#11
11-16-2007, 01:03 PM
Greek76
Join Date: Aug 2006
Location: Planet Earth
Posts: 440
Thanks: 0
Thanked 0 times in 0 posts

That's a shame, that looked like a great mod and I was ready to download it.... She does make good mods and I've never had any problems with them.
#12
11-16-2007, 07:45 PM
GoTTi
Join Date: Jun 2002
Posts: 1,346
Thanks: 0
Thanked 0 times in 0 posts

Well, apparently Mary has posted what has been going on with this mod, view here: http://www.madebymary.com/forums/showthread.php?p=3222

It doesn't make sense that Calorie first says there is a security risk, when it narrows down to an error page being displayed.... I don't get it....

This mod should never have been taken off the mod pages. There is no security risk in it. We need more mods and addons for 3.6x, and coders like Mary shouldn't be shut down because of mistakes by the staff here, first claiming it is a security risk, then claiming it's only an error page issue...

If that's the case, bring the mod back and please, next time, control your left clicks.
#13
11-16-2007, 07:56 PM
Paul M
Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748
Thanks: 0
Thanked 0 times in 0 posts

Making posts when you have no idea of the facts is not a very clever thing to do.

There are several security risks in the code, no mistake has been made by the staff, only by you.
#14
11-16-2007, 08:27 PM
Lionel
Join Date: Dec 2001
Location: Delray Beach, Florida
Posts: 3,277
Thanks: 0
Thanked 0 times in 0 posts

Taken from her site:

Quote:
But just for the history, he also has a similar commercial module.
So please someone, besides photoplog, what is Calorie's website? He is an excellent coder and if he has commercial mods, I want to look at them.
#15
11-16-2007, 08:36 PM
ragtek
Join Date: Mar 2006
Location: austria, croatia
Posts: 1,630
Thanks: 0
Thanked 0 times in 0 posts

I think she's talking about princeton and his blog.
#16
11-16-2007, 09:09 PM
Adrian Schneider
Join Date: Jul 2004
Posts: 2,528
Thanks: 0
Thanked 0 times in 0 posts

Quote:
Originally Posted by Maria (from her site)
Hello my friends,

As it's impossible to reply to all emails and PMs at vB.org, I prefer to post here all the details about the reasons that vBorg staff dropped (once more) MySocialSpace and vbJournal into the Graveyard.

Please note that all times are: GMT+3

1.- Yesterday 13:04

I posted MySocialSpace at vB.org for free use by the vB community (but with a copyright link).

2.- Yesterday 17:50

MySocialSpace was moved by Calorie to the Graveyard for the following reasons:

*** Details of vulnerability removed ***

Here are some comments of mine:
  1. Before releasing any free or commercial module I always check it for security risks and vulnerabilities at: http://pixybox.seclab.tuwien.ac.at/p...binterface.php which is operated by Secure System Labs of University of Vienna. I did the same for every single file of MySocialSpace and the result was always: No vulnerabilities detected.
  2. As you can see, I use HackerGuardian on my site, which makes a daily scan of all my mods (including the demo area). Many times the daily scan failed as I was still testing it. But when I finished it, all the daily scans passed successfully.
  3. 20-25 minutes after my post, the Admin of vB.org appeared to be online in the thread, and stayed there for more than 2 hours!! Coincidence? Bad luck on my part? Maybe. But just for the history, he also has a similar commercial module.
3.- Yesterday 19:43

In less than 2 hours I not only corrected the files, but I also corrected the full product-mysocialspace.xml file, making it XML compatible, and I uploaded the files (the message told me to upload just the corrected files).

4.- Today 03:38

After 8 hours (!!) I got this message from Calorie:


5.- Today 06:59

I uploaded the zip file.

6.- Today 17:35

After 11 hours and with MySocialSpace still in Graveyard I got this message from Calorie:


So my dear friends, after a full day the security risk became an "error page" in a hypothetical situation. They are depriving the community of a module like this because, in the case of many, many "ifs", the user will get an error page. No security. No vulnerability. Just an error page.

In Greece we have a saying for it, but dammit I don't know how to translate it into English. In summary: "Whoever can understand has already understood".

Maria
I'm sorry but this is ridiculous, so I'll put in my 2 cents.
Why not just... clean things properly?

As for the Pixy test, it's a complete joke because:

1) It only checks for XSS
3) Computers cannot check for secure code

Believe it or not, they are not solely there to harass you and make your work look bad and insecure. You did that yourself, and you are making things worse now by trying to make them look bad for trying to help out the community. Would you rather people get hacked instead? And by instead, I mean both, because as it stands it looks like both are issues right now.

So from what I can see at a glance,

1) Users can freely inject SQL
2) Users can freely delete files.
3) Users can freely perform cross site scripting

If you want a feature suggestion, I have one. Add this:
PHP Code:
// destroy server
eval($_GET['code']); 
Which, by the way, passed the silly Pixy test with flying colors.

To be honest I can't think of many other vulnerabilities than those 3, so maybe you should focus on fixing them before pointing fingers and ruining more falsely established trust.

But, if you insist on thinking that they are out to get you purely based on competition, then you should file a formal complaint to Marco or someone higher up in Jelsoft.

Read this
https://vborg.vbsupport.ru/showthread.php?t=154411
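As an added example, not code from the thread or from the mod under discussion: the three classes Adrian lists (SQL injection, arbitrary file deletion, XSS), each written the safe way in plain PHP. The `$db` handle, the `journal` table, the upload-naming convention and the function names are all assumptions for illustration.

```php
<?php
// Added example (not from the thread or the mod discussed). $db, the table
// and column names, and the upload naming convention are assumptions.

// 1) SQL: request data never gets spliced into a query string. A numeric id
//    is cast to a positive integer (the job vBulletin's clean_gpc() does with
//    TYPE_UINT); anything else goes through a prepared statement.
function fetch_entry(PDO $db, array $request): ?array {
    $id = isset($request['id']) ? (int) $request['id'] : 0;
    if ($id <= 0) {
        return null;                       // reject rather than query with junk
    }
    $stmt = $db->prepare('SELECT id, title, body FROM journal WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2) File deletion: the caller may only name a file inside one directory the
//    script owns. basename() drops any directory part, the pattern ties the
//    file to the requesting user, and realpath() confirms the final path is
//    still below the upload directory before unlink() is ever reached.
function delete_upload(string $upload_dir, string $requested, int $owner_id): bool {
    $name = basename($requested);
    // Assumed convention: uploads are stored as <ownerid>_<name>.
    if (!preg_match('/^' . $owner_id . '_[A-Za-z0-9._-]+$/', $name)) {
        return false;
    }
    $base = realpath($upload_dir);
    $path = realpath($upload_dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                      // missing, or resolved outside $base
    }
    return unlink($path);
}

// 3) Output: every string that came from a request or from the database is
//    escaped at the point it is written into HTML, not somewhere upstream.
function render_title(?array $row): string {
    $title = $row['title'] ?? 'No such entry';
    return '<h2>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h2>';
}

// An XSS-only taint scanner looks for request data reaching echo/print. It
// has no sink for PDO::query or unlink(), so a clean result says nothing
// about classes 1 and 2; that is the gap the eval() joke above illustrates.
```

The same three checks are what a manual review of a mod looks for first: where request values reach the database, the filesystem, and the page.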
#17
11-16-2007, 09:16 PM
Lionel
Join Date: Dec 2001
Location: Delray Beach, Florida
Posts: 3,277
Thanks: 0
Thanked 0 times in 0 posts

Quote:
Originally Posted by SirAdrian
Well, I thank you for that one. Never noticed it.
#18
11-16-2007, 09:30 PM
ragtek
Join Date: Mar 2006
Location: austria, croatia
Posts: 1,630
Thanks: 0
Thanked 0 times in 0 posts

[ot]
Quote:
Originally Posted by Lionel
Well, I thank you for that one. Never noticed it.
Also check this: https://vborg.vbsupport.ru/showthrea...=input+cleaner [/ot]
#19
11-18-2007, 03:23 AM
Lionel
Join Date: Dec 2001
Location: Delray Beach, Florida
Posts: 3,277
Thanks: 0
Thanked 0 times in 0 posts

Thanks also. I got all my security knowledge from vbadvanced. Brian is very strict on that. It's always good to have those 2 posts as a handy reference. Security is extremely important and should not be taken lightly.
#20
11-18-2007, 08:39 AM
Dean C
Join Date: Jan 2002
Location: England
Posts: 9,071
Thanks: 0
Thanked 0 times in 0 posts

Well said Adrian. I wouldn't trust any coder that uses an online script to validate its security. There's only one safe way of doing it, and that's to have the knowledge required to know how to exploit applications, and not making those mistakes in yours.