#131
07-27-2007, 12:03 AM
quiklink
Join Date: Jun 2007
Posts: 81

Quote (Originally Posted by hambil):
ARGGGGH! I've given several, and more than once. You may not agree with them, but to call them unprofessional is, well, unprofessional. I will repeat myself, yet again.

1) Notification of a security flaw before a fix is available can actually help inform those who wish to do harm. This is why vBulletin.org has already changed the wording of the notification sent to be generic, instead of specifically stating the security flaw (as they did when I first got involved in this conversation). Why would they make such a change unless there was a danger inherent in the proliferation of knowledge about security flaws? They wouldn't, period. So, you may disagree with me on the details of this, but to call the idea that spreading information of security vulnerabilities carelessly is not dangerous unprofessional is, well... unprofessional.
Not if the details of the flaw are not disclosed. And by not doing so you leave the user at risk rather than giving them an opportunity to remove the risk. And we are not discussing the change to the wording of the text. Neither of us has taken issue with that. We have voiced disagreement with your assertion that the best thing to do is to not inform the user until after a fix is available. And no, there is nothing professional in that. It's nothing but self-serving.

Quote:
This is a seriously debatable topic, being dealt with by the top people in our field, and hardly a black and white issue. You do great injustice and potential harm to the very users you seem to think you are protecting by not giving the discussion the weight it is due.
It is you who are dismissing this discussion and the risk of leaving the user vulnerable.

Quote:
I could list several more reasons, and have already, but that one alone should be enough to show the subject is debatable - at least to anyone who is still being rational.
No, it just shows a callous indifference to the security of those using the mods.

Quote:
@quiklink: slander, libel, either way it is wrong, and people on this board have been reprimanded for it before. I have not notified any staff or asked for their involvement, yet, because I am hoping you are mature enough to see the light on your own.
And yet I have committed neither slander nor libel. Feel free to report any of my posts. I doubt I'll have any problems.
#132
07-27-2007, 12:09 AM
Kirk Y
Join Date: Apr 2005
Location: Tallahassee, Florida
Posts: 2,604

Quote (Originally Posted by hambil):
It's nice that a decision has been made, but productive debate should never be considered pointless. And, as seen many times already, nothing is written in stone. Ending a debate and declaring it over before it's run its course doesn't really work in the long run, because decisions then get reversed, or worse - the staff is forced to irrationally hold to a position because they stated strongly "we won't change".
That decision has been made. But, by all means, feel free to continue.
#133
07-27-2007, 12:11 AM
hambil
Join Date: Jun 2004
Location: Seattle
Posts: 1,719

Quote (Originally Posted by Kirk Y):
The decision has been made. But, by all means, feel free to continue.
Thank you.

In addition, many more things are being discussed in this thread other than just to delay or not delay. That decision may be made for now, but we all seem to agree the process in general needs work, and probably will continue to need work and improvement. Discussion is good for that.
#134
07-27-2007, 12:15 AM
Kirk Y
Join Date: Apr 2005
Location: Tallahassee, Florida
Posts: 2,604

I agree. It just seems that several people keep going back to whether or not users should be immediately notified when an exploit is discovered; I just wanted to make it clear that a decision on the matter was made, and it would therefore be better if they moved on to the other issues at hand.
#135
07-27-2007, 06:10 AM
MaryTheG(r)eek
Join Date: Sep 2006
Location: Greece
Posts: 1,340

Quote (Originally Posted by Kirk Y):
In any event, I suggest you focus more on coding according to vBulletin's standards instead of attempting to analyze someone based solely on the contents of their profile.
Your reply confirmed my opinion:
1. First of all, I nowhere wrote that you're not a good coder, or that you don't have knowledge. What I wrote (in my other posts too) is that you don't have the experience to see deeply into a situation.
2. As for the photo, even if I believe that a photo is worth 1000 words, it's something where I wasn't the first one to get this opinion. There is a post on my site, from well before my post, where someone has the same opinion. And finally, a profile (anywhere) is for giving a general view of the person.
#136
07-27-2007, 06:57 AM
AScherff
Join Date: May 2007
Location: Frankfurt / Germany
Posts: 33

As a member or user:

I wish to be informed of a vulnerability... please.

And I also wish for a little more information about the vulnerability:

Will it destroy the server?
Will it destroy the database?
Will it destroy vBulletin?
Will it destroy the mod?
Will it ..... ?

Or is there only a theoretical chance that someone can inject or whatever,

without showing the real vulnerability.

So I have a better chance to decide whether to deactivate, uninstall, or close my whole system.

Thanks

Alfred
#137
07-27-2007, 07:41 AM
RedTyger
Join Date: Nov 2006
Location: UK
Posts: 1,310

Quote (Originally Posted by MicroHellas):
Your reply confirmed my opinion:
2. As for the photo, even if I believe that a photo is worth 1000 words, it's something where I wasn't the first one to get this opinion. There is a post on my site, from well before my post, where someone has the same opinion. And finally, a profile (anywhere) is for giving a general view of the person.
O RLY?

