  #11  
Old 12-26-2004, 11:24 AM
AN-net
Join Date: Dec 2003
Location: AnimationTalk.com
Posts: 2,367

Not the best idea to release the names of those hacks because then hackers will know which sites they can target.
Reply With Quote
  #12  
Old 12-26-2004, 11:36 AM
T3MEDIA
Join Date: Dec 2004
Posts: 944

Quote:
Originally Posted by Erwin
Add-ons on this site are written by 3rd parties who are not endorsed or supported by Jelsoft in any way - as such Jelsoft offers no guarantees and takes no responsibility for any add-ons or "hacks" that are hosted here. Jelsoft does not offer support for modified or "hacked" forums. You install hacks at your own risk. If you find security holes, take it up with the author of the add-on.
If you don't endorse or support it, why tell people to come here in the first place from vbulletin.com? That answer may work on the simple people on this site but not for me. Besides, I'm just getting my stuff ready.
Reply With Quote
  #13  
Old 12-26-2004, 11:40 AM
T3MEDIA
Join Date: Dec 2004
Posts: 944

Quote:
Originally Posted by AN-net
Not the best idea to release the names of those hacks because then hackers will know which sites they can target.
Whatever. What is wrong with the hacks?
You guys have who clicked install. Tell them.

This site is helpful and a joke at the same time. There should be a standard. Like to submit a hack it has to fall under x things.

Like I am not even a programmer and I know a simple solution. Have a hack installer. This is a standard all-in-one installer. (Think of it like a GameShark.) Now if you want to hack code you do. If you touch code (the installer has in its database) it will warn of a conflict. Then you must code to make it work for all hacks out there.

Do that and boom, no need for users to install them, just click on the installer and it does it itself.

Then vB can watch the hacks and support them. Because the way you're doing it now... you guys are setting yourself up for the fall and you guys don't even know it yet.
Reply With Quote
  #14  
Old 12-26-2004, 01:03 PM
ericgtr
Join Date: Apr 2003
Location: Portland, Oregon
Posts: 1,407

Installers are great but what happens when you have hack 1, hack 2, hack 3, etc. installed utilizing the same files or making additions to the DB? There are so many variables and changes, especially in a heavily modified board that having a script that says "modify if it's only unchanged" would make life really hard.

It would have to be something where every modification was considered into the script and couldn't be released otherwise and it would also need to be managed and updated constantly. So, a large majority of hacks would most likely not make it through, especially the little tweaks and such.

As far as becoming like phpbb and open source, VB really isn't in the same boat. Sure there are probably security leaks but none of it's open to the public, even on this site you must be licensed to be able to view modifications.

Just my .02
Reply With Quote
  #15  
Old 12-26-2004, 01:11 PM
Dean C
Join Date: Jan 2002
Location: England
Posts: 9,071

Quote:
Originally Posted by T3MEDIA
If you don't endorse or support it, why tell people to come here in the first place from vbulletin.com? That answer may work on the simple people on this site but not for me. Besides, I'm just getting my stuff ready.
It's a disclaimer. We cannot possibly legally support or be held responsible for any modifications people make to their software. This site is for people who realise that modifications void their support; it says so in your license agreement. However, we have over 750 vB3 hacks here so far. Although I personally have not gone through and verified the security of every single one, I'd put money on it that there are very few security holes in any of them.

Quote:
Originally Posted by T3MEDIA
Like I am not even a programmer and I know a simple solution. Have a hack installer. This is a standard all-in-one installer. (Think of it like a GameShark.) Now if you want to hack code you do. If you touch code (the installer has in its database) it will warn of a conflict. Then you must code to make it work for all hacks out there.

Do that and boom, no need for users to install them, just click on the installer and it does it itself.
This is near-nigh impossible, and as a programmer you can't see how difficult something like this is. Maybe with the move to OOP in the next vB3 version something like this will become more possible.
Reply With Quote
  #16  
Old 12-26-2004, 03:49 PM
Gio~Logist
Join Date: Jun 2004
Location: San Francisco
Posts: 2,575

Quote:
Originally Posted by TwinsX2Dad

Hacked or not - you've invested under $200, which is peanuts.

I'm sorry but some of us here struggle to get at least 100 in their pocket. Especially when you're 13 with no job. Just as well, my site has over 400 invested in it.
Reply With Quote
  #17  
Old 12-26-2004, 04:27 PM
Rick Sample
Join Date: Apr 2004
Location: Ohio
Posts: 407

Quote:
Originally Posted by aussiev8
This is stupid, 2 hacks (major hacks as well with over 200 installs) I've found to be covered with holes and the simplest of hacking kiddies can exploit. This is a major issue in my opinion, and I think something needs to be done about it, or VB is going to turn into a phpnuke! And I'm sure you guys don't want that.

There is a very very simple solution which I think you overlooked. Everything in the world is hackable, just look at Microsoft for example! I personally don't think any program is 100% secure. When one hole is blocked, another one is open. The world is advancing and things we thought were secure in the past, new hackers with newer technologies are finding more and more holes (that's just how life works). With that said, just don't install any kind of hack and just leave your board completely plain. *not sure why anyone would want that though, it takes all the nice features out* It would be impossible for the vbulletin.org staff to go over each and every single hack.

It's just like a car: you add a poweradder such as a supercharger, it automatically voids your warranty!
Reply With Quote
  #18  
Old 12-26-2004, 11:45 PM
Erwin
Join Date: Jan 2002
Posts: 7,604

Okay, I'm no expert, but from my own observations, a simple tip is to make sure every variable goes through the internal vB check function and does not get passed as a _GET or _POST variable without this check:

For example:

a. globalize($_REQUEST, array(
       'action'   => STR,
       'username' => STR,
       'olduser'  => STR,
       'newuser'  => STR,
       'amount'   => STR,
   ));

OR

b. globalize($_POST, array(
       'action'   => STR,
       'username' => STR,
       'olduser'  => STR,
       'newuser'  => STR,
       'amount'   => STR,
   ));

Instead of

$action = $_GET['action'];

OR

$action = $_POST['action'];

Which is not secure.

A lot of hack authors just use $_GET[variable] or $_POST[variable] in their code, which is much easier to code (I admit I do this too) but this is not secure especially the $_GET/ $_REQUEST variables which are susceptible to SQL injections via the URL directly as anyone can send variables via the command line.

The developers can correct me if I am wrong. I repeat, I'm no expert.



vBulletin.org is an official site which hosts a reservoir of unofficial 3rd-party add-ons as a courtesy to licensed users. I am NOT an employee of Jelsoft, but I can say that Jelsoft is doing this as a favor for the vB admins by hosting this site - they don't have to.
Reply With Quote
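
Added example, not part of the thread and not vBulletin's own code: a sketch of the whitelist-and-cast idea behind the globalize() call in the post above, reusing its field names, followed by the step a type check alone does not cover, which is binding string values as query parameters. clean_input(), the TYPE_* constants, the points table and the request values are hypothetical or constructed; it assumes PHP 7+ with the pdo_sqlite extension.

```php
<?php
// Added illustration: hypothetical helper, not vBulletin's globalize() source.
const TYPE_STR = 1;
const TYPE_INT = 2;

// Import only the declared keys from $source, each cast to its declared type.
// Undeclared keys are dropped; missing or array-valued keys get a typed default.
function clean_input(array $source, array $spec): array
{
    $clean = [];
    foreach ($spec as $key => $type) {
        $raw = $source[$key] ?? null;
        if (is_array($raw)) {            // e.g. amount[]=1 arrives as an array
            $raw = null;
        }
        $clean[$key] = ($type === TYPE_INT) ? (int) $raw : trim((string) $raw);
    }
    return $clean;
}

// Constructed request data standing in for $_REQUEST.
$request = [
    'action'   => 'donate',
    'username' => "O'Brien",             // legitimate value containing a quote
    'amount'   => '25 OR 1=1',           // not a clean number; the INT cast keeps the leading digits
    'isadmin'  => '1',                   // never declared, so never imported
];

$in = clean_input($request, [
    'action'   => TYPE_STR,
    'username' => TYPE_STR,
    'amount'   => TYPE_INT,              // numeric fields are declared as integers
]);

// A string type check does not make a value safe to paste into SQL text,
// so every value is bound as a parameter rather than concatenated.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE points (username TEXT PRIMARY KEY, balance INTEGER)');
$db->exec("INSERT INTO points VALUES ('O''Brien', 100), ('admin', 9999)");

$stmt = $db->prepare(
    'UPDATE points SET balance = balance + :amount WHERE username = :username'
);
$stmt->execute([':amount' => $in['amount'], ':username' => $in['username']]);

var_dump($in);                           // the typed, whitelisted values
var_dump($stmt->rowCount());             // number of rows the bound query touched
```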
  #19  
Old 12-27-2004, 01:30 AM
Michael Morris
Join Date: Nov 2003
Location: Knoxville TN
Posts: 774

I'll go ahead and speak for myself alone on this, but I'd imagine a lot of the folks here fall into this category as well. Not everyone here is that experienced. Every so often I go back and check my old hacks for glitches or holes - and I've considered deleting some of them since they are pretty old. For me at least, tinkering with vBulletin's code has been a learning process - and as I said over on the vbulletin.com site the code has made for an excellent teacher of PHP. I'm very thankful to the Jelsoft team for reigniting my interest in programming which was killed a long while ago by some incompetent teachers and teaching techniques in college.

I follow the coding conventions as best I can and some of my code is no doubt atrocious to expert eyes, but I'm trying to both learn and also share what I've learned.

The only way you can even begin to get hacks that are totally consistent and secure is to go through a certification process which would no doubt shut out amateurs like me.

So, let the hacker beware. I - for myself - try to help as best I can with the stuff I've written, but if you install a hack by a member who has left or doesn't visit often you may be left on your own.
Reply With Quote
  #20  
Old 12-27-2004, 01:43 AM
Infopro
Join Date: May 2003
Location: Pennsylvania
Posts: 267

... and so we'd hope that someone else who is still here to say "hey I found a hole in.... and here's the problem, here's a fix"
Reply With Quote