vb.org Archive > News and Announcements
  #171  
Old 05-22-2006, 05:31 AM
Logikos
 
Join Date: Jan 2003
Posts: 2,924
Thanks given: 0
Thanked 0 times in 0 posts

* Logikos hands Boofo a tissue
  #172  
Old 05-22-2006, 05:35 AM
kall
 
Join Date: Apr 2004
Location: New Zealand
Posts: 2,608
Thanks given: 0
Thanked 0 times in 0 posts

Quote:
Originally Posted by Boofo
That explains why my install count is always down by one. I thought we... I need a minute here to collect myself, I'm sorry...
Oh yeah, you gotta watch that Boofo guy.. I installed the /you code hack once, and found that my bank account was emptied, my rubbish bins overturned and my cat pregnant.

That was a doozy of a backdoor, that was.
  #173  
Old 05-22-2006, 05:36 AM
Boofo
 
Join Date: Mar 2002
Location: Des Moines, IA (USA)
Posts: 15,776
Thanks given: 0
Thanked 0 times in 0 posts

Quote:
Originally Posted by kall
Oh yeah, you gotta watch that Boofo guy.. I installed the /you code hack once, and found that my bank account was emptied, my rubbish bins overturned and my cat pregnant.

That was a doozy of a backdoor, that was.
Wait till you see my next version dubbed, the /kall code hack. You think your cat had problems...
  #174  
Old 05-22-2006, 05:38 AM
DementedMindz
 
Join Date: Jan 2006
Posts: 1,474
Thanks given: 0
Thanked 0 times in 0 posts

Quote:
Originally Posted by Boofo
Wait till you see my next version dubbed, the /kall code hack. You think your cat had problems...
:surprised: you better lock your dog up now
  #175  
Old 05-22-2006, 07:00 AM
wsdeluxe
 
Join Date: Mar 2006
Posts: 49
Thanks given: 0
Thanked 0 times in 0 posts

Quote:
The issue here is that some coders implemented a way to automatically click "Install" on vb.org whenever a product/plug-in was uploaded.
Almost every plugin or product I have installed has done that... didn't realise it could be deemed a security threat.
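The "automatically click Install" behaviour described above amounts to plugin PHP code, attached to a vBulletin hook, that makes an outbound request from the admin's server or browser without the admin's knowledge. The script below is an added example, not code from the thread or from vBulletin; it scans a vBulletin 3 product XML file and flags any plugin whose hook code contains a remote URL, a reference to vbulletin.org, or a known outbound-request call. It assumes the vBulletin 3 product format (a `plugins` element containing `plugin` entries with `title`, `hookname` and `phpcode` children), and the sample product XML embedded in it is constructed for this example: the URL and hook name it phones home to are stand-ins, not anything taken from a real release.

```python
"""Scan a vBulletin 3 product XML file for plugin code that phones home.

Added example (not vBulletin's own code). Assumes the vB3 product layout:
<product><plugins><plugin><title/><hookname/><phpcode><![CDATA[...]]></phpcode>
</plugin></plugins></product>. Everything else here is this example's choice.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Indicators that a plugin reaches out to a remote host. The names and the
# regexes are this example's own choice, not a vBulletin convention.
SUSPICIOUS = [
    ("remote_url", re.compile(r"https?://[^\s'\"]+", re.I)),
    ("vbulletin_org", re.compile(r"vbulletin\.org", re.I)),
    ("http_func", re.compile(
        r"\b(curl_init|curl_exec|fsockopen|file_get_contents|fopen"
        r"|vB_vURL|vbfetch_url)\s*\(", re.I)),
]

# Constructed sample product: one harmless plugin and one that pings a remote
# host on an admin-side hook. The URL and hook are hypothetical stand-ins.
SAMPLE_PRODUCT_XML = """<product productid="example_mod" active="1">
  <title>Example Mod</title>
  <version>1.0</version>
  <plugins>
    <plugin active="1" executionorder="5">
      <title>Example Mod - Render</title>
      <hookname>showthread_start</hookname>
      <phpcode><![CDATA[$example_var = 1;]]></phpcode>
    </plugin>
    <plugin active="1" executionorder="5">
      <title>Example Mod - Install</title>
      <hookname>admin_complete</hookname>
      <phpcode><![CDATA[
// constructed: silently registers an "install" with a remote site
$vurl = new vB_vURL($vbulletin);
$vurl->set_option(VURL_URL, 'http://www.vbulletin.org/example/install.php?id=123');
$vurl->exec();
]]></phpcode>
    </plugin>
  </plugins>
</product>
"""


def scan_product_xml(xml_text):
    """Return findings as (plugin title, hook name, indicator name, matched text).

    Every plugin's phpcode is checked against every indicator; a clean
    product yields an empty list.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for plugin in root.iter("plugin"):
        title = (plugin.findtext("title") or "").strip()
        hook = (plugin.findtext("hookname") or "").strip()
        code = plugin.findtext("phpcode") or ""
        for name, rx in SUSPICIOUS:
            for match in rx.finditer(code):
                findings.append((title, hook, name, match.group(0)))
    return findings


def scan_file(path):
    """Scan a product XML file on disk; returns the same findings list."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_product_xml(fh.read())


if __name__ == "__main__":
    # Usage: python scan_product.py product-example.xml
    # With no argument the constructed sample above is scanned instead.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_product_xml(SAMPLE_PRODUCT_XML)
    for title, hook, name, text in results:
        print(f"[{name}] plugin '{title}' on hook '{hook}': {text}")
    if not results:
        print("no outbound-request indicators found")
```

Run it against each product XML before importing it through the Product Manager; a hit on an admin-side hook such as the install/uninstall code or an admin hook is the pattern this thread is about, while a hit on a front-end hook may be legitimate (a feed fetcher, for instance) and needs reading the matched code.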
  #176  
Old 05-22-2006, 09:11 AM
kall
 
Join Date: Apr 2004
Location: New Zealand
Posts: 2,608
Thanks given: 0
Thanked 0 times in 0 posts

Oh man, when I read this in my email, I thought the post above mine was in response to post #172.

How I laughed.
  #177  
Old 05-22-2006, 09:24 AM
peterska2
 
Join Date: Oct 2003
Location: Manchester, UK
Posts: 6,504
Thanks given: 0
Thanked 0 times in 0 posts

Quote:
Originally Posted by wsdeluxe
Almost every plugin or product I have installed has done that... didn't realise it could be deemed a security threat.
That is why the issue has now been raised, before it got to all of them.

A small number of coders were doing this, so the majority of releases never have had any issues relating to this.

Quote:
Originally Posted by kall
Oh man, when I read this in my email, I thought the post above mine was in response to post #172.

How I laughed.
That's just the sort of thing that I do. It makes a serious thread really funny.
  #178  
Old 05-22-2006, 11:15 AM
FASherman
 
Join Date: Aug 2002
Posts: 289
Thanks given: 0
Thanked 0 times in 0 posts

Quote:
Originally Posted by Boofo
The issue has been dealt with and plans are in the works to make sure this never happens again. As was said in this thread, it was a small non-intrusive item but we are working to avoid ANY such instances in the future.
How? Will all code that is submitted for download go through rigorous testing before being made available to the public? Anything short of that means nothing is being done about it.

You can put rules in place and a reporting procedure to notify of violations, but steps like that are meant to protect your legal exposure, not our vulnerability to exploitation.

What are you going to do?
  #179  
Old 05-22-2006, 11:19 AM
Boofo
 
Join Date: Mar 2002
Location: Des Moines, IA (USA)
Posts: 15,776
Thanks given: 0
Thanked 0 times in 0 posts

Quote:
Originally Posted by FASherman
How? Will all code that is submitted for download go through rigorous testing before being made available to the public? Anything short of that means nothing is being done about it.

You can put rules in place and a reporting procedure to notify of violations, but steps like that are meant to protect your legal exposure, not our vulnerability to exploitation.

What are you going to do?
Let's just say it will be avoided in the future.
  #180  
Old 05-22-2006, 11:31 AM
FASherman
 
Join Date: Aug 2002
Posts: 289
Thanks given: 0
Thanked 0 times in 0 posts

Quote:
Originally Posted by Boofo
Let's just say it will be avoided in the future.
That's not exactly comforting, nor is it sufficient. Let's review.

Some authors were inserting, albeit harmless, hidden function code in their programs.

Those functions went unnoticed for months. The staff here didn't find the problematic code for some time, even though it affected their own site.

This points out a glaring security hole in the methodology of this site. Anyone with malicious intent, having read this thread, now knows the best way to exploit VB websites: release code here with hidden functionality.

That's the issue that needs addressing. And you can't dismiss it with a promise that "something" that we don't get to hear about will be done.

VB.Org opened this can of worms by making it public. You've raised a security and business data protection issue, the highest concern in all of IT. Many forums being run support real business, not hobbyists. Your answers are insufficient for that population.

You must come forward, sooner rather than later, and explain how you will verify the integrity of the code available here.