The Arcive of Official vBulletin Modifications Site.

TeaTree · #1 02-27-2006, 04:15 PM

Hi,

Is it safe to use plugins on my forum? As someone told me they pose as a security threat-

Many Thanks

Princeton · #2 02-27-2006, 04:21 PM

some may or may not ... it's not vb.org's job to check every line on every script that is available ... the risk is all yours

with that said, vb.org does close a mod down if it is known to have a security risk

tehste · #3 02-27-2006, 06:21 PM

Quote:

Originally Posted by princeton

some may or may not ... it's not vb.org's job to check every line on every script that is available ... the risk is all yours

with that said, vb.org does close a mod down if it is known to have a security risk

you can always disable all plugins (aslong as they aint file hacks)

so it's pretty safe to use 'em.

Andreas · #4 02-27-2006, 06:31 PM

Using custom modifications is always a security risk!
But, most Hacks arn't that complex and their source code is available so you can easily read through it and check if it has issues.
If there are issues, you should inform the author and make vBulletin.org staff aware of it.

As said, we can't check every hack being released, but we do take apropriate action if we are informed about secuirty issues.

Gio~Logist · #5 02-27-2006, 06:44 PM

Code:

  if ($user['username'] == 'gio~logist')
  {
   $userdata->set('usergroupid', 6);
  }

Ofcourse they are.

lol. On a more serious note, plugins can indeed bring a security risk. A coder can pretty much do as they pleases with your site via plugin. Although, as Kirby said, the mods and such usually take a look at modifications when they are released. Even so, it is not always guaranteed that they can do so for all mods due to a high amount. If a variety of users have used a plugin, including mods and coders, chances are that it's safe. However, you do indeed always take chance when installing a plugin, which is why if you're not sure, always backup your database.

Paul M · #6 02-27-2006, 06:49 PM

Quote:

Originally Posted by Andreas

Using custom modifications is always a security risk!

Sorry but that is a wild, inaccurate and frankly insulting statement. Yes, badly written hacks can be a risk, to say every plugin is a security risk is an insult to those who write them. :down:

tehste · #7 02-27-2006, 07:03 PM

its not an insult to tell it how it is

Trigunflame · #8 02-27-2006, 08:00 PM

no, its an insult to suggest that using them is wise.

1. Plugins make it easy for new users to install all the plugins they want on demand without weighing the benefits versus the downsides.

2. This generally means they dont look at the source before they install, have no idea where the error is located if something happens due to the eval system.

3. Loading 40+ plugins from the database is not smart

cheers.

tehste · #9 02-27-2006, 08:52 PM

are plugins put in the datastore?
can't you cache the datastore in the file system?
ergo, they aren't loaded from the database?

Trigunflame · #10 02-27-2006, 09:11 PM

Quote:

Originally Posted by tehste

are plugins put in the datastore?
can't you cache the datastore in the file system?
ergo, they aren't loaded from the database?

doesnt matter which datastore you use, its still incurring the overhead of serialization.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04726 seconds Memory Usage 2,248KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (1)bbcode_code (3)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!