The Arcive of Official vBulletin Modifications Site.

Chris M · #11 07-01-2007, 11:53 AM

Alright guys, can we keep to the topic please

Chris

Paul M · #12 07-01-2007, 12:51 PM

There is a big difference between commercial sites and here - your proposal relies on the author actually fixing it - experience shows that this is rarely the case for free modifications released here (take vbplaza, that's still not fixed, months after the holes were found and notified to the author).

We have to have a policy that suits the majority of cases here, and the one we currently have serves that purpose - and while it may not have been ideal for your case, your's is, I'm afraid, an exception, not the rule - the last few have either not been fixed, taken a while to get fixed, or in a couple of cases a staff member has eventually fixed them.

However, we will review what we do to see if it can be tweaked to suit cases where the author is known to be still active.

Of course, it won't make any difference to you since you decided to take all your mods away anyway.

hambil · #13 07-01-2007, 02:03 PM

Quote:

Originally Posted by Paul M

Of course, it won't make any difference to you since you decided to take all your mods away anyway.

If fairness, if I'm not allowed to say why I did the above, you should not be allowed to use it against me.

Quote:

Originally Posted by Paul M

There is a big difference between commercial sites and here - your proposal relies on the author actually fixing it - experience shows that this is rarely the case for free modifications released here (take vbplaza, that's still not fixed, months after the holes were found and notified to the author).

This is, perhaps, the crux of the current misunderstanding. I remember vbShout going unfixed forever, until Brad had to fix it. I remember other hacks that had similar issues. That is why I know what the policy used to be - notify the author asking them to change it, and only if they were unresponsive for a fair amount of time would the mod be disabled or, fixed by staff if a staff member was willing.

For such a dramatic change in policy to take place, and for an active hack author to not even know about it, is a serious flaw in the conduct of business - regardless of what you say about the rules being posted.

How about a show of 'virtual hands' for coders who had no idea a policy change had been implemented? I'm sure I'm not alone.

That aside, I still think it's a flawed policy. The email that went out to all the users stated:
This modification contains a MySQL injection vulnerability

It was also put into the thread itself in nice large red letters:
This modification contains a MySQL injection vulnerability

This puts every user of the hack at risk. It also creates a nice little searchable database for anyone who might want to start hacking VB sites. It's an all around bad idea.

smacklan · #14 07-01-2007, 06:19 PM

Quote:

Originally Posted by hambil

This puts every user of the hack at risk. It also creates a nice little searchable database for anyone who might want to start hacking VB sites. It's an all around bad idea.

Which is a good reason not to use third party hacks, imho. Learn to code, take care of your own board is what I say. Whilst I appreciate the willingness to share, I think there are too many strings attached that I'm not willing to "be strung up by" for lack of a better description. I also think there are waayyy too many over-inflated ego's on this site (nothing personal towards anyone) and it really does look petty to most.

/speech

hambil · #15 07-01-2007, 06:34 PM

Quote:

Originally Posted by smacklan

Which is a good reason not to use third party hacks, imho.

The official vBulletin Modification site is a strange place to be hanging out, then.

Dream · #16 07-01-2007, 06:38 PM

He or she is here for the styles I think, from her signature.

/me has an inflated ego

Logikos · #17 07-01-2007, 06:49 PM

At vBhackers, we have a system in place that staff use. If a hack has either been a complete rip of someone elses work (usually stolen from here) or contains a security vulnerability, then staff simply put the hack into a "investigation mode". This then places the thread in a moderation queue, a pm is sent to the author and a new thread is created in the staff section to inform other staff members, this is all automatic.

Maybe the vb.org staff can come up with a similar system to handle these problems.

hambil · #18 07-01-2007, 07:29 PM

Quote:

Originally Posted by Dream

He or she is here for the styles I think, from her signature.

With the amount of changes many of these skins make, I see little difference. In fact, I've had more bugs introduced from skins than mods. But, too each their own

smacklan · #19 07-01-2007, 08:12 PM

Quote:

Originally Posted by hambil

The official vBulletin Modification site is a strange place to be hanging out, then.

I'm here for many reasons that have nothing to do with mods...as are many others

Quote:

Originally Posted by hambil

I've had more bugs introduced from skins than mods.

Have you ever heard of a security hole being introduced from a skin?

EnIgMa1234 · #20 07-01-2007, 08:54 PM

The policy has two sides

If a security hole is found, it is up to users to uninstall the hack. It is also a good idea to not let it be downloaded and for a warning to be put up.

But then letting the author know before hand is also good. If they're not active, take it down

Thats just my opinion

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.07611 seconds Memory Usage 2,264KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (7)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (3)pagenav_pagelink (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!