The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
Comments
#22
Quote:
#23
Wow guys. Any administration, developer, etc. worth a grain of salt will not give out (even potential) security vulnerabilities to harm their members. For those who are curious, you can find out by looking at the patch once it comes out or try finding it yourself prior.
There is no reason you need to know what the vulnerability is until it's been fixed. If you're concerned, disable the product. Simple.
Ugh, I feel for the staff here. Dealing with other admins or developers is the worst when they think they always know best. Keep up the good work guys. The response you SHOULD be getting is a huge thanks for looking out for us. Cheers
5 thanks from: basskiller, BirdOPrey5, Eric, Gemma, Juggernaut
#24
I agree 100% with Adrian on this. The reason why they're not saying much about this is because not many people know about the exploit, it's not even lurking on hack forums/sites. This mod can be exploited if they release details on this, the mods or mod owner need time to get this sorted. I know all of you want to be given a reason, but you guys need to understand that's not the best route at the moment. For now, disable the mod and remove all the php files associated with the mod.
Thanks from: BirdOPrey5
#25
I totally get "don't give out what the actual exploit is", but the email didn't give us enough information to actually know what to do.
It didn't say that it was removed for security reasons at all. I couldn't tell if this was a "remove this now, it's urgent!" problem, a "the latest version that was uploaded by the author is breaking installs, we don't want people messing up their forum by continuing to download it" problem, or a copyright claim or whatever.
If it was removed for security reasons, is just disabling it enough? Do the files actually have to be removed because it's still exploitable even if the product is disabled? The email says "If the modification consists of a product then disabling the product should be all that is required.", but past security problems with mods have shown that not to always be true. The email follows up with "If the modification also included new files then you may remove (or rename) them." which seems to contradict that disabling is good enough. The URL listed in the email sent out just linked to the thread with no information about the quarantine either.
I'm not trying to complain about the wonderful service you guys are doing, but trying to explain from the perspective of a recipient of the quarantine email why you're getting so much angst over it. It's kinda like the evening TV news saying "There's something in your kitchen that could kill you!" and not elaborating. A very vague warning about a mod without anything other than "it has been quarantined" raises way more questions than provides answers, and left me unsure what I really needed to do.
If I were writing the email, I'd say something more like:
Quote:
#26
|
||||
|
||||
I completely support the vb.org staff's decision of not releasing additional details without a fix being developed and released first. Doing so will only make a hacker's job easier and leave users of the mod more vulnerable.
Thanks from: BirdOPrey5
#27
|
|||
|
|||
Do I have to disable it in plugins/products or is using the mod's off switch enough?
EDIT Never mind! Turning it off has no effect whatsoever... I'll disable it. Disabling it still leaves it accessible! What's going on?
#28
|
||||
|
||||
Yes. Seriously Joe.
If I wasn't serious - I likely wouldn't have posted it. And though the language I used may be a bit strong for the subject matter at hand.... The suggestion that members here who have installed a modification be given a weeee bit more info than, "exploit. disable mod until further notice" is as well. It's a solid idea and it's a strong idea and you can see that it's a valid idea by the bulk of commentary in this thread.
Also - FWIW - I appreciate very much the all volunteer staff here at vB.org - I always have and as long as my boards are running vBulletin = I always will. But being an all volunteer staff isn't an excuse for providing little to absolutely-no information to the users of modifications here.
That's all - and hopefully my posts will inspire a conversation amongst the staff members regarding this ridiculous no-info-upon-graveyard policy. Specifically - how to better it so that the Jacquii's of the world won't have a reason to +++++ --
Drama queen? Not hardly. Someone curious about what the exploit is and why we're not given one iota of a detail regarding it? Sure.
J.
--------------- Added [DATE]1314696161[/DATE] at [TIME]1314696161[/TIME] ---------------
Quote:
You should probably just turn the entire arcade off via Arcade Main Settings. Perhaps to go a step further would be to rename your arcade.php file to something else until a fix is announced. Of course such info might have been helpful if included in the super-useful quarantine email...
J.
#29
|
|||
|
|||
Quote:
Tried turning it off via the settings too. I can still play arcade games like that. I think I'm going to chmod the arcade.php file to 000 or something.
#30
|
||||
|
||||
Quote:
It has absolutely nothing to do with mania or anyone's cat lighting on fire, which is really a horrible thing lmao
--------------- Added [DATE]1314696627[/DATE] at [TIME]1314696627[/TIME] ---------------
Quote:
Rename arcade.php to something like blablabla.php -- something that only you will know -- and then once a fix has been posted - change the name back - then users browsing to your arcade.php file should be redirected to 404 error...?
#31
|
|||
|
|||
Quote:
I went one better. I inserted
Code:
die("This file is offline for now");
To the best of my knowledge, that'll cause the file to fail to load but when an update is released, uploading it will automatically replace the file and save me the trouble of remembering to rename it back :P