[Request] Video Directory Quarantine Info

[blind-eddie]

Can someone tell me why the video directory was quarantined?
It is for sure the author will not repair it because he has not been here for almost 2 years.
I for one will have it fixed if I know what's wrong with it., I already invested money to get the youtube api corrected so it could still be used by everyone.

Please pm me as to what is wrong with it. I have been around here long enough not to share that info, I just want to fix it.

Thank you.

Email I received...........
=================================================

Quote:

** DO NOT REPLY TO THIS MESSAGE **

* Quarantine Notification *

The following modification has been 'quarantined' by vBulletin.org.

https://vborg.vbsupport.ru/showthread.php?t=200819

The author of the modification has been informed and asked to address the quarantine reason(s), until this is done the modification will remain in the vbulletin.org graveyard.

If you are currently using this modification then you may wish to consider disabling it.
If the modification consists of a product then disabling the product should be all that is required.
Do not uninstall the product as this may delete any data associated with it. If the modification also included new files then you may remove (or rename) them.

Once the author has responded to the issues you will be notified that it has been restored.

Thank you,

vBulletin.org Staff

==================================================

[TheLastSuperman]

No, we cannot and will not disclose such information. On occasion we will if for example its blatantly obvious but specifically identifying the culprit and disclosing to the masses is not our place or prerogative - in fact its your prerogative as a site owner to disable said modification until you know its secure again, don't place your members at risk on a "maybe".

I'd love to say I could, I like you sir but there's all sorts of low-life trolls that browse this forum daily and would simply run amok with said information and cause a ruckus for some unfortunately by taking advantage of others using info we supply. Furthermore, when you receive an email stating a modification has been moved to quarantine, its meant to be received and interpreted as "serious" and taken to heart as such meaning that if you do not know why then don't ask how later (how you were hacked), disable for now until you find out more with ANY mod that is quarantined, ever! As the saying goes "better safe than sorry".

Edit: Also as a prime example since you mentioned "investing heavily" Eddie and this goes for anyone whose ever done such; If you've made custom changes or paid someone to customize your particular version of a mod, the person who did that work may be qualified to find the security issue and patch now - this is something you must find out and decide if its worth it at said time. We will not however disclose those details and we cannot guarantee nor endorse anyone or any company who does such including but not limited to speaking of paid request - naturally you'll need to do that in private and or use the Paid OR Unpaid request forums here to discuss such. All modifications and information on this site are pretty much "as-is" meaning you need to make a well informed decision before doing anything to your forum... same as your daily routine, such is life. If anyone discloses anything on here it will be Paul, he is the primary Administrator who makes the super-duper-man-a-ma-jig type decisions when it comes down to it so you may PM him and ask.

[JacquiiDesigns]

Ugh. I loathe the policy. Sure - some asshats might find it useful to exploit the info - but don't you think those of us who at least had the modification installed PRIOR to the quarantine should be given some sort of info????

What you've said is this ==> I understand your concern - but you're sh*t out of luck! Good luck hiring someone to chase down the exploit and let you know what it is. We understand that we could tell you something or at least point you in the direction of a fix.. No. We cannot do that for you. You're SOL. Thanks for using vB.org and best of luck though!!

That's non-sensical. I implore you guys to rethink the policy.
Folks like myself and Eddie, who've had the modification installed for years and took the time to click the "Install" link - should be told something. Otherwise = like your insinuated post = We're SOL. And with all due respect - that sux.

J.

[blind-eddie]

Well said Jacquii...

[JacquiiDesigns]

Quote:

Originally Posted by blind-eddie

Well said Jacquii...

Ah thanks. I'm just a loudmouth - thought I'd get on the soapbox for a minute LOL
The complaint has merit though. I've never really quite understood why the shroud of secrecy around quarantined modifications. I think if we are to err - then we should err on the side of helping the community. And the majority of this community are novice hobbiests who like to better their forums. We're not advanced coding gurus who can easily delve into code as to find and fix modification exploits. The current policy should take that into consideration - especially for those of use who do tend to stay tuned to the modifications we install by subscribing to installed mods. What good is a QUARANTINED! stamp on the thread when we have no further information as for what course of action to take. "Uninstall the modification and wait until someone gets back to you ... if indeed anyone ever gets back to you." Is not an appropriate solution. It's cold splash of water in the face. :down: I mean - the quarantined email woke many of us up. But what the hell can we do about it??

The policy needs to be revisited if anyone on vB.org Staff would even care to do so...

J.

[weave]

Well this outright sucks ass....The coder left 3 years ago and now runs on ZenForo....the odds of him fixing whatever you emailed him are about NONE to NEVER.

Now to find out how to remove this without messing up the rest of the forum......and then find some sort of valid replacement.

We need another "legit" coder to take this over and you guys can send him/her the issues and they can fix it and get the community back on their feet. Otherwise, this one is DEAD.

