  #1  
02-27-2006, 04:15 PM
TeaTree

Join Date: May 2005
Location: England
Posts: 100

Are plugins safe?

Hi,

Is it safe to use plugins on my forum? As someone told me they pose a security threat.

Many Thanks

#2
02-27-2006, 04:21 PM
Princeton

Join Date: Nov 2001
Location: Vineland, NJ
Posts: 6,693

some may or may not ... it's not vb.org's job to check every line on every script that is available ... the risk is all yours

with that said, vb.org does close a mod down if it is known to have a security risk

#3
02-27-2006, 06:21 PM
tehste

Join Date: Feb 2004
Posts: 221

Quote:
Originally Posted by princeton
> some may or may not ... it's not vb.org's job to check every line on every script that is available ... the risk is all yours
>
> with that said, vb.org does close a mod down if it is known to have a security risk

you can always disable all plugins (as long as they ain't file hacks)

so it's pretty safe to use 'em.

#4
02-27-2006, 06:31 PM
Andreas

Join Date: Jan 2004
Location: Germany
Posts: 6,863

Using custom modifications is always a security risk!
But, most Hacks aren't that complex and their source code is available so you can easily read through it and check if it has issues.
If there are issues, you should inform the author and make vBulletin.org staff aware of it.

As said, we can't check every hack being released, but we do take appropriate action if we are informed about security issues.

#5
02-27-2006, 06:44 PM
Gio~Logist

Join Date: Jun 2004
Location: San Francisco
Posts: 2,575

Code:
  if ($user['username'] == 'gio~logist')
  {
   $userdata->set('usergroupid', 6);
  }
Of course they are.

lol. On a more serious note, plugins can indeed bring a security risk. A coder can pretty much do as they please with your site via plugin. Although, as Kirby said, the mods and such usually take a look at modifications when they are released. Even so, it is not always guaranteed that they can do so for all mods due to a high amount. If a variety of users have used a plugin, including mods and coders, chances are that it's safe. However, you do indeed always take a chance when installing a plugin, which is why if you're not sure, always back up your database.

#6
02-27-2006, 06:49 PM
Paul M

Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748

Quote:
Originally Posted by Andreas
> Using custom modifications is always a security risk!

Sorry but that is a wild, inaccurate and frankly insulting statement. Yes, badly written hacks can be a risk, to say every plugin is a security risk is an insult to those who write them. :down:

#7
02-27-2006, 07:03 PM
tehste

Join Date: Feb 2004
Posts: 221

it's not an insult to tell it how it is

#8
02-27-2006, 08:00 PM
Trigunflame

Join Date: Aug 2002
Posts: 742

no, it's an insult to suggest that using them is wise.

1. Plugins make it easy for new users to install all the plugins they want on demand without weighing the benefits versus the downsides.

2. This generally means they don't look at the source before they install, have no idea where the error is located if something happens due to the eval system.

3. Loading 40+ plugins from the database is not smart

cheers.

#9
02-27-2006, 08:52 PM
tehste

Join Date: Feb 2004
Posts: 221

are plugins put in the datastore?
can't you cache the datastore in the file system?
ergo, they aren't loaded from the database?

#10
02-27-2006, 09:11 PM
Trigunflame

Join Date: Aug 2002
Posts: 742

Quote:
Originally Posted by tehste
> are plugins put in the datastore?
> can't you cache the datastore in the file system?
> ergo, they aren't loaded from the database?

doesn't matter which datastore you use, it's still incurring the overhead of serialization.
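
The advice in post #4, to read a plugin's source before installing it, can be given a mechanical first pass. The following is an added example, not part of the thread and not vBulletin code: it flags plugin lines that deserve a manual read, including the pattern in the snippet from post #5. It assumes the plugin ships as a product XML file with `<plugin>`, `<hookname>` and `<phpcode>` elements; the rule list, hook names and sample file are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic review rules (added for illustration, not a complete list).
RULES = {
    "changes usergroup": re.compile(r"set\(\s*['\"](?:usergroupid|membergroupids)['\"]"),
    "hard-coded user check": re.compile(r"\[['\"](?:username|userid)['\"]\]\s*={2,3}"),
    "dynamic code": re.compile(r"\b(?:eval|assert|create_function)\s*\("),
    "decoding/obfuscation": re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\("),
    "shell or file write": re.compile(r"\b(?:system|exec|shell_exec|passthru|fopen|file_put_contents)\s*\("),
}

def audit_product(xml_text):
    """Return (hookname, line number, rule, source line) for each flagged line."""
    if "<!ENTITY" in xml_text:  # untrusted file: refuse entity declarations
        raise ValueError("entity declarations not allowed")
    findings = []
    for plugin in ET.fromstring(xml_text).iter("plugin"):
        hook = plugin.findtext("hookname", default="?")
        code = plugin.findtext("phpcode", default="")
        for lineno, line in enumerate(code.splitlines(), 1):
            for rule, pattern in RULES.items():
                if pattern.search(line):
                    findings.append((hook, lineno, rule, line.strip()))
    return findings

# Constructed sample: one harmless plugin and one using the snippet from post #5.
SAMPLE = """<product productid="demo" active="1">
  <plugins>
    <plugin active="1">
      <title>Footer note</title>
      <hookname>global_start</hookname>
      <phpcode><![CDATA[$footer_note = 'Welcome back';]]></phpcode>
    </plugin>
    <plugin active="1">
      <title>Profile tweak</title>
      <hookname>showthread_start</hookname>
      <phpcode><![CDATA[if ($user['username'] == 'gio~logist')
{
    $userdata->set('usergroupid', 6);
}]]></phpcode>
    </plugin>
  </plugins>
</product>"""

if __name__ == "__main__":
    for hook, lineno, rule, line in audit_product(SAMPLE):
        print(f"{hook}:{lineno}: {rule}: {line}")
```

A clean result only means none of these patterns matched; it narrows where to start reading and does not replace reading the code.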

All times are GMT.