vb.org Archive > Community Central > Community Lounge
#21
12-27-2004, 01:51 AM
cinq
Join Date: Oct 2002
Posts: 1,398
Thanked: 0 times
Thanked 0 times in 0 posts

Perhaps it could be worth considering a subforum here to discuss security issues?

Not of the hacks here (that could be potentially dangerous), but in general.
And how coders here can take steps to rectify them in their coding of hacks to ensure hacks are as secure as possible.

If not mentioned, I would never have known what an SQL injection is.
And now I know, and it worries me ...
#22
12-27-2004, 03:03 AM
AN-net
Join Date: Dec 2003
Location: AnimationTalk.com
Posts: 2,367
Thanked: 0 times
Thanked 0 times in 0 posts

Quote:
Originally Posted by Erwin
Okay, I'm no expert, but from my own observations, a simple tip is to make sure every variable goes through the internal vB check function and does not get passed as a _GET or _POST variable without this check:

For example:

a. globalize($_REQUEST, array(
'action' => STR,
'username' => STR,
'olduser' => STR,
'newuser' => STR,
'amount' => STR,
));

OR

b. globalize($_POST, array(
'action' => STR,
'username' => STR,
'olduser' => STR,
'newuser' => STR,
'amount' => STR,
));

Instead of

$action = $_GET[action];

OR

$action = $_POST[action];

Which is not secure.

A lot of hack authors just use $_GET[variable] or $_POST[variable] in their code, which is much easier to code (I admit I do this too), but this is not secure, especially the $_GET/$_REQUEST variables, which are susceptible to SQL injections via the URL directly, as anyone can send variables via the command line.

The developers can correct me if I am wrong. I repeat, I'm no expert.

vBulletin.org is an official site which hosts a reservoir of unofficial 3rd-party add-ons as a courtesy to licensed users. I am NOT an employee of Jelsoft, but I can say that Jelsoft is doing this as a favor for the vB admins by hosting this site - they don't have to.
The globalize feature will not protect from SQL injections, I believe, but will correctly evaluate a field such as text, numbers, or strs. I do not think it checks for SQL injection. There are 2 functions that can prevent SQL injection. These 2 are addslashes() for text or strs, which adds slashes to single quotes or regular quotes, thus blocking most forms of SQL injection. Second is intval(), which makes sure a field that is supposed to be a number is a number. If it is not, it will return false and return 0, thus nullifying any possible text put in a number field.
#23
12-27-2004, 06:19 AM
alkatraz
Join Date: Oct 2002
Location: Vancouver, Canada
Posts: 384
Thanked: 0 times
Thanked 0 times in 0 posts

Scary stuff..

A few suggestions from a non-coder:

I think Jelsoft and all vBulletin users would benefit from a Guide to Hacking which explains some of the common exploits/holes out there and supplies workarounds to keep things protected (just like Erwin posted above, but more in depth).

Or possibly a "hacking contest" where Jelsoft gives a reward to coders who find holes and provide solutions to not only vB's code but the major hacks on this site.
#24
12-27-2004, 09:30 AM
Revan
Join Date: Jan 2004
Location: Norway
Posts: 1,671
Thanked: 0 times
Thanked 0 times in 0 posts

Quote:
Originally Posted by AN-net
Second is intval(), which makes sure a field that is supposed to be a number is a number. If it is not, it will return false and return 0, thus nullifying any possible text put in a number field.
I believe that if you use globalize() and set a field to be => INT, it does the same as intval().
I could be very mistaken, I haven't looked closely at globalize(), but it sounds like sense to me.

//peace
#25
12-27-2004, 09:31 AM
deathemperor
Join Date: Jul 2003
Location: HOL
Posts: 1,270
Thanked: 0 times
Thanked 0 times in 0 posts

Quote:
Originally Posted by cinq
No code is 100% secure, not even a default vB installation.
But that is where feedback by users is required, for the developers to fix the holes and provide solutions and patches.

And good developers work hard not just to add new features, but make sure their applications (in this case, hacks) are as secure as possible.
This is not always true, mate. Some hackers were just coding so carelessly; not to mention SQL injections, the permission checking was also coded carelessly: you set the permissions, but in the end everyone can manipulate it easily.

You shouldn't release hacks if you yourself knew they were insecure and not made properly; at least you should release them in BETA state.

I hadn't known anything about this when I didn't know PHP, but now that I do, I realize there are plenty of horrible things in hacks.

We all do respect hackers' work for free products, but shouldn't they consider security problems?

I was about to post a thread like this when I was so furious knowing a very insecure hack; after a night it went away, because I could understand their feelings a bit.

And please don't say that even vB3 is insecure; don't take it to heart and say, "Then why do my hacks have to be secure whatever?"

The comments are just for the good hacks of vBulletin.org and a great community, I believe. Don't tell me that "Hack the code at your own risk" means all hacks could be insecure as much as the authors want.

Tell the authors to fix it? Not every master coder wants to listen to newbies' words, and some of them have just gone away from here. To expect the fixes could cost you months; that's nonsense.
#26
12-27-2004, 09:34 AM
deathemperor
Join Date: Jul 2003
Location: HOL
Posts: 1,270
Thanked: 0 times
Thanked 0 times in 0 posts

Quote:
Originally Posted by Revan
I believe that if you use globalize() and set a field to be => INT, it does the same as intval().
I could be very mistaken, I haven't looked closely at globalize(), but it sounds like sense to me.

//peace
That's right. I think globalize() should be used when requesting a lot of $_POST, $_REQUEST or $_GET...

Quote:
Originally Posted by AN-net
The globalize feature will not protect from SQL injections, I believe, but will correctly evaluate a field such as text, numbers, or strs. I do not think it checks for SQL injection. There are 2 functions that can prevent SQL injection. These 2 are addslashes() for text or strs, which adds slashes to single quotes or regular quotes, thus blocking most forms of SQL injection. Second is intval(), which makes sure a field that is supposed to be a number is a number. If it is not, it will return false and return 0, thus nullifying any possible text put in a number field.
This is exactly what globalize() does, even more. You can check it in functions.php.
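Putting Erwin's globalize() pattern and AN-net's intval()/addslashes() point together, here is an added example, not vBulletin's code and not anything posted in this thread: a simplified stand-in for globalize() that applies intval() to INT fields and addslashes() to STR fields, shown beside the raw-request pattern the thread warns about. The clean_input() name and the 'INT'/'STR' strings are my own stand-ins; vB3's real function and its constants live in functions.php.

```php
<?php
// Added example; not code from vBulletin or from anyone in this thread.
// A minimal stand-in for the idea behind vB3's globalize(): every request
// field is pulled through a declared type before use, so a field typed INT
// can only ever be an integer and a field typed STR is escaped before it
// lands inside a quoted SQL literal. The real globalize() in functions.php
// does more (other types, HTML handling); this covers only the two cases
// discussed above. 'INT' / 'STR' are plain strings standing in for vB3's constants.

/**
 * Return a cleaned copy of $source limited to the keys listed in $fields.
 * Missing keys still come back with a safe default (0 or ''), so callers
 * never read an unset variable.
 */
function clean_input(array $source, array $fields)
{
    $clean = array();
    foreach ($fields as $name => $type) {
        $raw = isset($source[$name]) ? $source[$name] : '';
        if (is_array($raw)) {      // foo[]=1 is never a valid scalar field
            $raw = '';
        }
        switch ($type) {
            case 'INT':
                // intval() keeps a leading integer and maps anything else to 0,
                // so a value dropped unquoted into SQL can only be a number.
                $clean[$name] = intval($raw);
                break;
            case 'STR':
                // addslashes() escapes ' " \ and NUL. That is only adequate for
                // values placed inside quotes in the SQL string; numeric fields
                // must be declared INT instead.
                $clean[$name] = addslashes($raw);
                break;
            default:
                throw new InvalidArgumentException("unknown type for $name");
        }
    }
    return $clean;
}

// Constructed request, as $_GET would hold it for ?userid=42abc&username=O'Brien
$request = array('userid' => '42abc', 'username' => "O'Brien", 'other' => 'x');
$in = clean_input($request, array('userid' => 'INT', 'username' => 'STR'));

// The pattern criticised above: raw request value interpolated into SQL.
$insecure = "SELECT * FROM user WHERE userid = " . $request['userid'];
// Cleaned pattern: integer coerced, string escaped and placed inside quotes.
$secure = "SELECT * FROM user WHERE userid = " . $in['userid']
        . " AND username = '" . $in['username'] . "'";
echo $insecure, "\n", $secure, "\n";
```

Note that the 'other' key is dropped entirely: only fields you declare reach the rest of the script, which is the point of globalize() over reading $_GET directly.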
#27
12-27-2004, 09:54 AM
Paul M
Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748
Thanked: 0 times
Thanked 0 times in 0 posts

Quote:
Originally Posted by Erwin
but I can say that Jelsoft is doing this as a favor for the vB admins by hosting this site - they don't have to.
A favor?? I'm sure plenty of people would happily host this site if Jelsoft didn't want to.
#28
12-27-2004, 09:55 AM
aussiev8
Join Date: Aug 2004
Posts: 122
Thanked: 0 times
Thanked 0 times in 0 posts

I'm glad others have similar feelings about this.
I think cinq's suggestion about a hacking subforum would be great, and I think only members should see it. I know it's hard to police hacks because they're done by 3rd parties for free, but education would be great! A lot of major CMSs like phpNuke are dying now because of the flaws associated with them. I don't want vB to turn out like that.

I've PM'd a few coders with holes I've found in the software, and come on guys, I've been coding PHP for about 8 weeks now, and if I know this much, you guys should surely know a lot more than me!

I'm happy to help find holes, and I do it all the time on my forum. From now on I'll submit any holes to the respective author and one of the other admins, just to make sure action is taken, whether it be fixing the hole or alerting the guys who installed the hack via email!

Regards
Mark
#29
12-27-2004, 10:19 AM
cinq
Join Date: Oct 2002
Posts: 1,398
Thanked: 0 times
Thanked 0 times in 0 posts

Quote:
Originally Posted by deathemperor
You shouldn't release hacks if you yourself knew they were insecure and not made properly; at least you should release them in BETA state.
Not every coder is as proficient as yourself.
Everyone has his or her standard.

Admittedly, I am rather new to coding, but I do release hacks which I personally have gone through and deemed 'secure' to the best of my knowledge.

That is what I am trying to get across. Not everyone knows every possible security hole there is to know.

But if you feel otherwise, I guess myself, along with many other coders here should take the time to withdraw their hacks from this place because they are potentially hazardous if installed, and provide uninstallation instructions as well as an apology to all who have installed....
#30
12-27-2004, 01:06 PM
T3MEDIA
Join Date: Dec 2004
Posts: 944
Thanked: 0 times
Thanked 0 times in 0 posts

Quote:
Originally Posted by Dean C
This is well-nigh impossible, and as a programmer you can't see how difficult something like this is. Maybe with the move to OOP in the next vB3 version something like this will become more possible.
Nothing in code is impossible. If I've seen it done (other software), it can be done (here).