#11
06-17-2005, 03:53 AM
Erwin

Quote:
Originally Posted by Paul M
Oh well, it just seems that you are committing yourselves to removing a hack, and someone spending time on fixing someone else's bug(s), when the author would be quite willing, but was simply away for a few days. Two weeks just seems a more reasonable time.
In 7 days, if there is no response, we will remove the files to the hack - in 7 days a LOT of people may have installed a hack with a security hole. The author can fix it after that and we can always put the files back.
#12
06-17-2005, 04:28 AM
Reeve of shinra

I think this is a double-edged sword. I kind of agree with everything here, but at the same time I think the nature of the vulnerability should be made known to the people that have installed it at least. Perhaps some of them can patch it.

The better question is what if it's not a serious vulnerability, or if it's an issue that would only affect a specific yet minor group? Like say people running the hack on IIS would be vulnerable but on Apache it wouldn't, or something.

? Like say for instance it only affects a
#13
06-17-2005, 06:23 AM
Revan

Quote:
Originally Posted by Reeve of shinra
I think this is a double-edged sword. I kind of agree with everything here, but at the same time I think the nature of the vulnerability should be made known to the people that have installed it at least.
It is possible to say "This hack has been removed due to a SQL Injection Vulnerability" instead of saying "This hack has been removed due to a SQL Injection Vulnerability in clancp.php?do=join, where a malformed input (such as [example]) would allow a user to show/modify anything from the database".

I applaud this, and just hope I have managed to fix all holes so this never happens to me XD
#14
06-17-2005, 06:25 AM
Marco van Herwaarden

The kind of information on the risk that we give will be based on the kind of vulnerability.
#15
06-18-2005, 06:28 AM
Erwin

Quote:
Originally Posted by Reeve of shinra
I think this is a double-edged sword. I kind of agree with everything here, but at the same time I think the nature of the vulnerability should be made known to the people that have installed it at least. Perhaps some of them can patch it.

The better question is what if it's not a serious vulnerability, or if it's an issue that would only affect a specific yet minor group? Like say people running the hack on IIS would be vulnerable but on Apache it wouldn't, or something.

? Like say for instance it only affects a
We will decide what to tell the users who installed it. You can appreciate the fact that some people may click install but have not installed it, just to keep updates of when a vulnerability is found, and then, if they know what it is, to take advantage of it.

Members who we trust who contact us may be given full information though. It's a case-by-case thing; we can't make rules for every case, but we can make general protocols.
#16
06-18-2005, 07:08 AM
Azhrialilu

Speaking as someone who did have a hack installed on a forum which did have a vulnerability which gave people access to the admincp (obviously keeping this vague because I don't want to upset the person who wrote the hack), I applaud this idea!
#17
06-19-2005, 07:02 PM
Reeve of shinra

Quote:
We then proceed to inform all members who have installed the hack.
If it comes to this step, can this be announced by the staff using the update announcer?

I didn't even notice the journal issue until I was reading through the thread just now.
#18
06-19-2005, 09:48 PM
Erwin

Quote:
Originally Posted by Reeve of shinra
If it comes to this step, can this be announced by the staff using the update announcer?

I didn't even notice the journal issue until I was reading through the thread just now.
Yes, that is how we will do it. Which makes the "Installed" button even more important.
#19
06-20-2005, 03:29 AM
ManagerJosh

What about exceptions, Erwin, like when another party other than the original author(s) steps in and provides a decent patch or fix to the problem?
#20
06-20-2005, 04:30 AM
Erwin

Quote:
Originally Posted by ManagerJosh
What about exceptions, Erwin, like when another party other than the original author(s) steps in and provides a decent patch or fix to the problem?
That is allowed and even encouraged.