  #11  
Old 07-24-2007, 08:02 AM
Clayton
 
Join Date: Nov 2004
Posts: 216

Quote: Originally Posted by Marco van Herwaarden
if a vulnerability is found our primary goal is to protect the members.
and for this we are absolutely appreciative

what led to my concern was the timing and the amount of hacks which have been found to be vulnerable only now

I am sure you can see concerns by users of these forums?
  #12  
Old 07-24-2007, 08:05 AM
Zachery
 
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440

I can't?

Maybe there is a surge of bored coders?
Maybe coding practices by coders are getting worse?
Maybe there are more people using the modifications who are finding said issues?
  #13  
Old 07-24-2007, 08:09 AM
Marco van Herwaarden
 
Join Date: Jul 2004
Posts: 25,415

Quote: Originally Posted by Clayton
what led to my concern was the timing and the amount of hacks which have been found to be vulnerable only now

I am sure you can see concerns by users of these forums?
I already replied to that. There has been a sudden increase in modifications being reported by members lately, and we do nothing more than follow up on these reports.
  #14  
Old 07-24-2007, 08:11 AM
Clayton
 
Join Date: Nov 2004
Posts: 216

OK, here is an example of one:

VBGooglemap Member Edition

Released: 06. Aug 2006 Last Update: 16. Sep 2006 Installs: 522

Not Supported DB Changes Uses Plugins Template changes Additional files

--------------------------------------------------

Yesterday, 23rd July, we received an email to uninstall.

This Modification is no longer available or supported.
This thread is in the Modification Graveyard and is available for information purposes only.


the above is now placed on the thread ..

10 months after 522 installs we now have a vulnerability

there are further examples

I have tried to contact the author of the hack and await a reply

as mentioned it is the timing of things

surely we would not like vB.com now to offer these add ons in the very near future?

  #15  
Old 07-24-2007, 08:12 AM
hambil
 
Join Date: Jun 2004
Location: Seattle
Posts: 1,719

Quote: Originally Posted by Zachery
I can't?

Maybe there is a surge of bored coders?
Maybe coding practices by coders are getting worse?
Maybe there are more people using the modifications who are finding said issues?
The first hack I ever wrote, sat here for three years with a security vulnerability in it. It had 50 - 60 installs. It was only reported very recently. I don't think coding practices have changed, or anyone is getting lazy. I think more vulnerabilities are being found is all. Who is finding them is unclear, but it's a good thing, so who cares?

BTW: To staff - thank you for listening and changing the procedure to not announce the nature of the vulnerability other than to the author.
  #16  
Old 07-24-2007, 08:22 AM
Clayton
 
Join Date: Nov 2004
Posts: 216

Quote: Originally Posted by hambil
BTW: To staff - thank you for listening and changing the procedure to not announce the nature of the vulnerability other than to the author.
this is excellent, however are the authors of the hacks being notified via email as well, please?

my major concern is about the solution to the vulnerability

that is my bottom line
  #17  
Old 07-24-2007, 08:24 AM
Zachery
 
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440

I was just coming up with two random suggestions and one logical one.

Way back in the day lots of highly skilled coders lived and shared their work here, sadly lots of them found something that took them away. Now we've been in a cycle of rebuilding year after year.

If anyone makes a living through vBulletin.org or through people's hacks, it's my belief that they should be able to take a look at a modification's code and make sure it is safe. Though this rarely happens anymore, a lot more things might get fixed this way.
  #18  
Old 07-24-2007, 08:24 AM
hambil
 
Join Date: Jun 2004
Location: Seattle
Posts: 1,719

Quote: Originally Posted by Clayton
this is excellent, however are the authors of the hacks being notified via email as well, please?

my major concern is about the solution to the vulnerability

that is my bottom line
I guess it depends on their PM settings. I get an email every time I get a PM, so in my case, yes. Er, if I had any releases
  #19  
Old 07-24-2007, 08:31 AM
Clayton
 
Join Date: Nov 2004
Posts: 216

@ hambil pml


Zach, there are only so many hours in the day.

one day we will get there
  #20  
Old 07-24-2007, 08:33 AM
MaryTheG(r)eek
 
Join Date: Sep 2006
Location: Greece
Posts: 1,340

Quote: Originally Posted by Marco van Herwaarden
@MicroHellas
2. With our current procedures we will inform both the users that have installed a modification and the author at the same time if the vulnerability found is serious. The reason members are notified by email and the author by PM is merely using the tools we have available. The author is also informed of the details of the vulnerability found. We have no way of knowing if an author will read his email faster than a PM, and he/she could have email notifications of a PM. Also the author could have disabled email as a contact method, so the best way to contact them (that will always work) is by PM.
I just re-read your Mod Vulnerability Guidelines located at:
https://vborg.vbsupport.ru/info.php?do=security
and the order it specifies wasn't followed. You can check the timestamps of the emails and PMs. First the users were informed, and then the author.

In any case, I don't have the power to argue anymore. By signing up here I accepted the rules, so there is no reason to talk. The only thing I want to say is that the same Mod Vulnerability Guidelines say that you have the right to provide a fix (&4) and then to put it back to public (&5). You can do &4 for all users who've installed it already, but please, I don't want to have it back in public.

Thank you.