[TheLastSuperman]

The policy does not need attention, in the least. Remember all, I was once once of you, I voiced the same concerns in fact if you search my past posts you'll find me spouting off to Paul and others long ago... it sounded like the same gibberish you typed above no offense but the forcing someone into doing something over being loud, proud, and funny when calling them or the sites policies into question is my JOB Ooooootay? Also - we're both loud Jacqii and nothings wrong with that unless its Movie night . See I'm still being funny while also beating a dead horse, policy won't change but we can surely poke and prod that poor dead horse until the cows come home, pigs fly, or the thread is closed and I'm pretty sure which one will happen first! "How Now Brown Cow"

Edit: Info to those who already downloaded or installed it? What about the 1000x illegal/hacker/download 599 vb4 Mods in this .zip type of sites? Remember that most mods are available illegally and perhaps with tons of injected code or similar in the files so we can't just trust anyone #X-Files.

Now corny humor aside, I feel your pain. I also hate the fact when some coders remove their mods (over spite or similar, while nothing is wrong with the mod at all) and I fix tons of hacked sites... my method is restore the site to how it was 100% then upgrade if required - issue comes into play when the mod is in the graveyard and I can't download to help "fix" their site back to original so if you hate just being sol, then try just being sh**ted on eh? Basically what some have done in the past yet we don't see threads about that and those mods broke the mold for sure, some of them. So we can all have our opinions and justify why something should or should not be done but the rules are the rules, I've argued with Paul before and he politely pointed out many oversights in my logic and they just made sense once I took his point of view into consideration. See my post above, if its within your budget many coders here are qualified to change a few lines of coding to make it secure again - this is why we have an unpaid + paid request area for you to utilize. Furthermore you could open a new thread in vB4 programming discussions and ask for advice or what others might see as a vulnerability.

*Do not forget though, that a coder can fix a mod then contact staff and if we review and confirm its fixed we can add the fixed mod as an attachment to the first post, the liability IF any at all then does not fall on the new coder nor the original author, it would then fall on you the person downloading and using as it would still be use as-is and at your own risk we would simply verify if a security risk is still present or not. Some coders also fix a mod and attach the fixed file to the mods thread so it stays within the thread and does not violate the do not re-release this mod blah blah as its still within the mods thread here - since its quarantined now and not a misc issue i.e. its a security issue the only way to go about it that way would be to contact staff directly and voice interest in fixing said mod so we can work with you then restore the mod with the fixed version in place ready for download.

[blind-eddie]

Ooooootay....

I respect everything you are say but, how would I go about wording a thread in the paid section ask for assistance to fix the video directory addon?

Example:
Hi, I am in need of someone willing to install the video directory addon on their site and wait to be hacked so they can then find out what the exploit was and fix it?

I am at a loss here.
How about this, for a fee, would you fix the exploit after my site gets hacked?

[TheLastSuperman]

Quote:

Originally Posted by blind-eddie

Ooooootay....

I respect everything you are say but, how would I go about wording a thread in the paid section ask for assistance to fix the video directory addon?

Example:
Hi, I am in need of someone willing to install the video directory addon on their site and wait to be hacked so they can then find out what the exploit was and fix it?

I am at a loss here.
How about this, for a fee, would you fix the exploit after my site gets hacked?

Nah just post saying:

Quote:

A recent vulnerability in the Video Directory Remixed mod was discovered however not disclosed. I would like a coder to view the file(s) and ensure everything is updated to be fully secure.

Alternatively you could also say something along the lines of:

Quote:

A recent vulnerability in the Video Directory Remixed mod was discovered however not disclosed. I would like a coder to view the file(s) and ensure everything is updated to be fully secure then I want to share the file with staff so the mod can be restored for all members to enjoy again!

The coder may or may not want to do that, it won't hurt to ask and will surely benefit everyone else or you may not simply want to do that, its your money and your prerogative HOWEVER I would honestly post in unpaid requests or vB4 programming discussion first asking for help - some folks LOVE to be helpful, after all its a nice thing to do!

The coder already knows its not secure, they can be given access to your site OR duplicate your site and test in a dev/test environment if you're fret'n about anything but it should be a non-trivial fix with a little bit of rewriting not much. Point being anyone whose anyone in vBulletin and dealing with modifications of this nature and/or security in general will see the issue right away and know how to fix it, I mean I saw it sure enough - there it was like a snake in the grass named Charlie... HALP! CHARLIE BIT ME!

[weave]

I am very curious what this would cost to fix AND update. If it is reasonable, I might be willing to foot the bill....worst case is the community pools their funds together and gets a legit coder to fix it up and make it current. I do NOT want to rip it off my site but I have disabled it until I know more about why it was quarantiend.

I am not faulting the ORG at all....I just want it fixed and updated so I can enable it on my site again.....