The Arcive of Official vBulletin Modifications Site.

AWS · #**131** 05-18-2006, 03:16 AM

When I read the first post my first thought was someone put a backdoor in a hack. The post reads like a virus warning. The first post does indeed scream "doom and gloom"
Having said that no person should install any hack without first looking through the code. You want to do this to make sure the code is secure and doesn't contain any backdoors. In all honesty you shouldn't be installing hacks if you have no knowledge of php. While I have trust in the authors of the hacks here it would be very easy for one of them to put in a backdoor that would give them control of your forum or your whole server.

Chroder · #**132** 05-18-2006, 03:21 AM

Quote:

Originally Posted by AWS

While I have trust in the authors of the hacks here it would be very easy for one of them to put in a backdoor that would give them control of your forum or your whole server.

This is true. I think maybe we should create some sort of "verified" system. When we upload attachments, they are marked as unverified (but still downloadable). Then maybe have a team that goes around and checks newly uploaded or updated attachments for unsafe code. Once it's passed the check, display a "verified" badge on the attachment.

Evil X · #**133** 05-18-2006, 03:41 AM

why was my post deleted? was it too real for you

IceBurn3000 · #**134** 05-18-2006, 03:42 AM

Quote:

Originally Posted by Chroder

This is true. I think maybe we should create some sort of "verified" system. When we upload attachments, they are marked as unverified (but still downloadable). Then maybe have a team that goes around and checks newly uploaded or updated attachments for unsafe code. Once it's passed the check, display a "verified" badge on the attachment.

That sounds like an excellent idea!

akanevsky · #**135** 05-18-2006, 09:27 AM

Quote:

Originally Posted by Chroder

This is true. I think maybe we should create some sort of "verified" system. When we upload attachments, they are marked as unverified (but still downloadable). Then maybe have a team that goes around and checks newly uploaded or updated attachments for unsafe code. Once it's passed the check, display a "verified" badge on the attachment.

Ironically, this is the idea I put forth quite some time ago... Unfortunately, it was not accepted.

Maybe now is the time to rethink.

Marco van Herwaarden · #**136** 05-18-2006, 09:35 AM

It is a very good idea.

But it also has been suggested (members and within Staff) many times before, and it was in some way even implemented once (not as far as really putting verified or not).

It always failed because there are no volunteers that want to go through all the submitted code (and every time an update is done). This is not only a huge task, but what if you verify a source, and later to find out you missed some nasty code somewhere, are you/we liable?

There are many aspects to this, but maybe it is the right time now to give it another try.

Smiry Kin's · #**137** 05-19-2006, 04:20 PM

Quote:

Originally Posted by MarcoH64

At this time Staff has not decided yet if we will name the Hacks/Authors involved in public. Like mentioned before the found issues don't cause any real harm to the users, if it would have harmed users, we would already have disclosed it probably.

Coders are always free to inform the users in their hack threads, but then it wouldn't be hidden functionality anymore

i think we have a right to know.. for our own security..

noppid · #**138** 05-19-2006, 04:46 PM

Quote:

Originally Posted by amykhar

Paul, I disagree on the gloom and doom thing. The user that ticked me off the most in this whole issue is just the type to use that 'harmless' little link to do some more nefarious things. The policy had to be broad enough to stop these kinds of things in their tracks.

I still think this was handled very politely by staff. No fingers were pointed, no names were named. The new rule was spelled out and time was given to comply.

So is that to say if there is a bug in the vBulletin software the public announcement should be, there is a bug or backdoor in the software. We are not going to say which verision, but don't worry, we are counting on hackers to be good?

Not agreeing with Paul on this one is absurd. The hacks in question should have been used to mass notifiy the hack users. That cloak and dagger announcement was completely irresponsible. That's why it's imperitive to click install. The staff should be using these resources. This could have been handled much better with tools that already exist.

Ohiosweetheart · #**139** 05-19-2006, 05:06 PM

Quote:

Originally Posted by Chroder

This is true. I think maybe we should create some sort of "verified" system. When we upload attachments, they are marked as unverified (but still downloadable). Then maybe have a team that goes around and checks newly uploaded or updated attachments for unsafe code. Once it's passed the check, display a "verified" badge on the attachment.

that's what they do at phpbb.com. They, of course, also have the hacks database. Sad to say they are way ahead of vB.

Quote:

Originally Posted by Psionic Vision

Ironically, this is the idea I put forth quite some time ago... Unfortunately, it was not accepted.

Maybe now is the time to rethink.

if you suggested this and it was denied, then they need to look again. As I said, phpbb.com has had this system implemented for quite some time now, as well as a hack database. Being a free software, it's a shame that they are so far ahead of vB in that regard.

amykhar · #**140** 05-19-2006, 05:27 PM

Quote:

Originally Posted by noppid

So is that to say if there is a bug in the vBulletin software the public announcement should be, there is a bug or backdoor in the software. We are not going to say which verision, but don't worry, we are counting on hackers to be good?

Not agreeing with Paul on this one is absurd. The hacks in question should have been used to mass notifiy the hack users. That cloak and dagger announcement was completely irresponsible. That's why it's imperitive to click install. The staff should be using these resources. This could have been handled much better with tools that already exist.

Noppid, there is a procedure in place to deal with security problems in a mod. So, the existing system would be used in that case.

This was a case of some mod authors using code that is in poor taste but was not technically against the rules. The rules have now been updated and I'm sure the mods will follow through and update users and remove the offending code after the deadline.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04311 seconds Memory Usage 2,268KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (8)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (4)pagenav_pagelink (1)pagenav_pagelinkrel (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!