  #41  
Old 05-15-2006, 03:04 PM
peterska2
Join Date: Oct 2003
Location: Manchester, UK
Posts: 6,504

Quote:
Originally Posted by MarcoH64
Most of our members are using vBulletin to provide a forum on their website(s). What are the reasons people have chosen vBulletin over other similar solutions? There can be many answers to this, but I think there is one that will be on everyone's list: Trust.

You have bought software from a company that you trust, you are confident that they will provide you with quality software, with no known security issues. If a security issue is found, you're confident that it will be addressed as soon as possible. Knowing this you can concentrate on your community, instead of being worried about security issues.

As your community grows you will find that you have needs for non-standard functionality, or just extras that will put your community ahead of your competition. Now here vBulletin.org comes into the picture.

Where the vBulletin software itself is created, maintained and supported by 'professionals', the vBulletin.org community relies solely on volunteer coders. This gives enthusiast coders the opportunity to contribute to the community and enhance the vBulletin product, making the life of running your own community easier.

Where the coders on vBulletin.org might give you professional solutions, they are on some level anonymous; it is not a company that has much to lose in case of a broken trust relationship. They will offer you software solutions, often free of charge, for your board that you might install without ever seeing (all) of the code that is getting installed on your server. This is even more true with vBulletin 3.5, where most modifications are done by simply installing a product file, instead of manually doing code changes.

Now where is this post going? You probably install numerous modifications on your board, provided by different coders. By installing software, you give total control of your board into the hands of these 'anonymous' coders. This requires a high level of trust towards them.

Where common sense, reading other users' responses and testing on a test board can prevent you from disasters caused by coding errors (hey, we are all human) or differences in the environment, there is another vulnerability that you cannot so easily protect yourself against: hidden functionality in the installed modification.

Hidden functions that are not documented and/or disclosed by the author can lead to a lot of things; I will try to sum up a few that are possible, some 'innocent', some with possible severe consequences. Some possible examples:
- A backdoor into your AdminCP
- Mailing admin passwords to the author's account.
- Call-home functions
- Usage tracking
- Disruption of service or data
- Any other technique that is used in spyware/malware type software.

The stance of vBulletin.org Staff is that our members should be able to completely trust the solutions offered here, as much as possible. This means that we will not tolerate any form of hidden functionality, since that is the only way we can keep the trust of the members using these solutions.

The reason for this thread is that, to our own shame, we recently received reports that there are coders who do incorporate hidden functionality in their modifications. Luckily the type of hidden functions could be considered relatively harmless, but we will nevertheless not tolerate this. I would like to emphasize that this did not send any security or privacy related information, nor did it in any way break the security of your site.

The discovered hidden functionality was aimed at a backdoor in the services of vBulletin.org itself, and has by now been closed. The effect of this functionality will be corrected by us soon. There have been no negative effects on the boards that are using any of these modifications.

From the time of this post on we will take the following actions upon discovery of such modifications:
- All users who have clicked Install for this modification will be notified about the issue.
- The offending modification will be withdrawn immediately.
- Depending on the severity, all modifications submitted by this author could be withdrawn immediately, and the user account of the author could be closed.
- Admin will contact the author by mail to inform him/her and hear his/her side of the story.

The vBulletin.org team wants to apologize for any breach of trust this has caused. We hope that our members will be confident that we are addressing these issues seriously and as well as we can, and that you can continue to have a trust relationship with the authors that offer solutions here at vBulletin.org.

vBulletin.org Team
I totally support the decisions to immediately remove all offending modifications, all modifications from the offending authors, and to ban the offending authors.

IMO, there is no reason why anyone should be doing anything untoward with their modifications. There are no excuses. Most coders release their code according to the guidelines, but yet again it is a select few who spoil it for the rest of us.

When one coder does something untoward, it reflects badly on every single coder here at vB.org. Yes, we could all include additional code in our modifications, but that would then make the problem even worse. As it stands, the problem is bad enough to warrant this announcement and proposed action.

For those who have installed modifications, be it on their test boards or live boards, I strongly encourage you to be proactive and to take notice of the code of your modifications. I understand that the majority do not know how to read PHP code; I am a relative newbie to PHP too and so find this difficult. Still, have a look at it if you can; most files open in an Internet Explorer window for review. You might be surprised at what you learn.

Again, to emphasise my stance on this:
  • All offending coders MUST be banned;
  • All offending modifications MUST be removed immediately;
  • All modifications from offending coders, regardless of vB version, MUST be removed;
  • There must be no exceptions to this. There are no excuses.
This does sound harsh, I will admit, but there are the long-term implications of this on the rest of the coding community, and the trust factor for the members, to be considered.

No action means nothing. Strong and severe action must be taken.
  #42  
Old 05-15-2006, 03:05 PM
Floris
Join Date: Jan 2002
Posts: 1,898

@ LiveWire:
Quote:
It's completely harmless..
This is not what's being disputed, indeed.

This is basically a plugin inside a plugin, creating undocumented and hidden functionality. Not what people expect when they download something.
  #43  
Old 05-15-2006, 03:09 PM
Logikos
Join Date: Jan 2003
Posts: 2,924

@peterska2
You should read more into this before you start suggesting that accounts be removed and banned. All this hack did was LOOK FOR AN IMAGE URL! The image URL it looked for was the install and uninstall link. A user should not be banned for such an attempt. vBulletin.org has NEVER ONCE stated this was not allowed.

peterska2's post is the EXACT reason why I stated this...
Quote:
Originally Posted by LiveWire
It's completely harmless and in no way, shape or form does this create a security issue for users installing these hacks. You should make that completely clear to the users, as your main post seems to direct users that there are flaws in hacks here.
You push users into thinking in a completely different way and discriminate against any coder's status.
  #44  
Old 05-15-2006, 03:15 PM
peterska2
Join Date: Oct 2003
Location: Manchester, UK
Posts: 6,504

@ LiveWire

How far into this do you want me to read? Don't go shooting off at me for having an opinion. I have read very far into this already, and fully support the staff on this.

Does that make me unpopular? Probably.
Do I care? No.

ALL code added to modifications that is not actually required for the modification is a potential security risk.

This should not be permitted and should be dealt with severely, as it is a complete breach of trust, which is the whole issue, and the basis on which vB.org runs.
  #45  
Old 05-15-2006, 03:17 PM
Paul M
Join Date: Sep 2004
Location: Nottingham, UK
Posts: 23,748

Quote:
Originally Posted by Floris
This is basically a plugin inside a plugin, creating undocumented and hidden functionality. Not what people expect when they download something.
In which case I think I will rest easy, as this clearly does not refer to anything of mine.
  #46  
Old 05-15-2006, 03:21 PM
Logikos
Join Date: Jan 2003
Posts: 2,924

This whole thing is about modifications having a function that looks for an install link. This is not basically a plugin inside a plugin. You should make this clear, as you're making users think otherwise.

@peterska2
Then you shouldn't use vBulletin as your forum product. As every time you log into your admincp, a call-home function is required.
  #47  
Old 05-15-2006, 03:24 PM
peterska2
Join Date: Oct 2003
Location: Manchester, UK
Posts: 6,504

Quote:
Originally Posted by LiveWire
This whole thing is about modifications having a function that looks for an install link. This is not basically a plugin inside a plugin. You should make this clear, as you're making users think otherwise.

@peterska2
Then you shouldn't use vBulletin as your forum product. As every time you log into your admincp, a call-home function is required.
As previously mentioned in detail by Floris, that is mentioned in part of the licence agreement, which I have agreed to. If I didn't agree to that, I would never have purchased vBulletin.
  #48  
Old 05-15-2006, 03:25 PM
Xenon
Join Date: Oct 2001
Location: Bavaria
Posts: 12,878

May I post here as well?

First of all: no one is being banned here.
The staff has discussed that issue for a long time, since we got informed about the first mods using this.

Ken is absolutely right here that it was not in the rules that a procedure like that isn't allowed. So those mods did NOT break the rules written down here, and therefore obviously no one will be banned.

As the thread title clearly states, it is all about trust, and actually I considered this an unwritten rule before. As a lot of users here cannot code themselves, they won't notice these things, and therefore have been warned with that thread here now.

Actually I think methods like those used here throw a very bad light on the coders who do so, and I didn't really think that someone would do so, so I thought we don't need such a rule, but as experience showed my moral standards were a bit too high here, and therefore we have now made it a rule.
  #49  
Old 05-15-2006, 03:29 PM
sabret00the
Join Date: Jan 2003
Location: London
Posts: 5,268

Is this all down to the vBsoccer RSS hack?

If so, his reasoning is about right; there are no free football RSS score feeds available for a reason, and even if he was to resyndicate the content, it would just seep out to non-vBulletin use and his server would be hammered.

If not, then share the secret?
  #50  
Old 05-15-2006, 03:36 PM
Logikos
Join Date: Jan 2003
Posts: 2,924

From what some of the staff members have told me, this has to do with a certain user creating a function that will automatically click the install link when you upload the product.

PHP Code:
<?php
// Snippet as described in this post: a hidden 1x1 image whose src is the
// vBulletin.org install action, requested by the admin's browser on render.
$hackid  = 123;
$install = 'https://vborg.vbsupport.ru/vborg_miscactions.php?do=installhack&threadid=' . $hackid;
echo '<center><img src="' . $install . '" height="1" width="1" alt="Installing" /></center>';
As you can clearly see, the only thing this does is look for an image that is hosted on vBulletin.org. When I created my vBSighosting hack, I created an install.html document. The images in that document are hosted from vBulletin.com. Does this mean that I am making users prone to security vulnerabilities?
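A check a board owner can run over a downloaded modification before installing it, written here as an added example (not code from the thread, from the coders involved, or from vBulletin.org): it pulls every URL literal out of the PHP or product-file text, reports those pointing at hosts other than the board's own, singles out the vb.org installhack action quoted above, and lists any <img> tag sized 1x1. The allowed-host set and the sample plugin text are constructed for the example.

```python
"""Scan a vBulletin modification's source for hidden outbound beacons.

Added example (not code from the thread). The allowed-host set and the
sample plugin text below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlparse

# Hosts the board owner expects a modification to reference (assumption).
ALLOWED_HOSTS = {"www.example-board.test"}

# Constructed sample plugin resembling the snippet quoted in post #50:
# a 1x1 image whose src is the vb.org install action, plus a harmless image.
SAMPLE_PLUGIN = r"""
$hackid = 123;
$install = 'https://vborg.vbsupport.ru/vborg_miscactions.php?do=installhack&threadid=' . $hackid;
echo '<center><img src="' . $install . '" height="1" width="1" alt="Installing" /></center>';
echo '<img src="https://www.example-board.test/images/logo.gif" alt="logo" />';
"""

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
IMG_TAG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
# width/height of exactly 1 (quoted or not), but not 10, 100 or 1%.
PIXEL_RE = re.compile(r"""\b(width|height)\s*=\s*["']?1["']?(?![\d%])""", re.IGNORECASE)


def scan_modification(source, allowed_hosts=ALLOWED_HOSTS):
    """Return a report of outbound URLs, vb.org install hits and 1x1 images."""
    report = {"external_urls": [], "install_links": [], "tracking_pixels": []}
    for url in URL_RE.findall(source):
        parsed = urlparse(url)
        if parsed.hostname in allowed_hosts:
            continue  # an expected host: not a call-home candidate
        report["external_urls"].append(url)
        # do=installhack is the vb.org "click Install" action seen in the thread.
        if "installhack" in parse_qs(parsed.query).get("do", []):
            report["install_links"].append(url)
    for tag in IMG_TAG_RE.findall(source):
        if PIXEL_RE.search(tag):  # a 1x1 image exists only to fire a request
            report["tracking_pixels"].append(tag)
    return report


if __name__ == "__main__":
    for kind, hits in scan_modification(SAMPLE_PLUGIN).items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

Run it over each .php and product .xml file in the modification's archive; a clean result is not proof of anything, but any external URL or tracking pixel it lists deserves an explanation from the author before the product is imported.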