The Arcive of Official vBulletin Modifications Site.

MaryTheG(r)eek · #**101** 07-26-2007, 08:03 AM

Quote:

Originally Posted by Marco van Herwaarden

I kindly ask you to stop feeding the discussion with such unfounded acquisations.

Unfounded? If you check the vulnerability that he found in vbDigiShop is on the file finishpayment.php which is the procedure that controls 2Checkout return value. Except if you believe that 2Checkout can return an SQL query instead of a "True" or "False".

An experiant Moderator is able to understand that this file is not important. If it was on the main vbdigishop.php as it was for vbarticles.php I can understand it. But in a routine file which has nothing to do with user inputs, I dont believe that is a vulnerability.

Marco van Herwaarden · #**102** 07-26-2007, 08:22 AM

The unfounded relates to your remarks/suggestions that newer staff members are unable to correctly judge a vulnerability report.

I will not go into a public discussion on the details of a specific report, but you are free to contact me in private to discuss if a report is founded or not. Nobody say that we never make a mistake, and if we do i will be glad to help to sort it out.

PS All i will say in public on this, is that i just personally checked on the report and other then what you claim the file contains a serious vulnerability.

Clayton · #**103** 07-26-2007, 08:34 AM

One of the most important things that we should focus upon with this thread is that progress has been made and that the end product is that both the user and author will benefit by the changes

This is good

Well done to all

:up:

Andreas · #**104** 07-26-2007, 08:39 AM

Quote:

Originally Posted by MicroHellas

Except if you believe that 2Checkout can return an SQL query instead of a "True" or "False".

Although it is unlikely to happen willingly, it might happen accidently.

Quote:

But in a routine file which has nothing to do with user inputs, I dont believe that is a vulnerability.

Do you think an attacker really cares which file he must acess to break into the system?
I doubt that. The important point is: Would it be potentially possible that the input contains anything other than the expected values?
If so, this must be handeled correctly, even if it would normally only be accessed by automatic processes.

Never ever trust user input!

MaryTheG(r)eek · #**105** 07-26-2007, 09:57 AM

Quote:

Originally Posted by Andreas

Do you think an attacker really cares which file he must acess to break into the system?

There is some files not accessible by the users. In any case, I'm going off the discussion, I'm not coder any more, so this thread is not for me.

@Marco
Thank you for spending your time to check the file. I'll appreciate if you PM your remarks and I'll correct them asap as I did yesterday.

Maria

Marco van Herwaarden · #**106** 07-26-2007, 10:13 AM

Quote:

Originally Posted by MicroHellas

@Marco
Thank you for spending your time to check the file. I'll appreciate if you PM your remarks and I'll correct them asap as I did yesterday.

PM sent.

Paul M · #**107** 07-26-2007, 12:16 PM

Quote:

Originally Posted by MicroHellas

Further more I believe that all new mods must be check by Moderators before going to public.

I think I can safely say this will not happen in the forseeable future.

Quote:

Originally Posted by MicroHellas

but when I seen the moderator's profile, I understood many things just by seeing his photo. By the way (this is for Cordinators and Administrator), don't you think that Moderators (in other words staff) must be more carefull on choosing their photo?

Sorry but this is just totally irrelevant. A moderators picture has nothing to do with their coding knowledge, or their function on vbulletin.org.

#**108** 07-26-2007, 12:20 PM

Quote:

Originally Posted by Paul M

I think I can safely say this will not happen in the forseeable future.

Actually Paul, i would suggest that you never use that kind of sentence again... with the late events regarding "not happening changes" that came to be happening, i would suggest that all suggestions are taken into consideration, but not refused publically like that...

Marco van Herwaarden · #**109** 07-26-2007, 12:34 PM

Not sure if that is such a good advice nexialys.

We can only respond with the knowledge and plans we have at the time of the reply. The best thing is to be honest, and reply that it is very unlikely or even that it will not happen in the forseeable future.

We received many complaints that we do not respond to suggestions, and now you are asking not to respond at all in public if the answer is No? That seems to be a contradiction.

#**110** 07-26-2007, 12:43 PM

it is not contradiction... Paul told us at least 4 or 5 times this week that the suggestion would never come executed... and you just posted a new thread for suggestion about our point of view - in the coders thread.... THAT is in contradiction with what Paul said to all last week...

and my suggestion is about refusing directly without anyother advice... not refusing generally.. you can refuse some suggestions, but that kind of answer is not very politically correct...

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04420 seconds Memory Usage 2,257KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (8)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (4)pagenav_pagelink (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (8)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!