Go Back   vb.org Archive > News and Announcements > News and Announcements
FAQ Community Calendar Today's Posts Search

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 05-15-2006, 08:59 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Important: It is all about trust

Most of our members are using vBulletin to provide a Forum on their website(s). What are the reasons people have chosen vBulletin over other similar solutions? There can be many answers to this, but I think there is one that will be on everyone’s list: Trust.

You have bought software from a company that you trust, you are confident that they will provide you with quality software, with no known security issues. If a security issue is found, you’re confident that it will be addressed as soon as possible. Knowing this you can concentrate on your community, instead of being worried about security issues.

As your community grows you will find that you have needs for non-standard functionality, or just extra’s that will put your community ahead of your competition. Now here vBulletin.org comes in the picture.

Where the vBulletin software itself is created, maintained and supported by ‘professionals’, the vBulletin.org community relies solely on volunteer coders. This gives enthusiast coders to opportunity to contribute to the community and enhance the vBulletin product, making the life of running your own community easier.

Where the coders on vBulletin.org might give you professional solutions, they are in some level anonymous, it is not a company that has much to loose in case of a broken trust relationship. They will offer you software solutions, often free of charge, for your Board that you might install without ever seeing (all) of the code that is getting installed on your server. This is even more true with vBulletin 3.5 where most modification are done by simply installing a product file, instead of manually doing code changes.

Now where is this post going? You install probably numerous modifications on your board, provided by different coders. By installing software, you give total control of your board in the hands of these ‘anonymous’ coders. This requires a high level of trust towards them.

Where common sense, reading other users responses and testing on a Test Board can prevent you from disasters caused by coding errors (hey we are all human) or differences in the environment, there is another vulnerability that you can not so easy protect yourself against: Hidden functionality in the installed modification.

Hidden functions that are not documented and/or disclosed by the author can lead to a lot of things, I will try to sum up a few that are possible, some ‘innocent’, some with possible severe consequences. Some possible examples:
- A backdoor into your AdminCP
- Mailing admin passwords to the authors account.
- Call-home functions
- Usage tracking
- Disruption of service or data
- Any other technique that is used in Spyware/Malware type of software.

The stand of vBulletin.org Staff is that our members should be able to completely trust the solutions offered here as much as possible. This means that we will not tolerate any form of hidden functionality, since that is the only way we can keep the trust of the members using these solutions.

The reason for this thread is that, to our own shame, we received recently reports that there are coders who do incorporate hidden functionalities in their modifications. Lucky the type of hidden functions could be considered as relative harmless, but we will nevertheless not tolerate this. I would like to emphasize that this did not sent any security or privacy related information, nor did it in anyway brake the security of your site.

The discovered hidden functionality where aimed at a backdoor in the services of vBulletin.org itself, and have by now been closed. The effect of this functionality will be corrected by us soon. There has been no negative effects on the boards that are using any of these modifications.

From the time of this post on we will take the following actions upon discovery of such modifications:
- All users who have clicked Install for this modification will be notified about the issue.
- The offending modification will be withdrawn immediatly.
- Depending on the severity, all modifications submitted by this author could be withdrawn immediate, and the user account of the author could be closed.
- Admin will contact the author by mail to inform him and hear his/her side of the story.

The vBulletin.org team wants to apologize for any breach of trust this has caused. We hope that our members will be confident that we are addressing these issues seriously and as good as we can and that you can continue to have a trust relation with the authors that offer solutions here at vBulletin.org.

vBulletin.org Team
 


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 08:38 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.16160 seconds
  • Memory Usage 3,663KB
  • Queries Executed 12 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (18)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (41)post_thanks_box
  • (41)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (41)post_thanks_postbit_info
  • (41)postbit
  • (41)postbit_onlinestatus
  • (41)postbit_wrapper
  • (1)showthread_list
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_threadedmode.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids_threaded
  • showthread_threaded_construct_link
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete