The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#11
If a modification is quarantined because of a security problem and the details of the problem were posted, then I think that would be a pretty stupid thing for us to do. It would just make it that much easier for those who have nothing better to do than hack boards to go around testing for the flaw in the mod.
If I were you, and I got a notice that a modification I had installed was quarantined, I think I would assume there is something wrong with it and disable it until a fix is posted.
#12
That's just it Lynne - I dare say a good majority of times there is no fix posted. Posting the details of the problem or adding it to the email notice wouldn't be stupid - sometimes I've seen exploits posted over at milw0rm before it's even talked about on vB.org --- IDK - I just believe it's a solid idea that people who have marked a modification as installed be included in the discourse - ya know that saying about "knowledge is golden" and all... Oh wait - that's "silence is golden" -- but still the same concept I guess. Anyway - it's just frustrating to be told that a modification has been quarantined and simultaneously be told absolutely nothing at the same time.
Jacquii.
#13
I still disagree that it would be a good idea to go into details about the exact exploit. I do, however, think that the email would be better done to state whether it is an exploit and then strongly recommend that users disable it. Right now, it simply suggests you may want to consider disabling a mod, whereas I think if it is an exploit, it should recommend, not ask you to consider, disabling it. The email also doesn't say if it is an exploit or not, and I see no problem with the email saying that if that were the case. My opinion, of course.
#14
Quote:
Of course - I'm of the school that the graveyard and quarantined modifications should still be allowed download access, if only for purposes of fixing and/or improving the modification so that it may be shared once again within the vB Community. I think if one cannot access the download - then the download really has no business being shown in the first place. What? Are we trying to tease each other here?

Simply put - I'm only thinking of those who have downloaded and installed such a quarantined or graveyarded modification. Perhaps not everyone should have access to the info or downloaded files (if even available) - but those who have at least clicked the install button should be given some sort of details.

The idea here is to have a board which is SECURE from exploits, as well as modified to our liking. And if a modification is no longer classified as secure and quarantined as such - then it's not only the responsibility of the board owner to take appropriate action BUT it's ALSO the responsibility of vBulletin.org to provide all information available so that Members CAN take the appropriate action for the security of their forum. That's what I'm saying - and yes - It's my opinion.

Anyway - I hope this better explains the reason for my original post.

Jacquii.
#15
Ok let me start by addressing some of the issues you raise in this thread.

There are only 2 situations in which a modification is quarantined:
- A (possible) exploit has been discovered. As per our Mod Exploit Guidelines we will send out a warning email to all that have marked the modification as installed. Such an email is only sent in case of an exploit. So if you receive such an email it is to warn you about a possible vulnerability.
- The modification is breaking a rule that can be resolved. No email to the users is sent in this case as this is a private issue between vB.org (rules) and the author.

Details of a possible vulnerability are only sent to the coder and not to the users. We have no intention to change this. But if you think that we should update our text to make it more clear that the email was sent because of a possible vulnerability, then feel free to suggest an alternative text. But the current text was made after discussions with members.

Files are not available for download when a modification is quarantined. One of the reasons for this is not to help potential hackers to exploit such a vulnerability before a fix is provided by the author. But also the current version might not be available anymore. Files can become unavailable for many reasons, in most of the situations these files are either deleted or can not be shared anymore for copyright issues. This is not limited to a quarantined modification.

For this reason it is always your own responsibility to ensure that you can uninstall a modification, even if the files are not available anymore. There are many ways to solve this, most people simply save a copy of a modification when they install it. You can try to make this our responsibility, but how you run your board is really your own.

Now let's address your complaint on how you are treated by staff.
- You start a thread on a topic that has already been discussed before, and you know this. Now I don't have a problem with someone making a suggestion again, but you bring no new arguments, you only repeat the same as in older threads on this topic. Not a surprise that you will receive the same answers.
- The title of your post is not like your intentions are to make a serious suggestion, it is more the start of a rant: Concerned about another quarantine email I received. Does vB.org just not give a damn. If it had been only the first sentence it would have been fine, but by adding that vb.org doesn't give a damn you are already paving the way to get a negative response by staff.
- "Why the HELL are the people who have marked the modification as installed not given the reason for the quarantine?" Why the need to use language like "Why the HELL". Also you are asking a question that has been answered before.
- "And it's my assumption that vB.org just does not give a damn about its Members' board security if the only thing to do is send that bogus email as quoted above." Again, no positive suggestions, only a rant. If you think these mails are bogus then this would invalidate most of your rant. If you don't want them, don't mark modifications as installed. Sending out a warning is a service we provide to our members to help them mitigate security issues.

How do you think staff should respond when you only post a rant about things already discussed before in such a negative way?

I won't go analyzing your other posts in this thread as I think I already gave enough examples from your first post in this thread, but your responses only go further down the road.
#16
Suggestion - Extract the uninstall .txt file from the .zip archive and allow members to view this. Not a fully fledged solution if the file didn't come with uninstall instructions but it's something. I'm guessing that a proportion of scripts that have an exploit found within them will have a .txt file within the archive and/or post.
#17
The mod in question consists entirely of a single product, all that is needed (if you so wish) is to disable it.
#18
Quote:
I'm a member of a LOT of CMS and forum sites, and vb.org is probably the only one that sends out a notification when a security issue is found. If they did not care, they would not disable the mod and send out an email. In fact, it's just the opposite, they do care.

If you do not know how to uninstall a modification - that is your own fault. Always keep a backup of the modifications that you have downloaded.

It is not vBulletin's place to discuss security issues - you need to contact the developer about that. Better yet, remove the modification from your forum and wait for an update. The more time a developer has to spend answering emails and private messages, the less time they have to work on a fix.
#19
Quote:
Quote:
Jacquii.

btw - Thanks a lot for that bogus infraction. I do not see how any of my posts in this thread deserve an infraction. It's ridiculous - but I've come to expect absolutely nothing better from the likes of you Marco.

--------------- Added [DATE]1252695192[/DATE] at [TIME]1252695192[/TIME] ---------------

Quote:
Jacquii.

--------------- Added [DATE]1252695628[/DATE] at [TIME]1252695628[/TIME] ---------------

Yes it IS! This is an official vBulletin modification site. If vBulletin is not to care about the security of its Members' purchased products, then who is? And yes - I know - vBulletin cannot officially blablabla offer support for modified boards blablabla... But the gist of my suggestion and others who have made the same suggestion is that vBulletin.org should have a policy in place which actually is for the security of Members' boards. I don't understand what's so difficult to grasp about the concept...

And again - this is the type of comment which makes me ask, "Does vB.org just not give a damn?" --- hmmm perhaps that is an incendiary, not-quite-tactful way to phrase the question and I just did not realize it. Meh. That's not to say that it's not a damn good question though. I think it is - and obviously the vB.org Coordinator and one of the Administrators have answered with an overt, "Nope. Sure doesn't. And neither do I." Oh well...

Jacquii.
#20
Quote:
Is it Dodge's responsibility to discuss a flaw in Goodyear tires? Nope. Is it Dell's responsibility to discuss a flaw in Norton Anti-Virus? Nope.

You buy a product, any modifications or add-ons you install later on are NOT the responsibility of the original manufacturer. If you use cheap motor oil in your car, and your motor burns up; it's not GM's, Ford's, Toyota's, Dodge's, Nissan's... fault that you used a cheap motor oil.

Jelsoft has provided you with a product - anything you do to that product besides the default install is your responsibility.