vb.org Archive


|Jordan| 05-26-2011 10:15 PM

Modification Security
 
With the recent SQL Injection issues present in a lot of plugins, it would be great if there were a way for VB.org to automate modification security audits (on attaching files to thread), this way it would save you the time of manually auditing and us getting our forums hacked.

Disasterpiece 05-26-2011 10:26 PM

There is a plugin out there, implementing cracker tracker, which is a php-allround-security solution.
https://vborg.vbsupport.ru/showthread.php?t=110030

I just checked the code, it should work with all current vbulletin versions as well, since it doesn't rely much on vbulletin structures. You might want to check that out if you're that concerned.

BirdOPrey5 05-27-2011 06:29 PM

Quote:

Originally Posted by |Jordan| (Post 2200379)
With the recent SQL Injection issues present in a lot of plugins...

I wasn't aware it was a lot? I thought it was one. :confused:

Disasterpiece 05-27-2011 07:22 PM

I think I'm gonna start a security plugin tomorrow. Can't believe there isn't something around here yet.

Lynne 05-27-2011 07:22 PM

Automated modification security? I can't even imagine writing the script to do that. Besides that, we like mods to be uploaded as zip files so all the files are together in one place.

And, as Joe stated, we've had one plugin lately that had a security problem. The last time we had something quarantined for a security reason was last June.

|Jordan| 06-21-2011 07:06 AM

Quote:

Originally Posted by Lynne (Post 2200671)
Automated modification security? I can't even imagine writing the script to do that. Besides that, we like mods to be uploaded as zip files so all the files are together in one place.

And, as Joe stated, we've had one plugin lately that had a security problem. The last time we had something quarantined for a security reason was last June.

Modification security could just unzip the attachment, analyze every line and check if their SQL statements are escaped properly.

According to the vb.com thread about the latest SQL injection issues, a ton of plugins are currently susceptible, but no one really knows until they get hacked. A few plugins that were confirmed to be insecure (some got fixed) were "Advanced Rules" and "Admin Log In As User".
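
The check proposed in the last post, as an added example that is not part of the thread or of any vBulletin.org tooling: it opens an uploaded archive in memory and flags request superglobals concatenated into a vBulletin `query_*` call without `escape_string()`, `intval()` or `floatval()` directly around them. The sample plugin, its file name, the `MAX_BYTES` cap and the regex heuristics are assumptions; values passed through intermediate variables are not followed, so an empty result means "nothing obvious", not "safe".

```python
import io
import re
import zipfile

MAX_BYTES = 2_000_000  # assumed per-file cap for untrusted archives
# vBulletin database calls that take a query string as their argument.
QUERY_CALL = re.compile(r"->\s*query(?:_read|_write|_first)?(?:_slave)?\s*\(")
RAW_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[")
# A raw input passes only when one of these wraps it directly.
SANITISER = re.compile(r"(?:escape_string|intval|floatval)\s*\(\s*$")

SAMPLE_PHP = r'''<?php
// constructed sample, not taken from any real modification
$rule = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "rule
    WHERE ruleid = " . $_REQUEST['id']);
$user = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "user
    WHERE username = '" . $db->escape_string($_POST['name']) . "'");
$db->query_write("DELETE FROM " . TABLE_PREFIX . "rule
    WHERE ruleid = " . intval($_GET['id']));
'''

def scan_source(name, src):
    """Flag request superglobals placed in a query without a wrapper."""
    findings = []
    for call in QUERY_CALL.finditer(src):
        end = src.find(";", call.end())  # heuristic: statement ends at next ';'
        stmt = src[call.end():end if end != -1 else len(src)]
        for hit in RAW_INPUT.finditer(stmt):
            if not SANITISER.search(stmt[:hit.start()]):
                line = src.count("\n", 0, call.end() + hit.start()) + 1
                findings.append((name, line, hit.group(0)))
    return findings

def scan_zip(data):
    """Scan .php/.xml members of an archive without writing it to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith((".php", ".xml")):
                with zf.open(info) as fh:
                    raw = fh.read(MAX_BYTES)  # oversized members are truncated
                findings += scan_source(info.filename, raw.decode("utf-8", "replace"))
    return findings

def build_sample_zip():
    """Constructed attachment holding SAMPLE_PHP, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("upload/rules.php", SAMPLE_PHP)
    return buf.getvalue()
```

Calling `scan_zip(build_sample_zip())` reports only the first query of the sample; each finding is a `(file, line, superglobal)` tuple meant to queue the upload for manual review.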


All times are GMT.