The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Important: It is all about trust
Most of our members are using vBulletin to provide a Forum on their website(s). What are the reasons people have chosen vBulletin over other similar solutions? There can be many answers to this, but I think there is one that will be on everyone’s list: Trust.
You have bought software from a company that you trust, you are confident that they will provide you with quality software, with no known security issues. If a security issue is found, you’re confident that it will be addressed as soon as possible. Knowing this you can concentrate on your community, instead of being worried about security issues.
As your community grows you will find that you have needs for non-standard functionality, or just extras that will put your community ahead of your competition. Now here vBulletin.org comes into the picture. Where the vBulletin software itself is created, maintained and supported by ‘professionals’, the vBulletin.org community relies solely on volunteer coders. This gives enthusiast coders the opportunity to contribute to the community and enhance the vBulletin product, making the life of running your own community easier.
Where the coders on vBulletin.org might give you professional solutions, they are on some level anonymous; it is not a company that has much to lose in case of a broken trust relationship. They will offer you software solutions, often free of charge, for your Board that you might install without ever seeing (all) of the code that is getting installed on your server. This is even more true with vBulletin 3.5, where most modifications are done by simply installing a product file, instead of manually doing code changes.
Now where is this post going? You probably install numerous modifications on your board, provided by different coders. By installing software, you give total control of your board into the hands of these ‘anonymous’ coders. This requires a high level of trust towards them. Where common sense, reading other users' responses and testing on a Test Board can prevent you from disasters caused by coding errors (hey, we are all human) or differences in the environment, there is another vulnerability that you cannot so easily protect yourself against: hidden functionality in the installed modification.
Hidden functions that are not documented and/or disclosed by the author can lead to a lot of things. I will try to sum up a few that are possible, some ‘innocent’, some with possible severe consequences. Some possible examples:
- A backdoor into your AdminCP
- Mailing admin passwords to the author's account
- Call-home functions
- Usage tracking
- Disruption of service or data
- Any other technique that is used in Spyware/Malware type of software
The stand of vBulletin.org Staff is that our members should be able to completely trust the solutions offered here as much as possible. This means that we will not tolerate any form of hidden functionality, since that is the only way we can keep the trust of the members using these solutions.
The reason for this thread is that, to our own shame, we recently received reports that there are coders who do incorporate hidden functionalities in their modifications. Luckily, the type of hidden functions could be considered relatively harmless, but we will nevertheless not tolerate this. I would like to emphasize that this did not send any security or privacy related information, nor did it in any way break the security of your site. The discovered hidden functionality was aimed at a backdoor in the services of vBulletin.org itself, which has by now been closed. The effect of this functionality will be corrected by us soon. There have been no negative effects on the boards that are using any of these modifications.
From the time of this post on we will take the following actions upon discovery of such modifications:
- All users who have clicked Install for this modification will be notified about the issue.
- The offending modification will be withdrawn immediately.
- Depending on the severity, all modifications submitted by this author could be withdrawn immediately, and the user account of the author could be closed.
- Admin will contact the author by mail to inform him and hear his/her side of the story.
The vBulletin.org team wants to apologize for any breach of trust this has caused. We hope that our members will be confident that we are addressing these issues seriously and as well as we can, and that you can continue to have a trust relation with the authors that offer solutions here at vBulletin.org.
vBulletin.org Team
#2
To all the coders that have currently released modifications that contain such hidden functionality: you are given until June 1st to either remove your modifications or to upload a new version. All modifications found after June 1st with hidden functionality will be addressed according to the steps outlined above!
Staff is still discussing how to handle the benefits that these authors had from releasing this code. Expect the Staff to come with a decision on this soon.
#3
Is there any possibility that we can get informed which hacks this is meant to be?
Or that the coders can inform in the hacks that this is happening in their hacks?
#4
wow, my curiosity is killing me!
#5
Quote:
I am glad you have raised this Marco and for what it is worth you and the vBorg staff have my full support in this.
#6
Will you be providing a list of all such (known) hacks - some people may not have clicked on install? I think I have for all the hacks I've installed BUT I'd rather be certain.
#7
Quote:
Coders are always free to inform the users in their hack threads, but then it wouldn't be hidden functionality anymore.
#8
What hack in question should we be wary of, please??
#9
Like mentioned before, we will not disclose this at the present time. Maybe we will disclose it later.
#10
You've even got me interested now. Can you give us further details of what the "hidden function" was? Without revealing the name of the hack/author of course.
i.e., did it just do usage tracking? Increase the hack thread view count? Send an e-mail to the author saying where it had been installed? etc.?
Thanks, Alan.