Thread: Quarantined?
  #25  
Old 08-30-2011, 04:53 AM
toastyman
 
Join Date: Sep 2002
Posts: 3

I totally get "don't give out what the actual exploit is", but the email didn't give us enough information to actually know what to do.

It didn't say that it was removed for security reasons at all. I couldn't tell if this was a "remove this now, it's urgent!" problem, a "the latest version that was uploaded by the author is breaking installs, we don't want people messing up their forum by continuing to download it" problem, or a copyright claim or whatever.

If it was removed for security reasons, is just disabling it enough? Do the files actually have to be removed because it's still exploitable even if the product is disabled? The email says "If the modification consists of a product then disabling the product should be all that is required.", but past security problems with mods have shown that not to always be true. The email follows up with "If the modification also included new files then you may remove (or rename) them." which seems to contradict that disabling is good enough.

The URL listed in the email sent out just linked to the thread with no information about the quarantine either.


I'm not trying to complain about the wonderful service you guys are doing, but trying to explain from the perspective of a recipient of the quarantine email why you're getting so much angst over it. It's kinda like the evening TV news saying "There's something in your kitchen that could kill you!" and not elaborating. A very vague warning about a mod without anything other than "it has been quarantined" raises way more questions than it provides answers, and left me unsure what I really needed to do.


If I were writing the email, I'd say something more like:

Quote:
Subject: Action needed - Security issue with ibProArcade - professional Arcade System

The ibProArcade - professional Arcade System modification has been 'quarantined' by vBulletin.org, due to a security issue that requires your immediate action to ensure your forum's security.

You downloaded this modification at the following thread, which has now been archived until further notice.

https://vborg.vbsupport.ru/showthread.php?t=101554

This modification has been quarantined due to a serious security issue that has been brought to our attention. Our policy is not to discuss security issues publicly. However, the author of the modification has been informed and asked to address the quarantine reason(s). Until this is done, the modification will remain in the vbulletin.org graveyard. Once the author has responded to the issues you will be notified that it has been restored.

With the information we have at the current time, we believe this security issue can be completely prevented by disabling the modification in your Admin Control Panel. Go to "Plugins & Products", then "Manage Products" then disable this modification.

We do not believe removing this modification's additional files (if any) or uninstalling it is necessary to prevent exploitation of the security issue. Please keep in mind that if you uninstall this modification anyway, you may delete any data associated with it.

Explain the problem, explain what's being done about it, and list what actions a forum owner needs to take a bit more authoritatively.