This is getting a little childish and unnecessarily personal, not to mention approaching irrelevancy.

Back to the subject at hand: as someone said, there are good reasons to notify before a fix is issued and afterwards, and it's perfectly possible to take a strong and valid stance either way. I don't particularly agree with being subject to stricter standards than vBulletin themselves (or at least I think those who have marked their modifications as supported could be given an immediate opportunity to do so), but that's OK. It's not unreasonable.

I think the most obvious change that could be made is allowing the modification authors (only) to post in the graveyard thread, which is a simple default switch to be flicked. They can then provide whatever information necessary if they so wish. If they don't, no problem.
#138
07-27-2007, 08:05 AM
MaryTheG(r)eek
Join Date: Sep 2006
Location: Greece
Posts: 1,340

Well, this is most probably for the Coders' Forum, but as I rejected that title, I'm posting it here as it's relevant to this thread.

Everything is OK, most posts are logical, but it seems that we all forgot something. That part about "Reported by a Member". And I'm wondering:

"Does an average member have the knowledge to check a mod for security risks? In my opinion, checking for security risks is much more difficult than programming. So, the reporter is not the average end user who downloads the mod for his own use, but is a coder who downloads it for... what really?"

I thought about it, seeing where my security risk was for vbDigiShop. It was in the file which handles the post back from the payment gateway. So someone gave special attention to that file for one of the following reasons:
  1. To make changes so my mod would work with PayPal. By doing this he/she was breaking my copyright, which clearly stated that developing payment to work with PayPal is prohibited even if it was for his/her own use. I gave a full script to the public for free by deactivating only the PayPal payments.
  2. To get the code for use somewhere else. Something which also breaks my copyright.
And now the critical question: "Do the Moderators plan to give me the details of a person who broke my copyright rules?"
#139
07-27-2007, 08:20 AM
Marco van Herwaarden
Join Date: Jul 2004
Posts: 25,415

Maria,

Please calm down now.

Quote:
"Has an average member the knowledge to check a mod for bugs? In my opinion checking for bugs it's much more difficult than programming. So, the reporter is not the average enduser who downloads the mod for his own use, but is a coder who download it for ....what really?"
I never used the word "average".
A coder is also a regular member on this forum, as opposed to a staff member.

Why the focus on who reported it? How does this knowledge help you or the users?

In my view it is a non-issue who was the person that reported a vulnerability, all that counts is that someone found a possible vulnerability and took the time (luckily) to bring it under the attention of us so we can take actions to get things resolved. The result is all that counts. You (and the users of your work) should be glad that someone took the time.

Quote:
I thought about it, seeing where my security risk was for vbDigiShop. It was in the file which handles the post back from the payment gateway. So someone gave special attention to that file for one of the following reasons:
  1. To make changes so my mod would work with PayPal. By doing this he/she was breaking my copyright, which clearly stated that developing payment to work with PayPal is prohibited even if it was for his/her own use. I gave a full script to the public for free by deactivating only the PayPal payments.
  2. To get the code for use somewhere else. Something which also breaks my copyright.
And now the critical question: "Do the Moderators plan to give me the details of a person who broke my copyright rules?"
To answer your last question first: no we will not give out the name of the person that reported this.

Also, you seem to have been jumping to some conclusions about how this person found the vulnerability and his intentions. I have no proof whatsoever that this person was trying to break your copyright. If you have such proof, please let me know and I will review this.

You seem to forget that we also have members who may be considering installing a modification on their site and have the habit of first checking the code before putting any third-party coding on their website.
#140
07-27-2007, 08:36 AM
Zachery
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440

Quote (Originally Posted by MicroHellas):
Well, this is most probably for the Coders' Forum, but as I rejected that title, I'm posting it here as it's relevant to this thread.

Everything is OK, most posts are logical, but it seems that we all forgot something. That part about "Reported by a Member". And I'm wondering:

"Does an average member have the knowledge to check a mod for security risks? In my opinion, checking for security risks is much more difficult than programming. So, the reporter is not the average end user who downloads the mod for his own use, but is a coder who downloads it for... what really?"

I thought about it, seeing where my security risk was for vbDigiShop. It was in the file which handles the post back from the payment gateway. So someone gave special attention to that file for one of the following reasons:
  1. To make changes so my mod would work with PayPal. By doing this he/she was breaking my copyright, which clearly stated that developing payment to work with PayPal is prohibited even if it was for his/her own use. I gave a full script to the public for free by deactivating only the PayPal payments.
  2. To get the code for use somewhere else. Something which also breaks my copyright.
And now the critical question: "Do the Moderators plan to give me the details of a person who broke my copyright rules?"
How do you figure someone who reviewed your code from our site is breaking copyright laws?
Closed Thread