.

DementedMindz 04-20-2006 01:21 AM

Yeah, that's what I mean, and any new person will say "great hack", but they fail to realize that there are numerous flaws in it...

Zachery 04-20-2006 04:10 AM

It would have been nice for you to report said flaws so I didn't have to spend 30 min looking through the thread :p but I've outlined the issues I saw, and we will take a look at it.
