Go Back   vb.org Archive > Community Central > vBulletin.org Site Feedback
Reload this Page Exposing the user to harm
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
Page 3 of 4 12 3 4
 
Thread Tools Display Modes
  #21  
Old 07-01-2007, 08:58 PM
nexialys
Guest
  
Posts: n/a
Default
Quote:
Originally Posted by smacklan View Post
I'm here for many reasons that have nothing to do with mods...as are many others
Have you ever heard of a security hole being introduced from a skin?
Hum,...psst... HTML inserts and javascripts exploits are induced by skins... can you just be neutral when you don't know...

anyway, these discussions are completely worthless... if you are not happy with an administration, create your own and start your project... you'll be the one to deal with your problems...
Reply With Quote
  #22  
Old 07-01-2007, 09:36 PM
Brad Brad is offline
 
Join Date: Nov 2001
Posts: 4,765
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by smacklan View Post
Have you ever heard of a security hole being introduced from a skin?
While it'll probably never happen...a style release could contain some very nasty stuff if not for a small portion of php code in adminfunctions_template.php.
Reply With Quote
  #23  
Old 07-01-2007, 09:39 PM
smacklan's Avatar
smacklan smacklan is offline
 
Join Date: Mar 2005
Posts: 497
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by nexialys View Post
Hum,...psst... HTML inserts and javascripts exploits are induced by skins... can you just be neutral when you don't know...
I didn't say it was impossible, I said have you ever heard of it happening? Please check your over-inflated ego at the door
Reply With Quote
  #24  
Old 07-01-2007, 10:01 PM
Dream's Avatar
Dream Dream is offline
 
Join Date: Oct 2001
Posts: 2,251
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by nexialys View Post
anyway, these discussions are completely worthless...
I agree. Not every coder in this site for hobbyists will want or have time to fix their mods, so the policy of removing them. Asking to be treated differently is an ego problem.
Reply With Quote
  #25  
Old 07-01-2007, 10:07 PM
Brandon Sheley's Avatar
Brandon Sheley Brandon Sheley is offline
 
Join Date: Mar 2005
Location: Google Kansas
Posts: 4,678
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by hambil View Post
That aside, I still think it's a flawed policy. The email that went out to all the users stated:
This modification contains a MySQL injection vulnerability

It was also put into the thread itself in nice large red letters:
This modification contains a MySQL injection vulnerability

This puts every user of the hack at risk. It also creates a nice little searchable database for anyone who might want to start hacking VB sites. It's an all around bad idea.
I think this is a great idea, this give the users who have installed the hack, ample time to remove the hack from their site.

If you don't keep up with the hacks on your site, that's your problem

just my 2cents
Reply With Quote
  #26  
Old 07-01-2007, 10:47 PM
hambil's Avatar
hambil hambil is offline
 
Join Date: Jun 2004
Location: Seattle
Posts: 1,719
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Dream View Post
I agree. Not every coder in this site for hobbyists will want or have time to fix their mods, so the policy of removing them. Asking to be treated differently is an ego problem.
I'm not asking to be treated differently. I'm stating that 1) Even if you accept that instantaneously removing a mod is a good thing, broadcasting specifics about the security flaw to the world before it is fixed, is not smart. 2) When a board policy undergoes a significant change, a process should be in place to make sure those affected are aware.
Reply With Quote
  #27  
Old 07-01-2007, 11:04 PM
nexialys
Guest
  
Posts: n/a
Default
Quote:
Originally Posted by smacklan View Post
Please check your over-inflated ego at the door
Hey, i paid for that ego, please give it a shot !!!
Reply With Quote
  #28  
Old 07-01-2007, 11:15 PM
hambil's Avatar
hambil hambil is offline
 
Join Date: Jun 2004
Location: Seattle
Posts: 1,719
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by smacklan View Post
I didn't say it was impossible, I said have you ever heard of it happening? Please check your over-inflated ego at the door
Have you heard of a board being hacked because of a security flaw in a mod? I've been doing this for years and I haven't. The few hackings that I am aware of where over flaws in vb itself.

The biggest problem facing board owners using third party software is bugs, not security flaws. And skins can, and do, introduce plenty of bugs.
Reply With Quote
  #29  
Old 07-02-2007, 12:06 AM
smacklan's Avatar
smacklan smacklan is offline
 
Join Date: Mar 2005
Posts: 497
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
This thread is about security holes. I do agree with your position about how notification takes place, however.
Reply With Quote
  #30  
Old 07-03-2007, 07:44 AM
bashy bashy is offline
 
Join Date: Nov 2005
Posts: 2,544
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by hambil View Post
That aside, I still think it's a flawed policy. The email that went out to all the users stated:
This modification contains a MySQL injection vulnerability
The email is a good idea to all installers of the hack...I certainly would prefer to receive an email to let me know!

Quote:
Originally Posted by hambil View Post
It was also put into the thread itself in nice large red letters:
This modification contains a MySQL injection vulnerability

This puts every user of the hack at risk. It also creates a nice little searchable database for anyone who might want to start hacking VB sites. It's an all around bad idea.
I agree totally, but, then again, it shouldn't be an issue if the installers of the hack
disabled it, if they haven't, then its their own fault, they have been warned, Twice...
Reply With Quote
Reply
Page 3 of 4 12 3 4

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 10:07 AM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04651 seconds
  • Memory Usage 2,256KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (10)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (3)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (8)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • postbit_imicons
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete