  #1  
Old 29 Aug 2011, 17:13
HenryHank HenryHank is offline
 
Join Date: Jan 2006
Quarantined?

Are there any more details on this and why it was quarantined?

thanks.
  #2  
Old 29 Aug 2011, 17:29
Zachery Zachery is offline
 
Join Date: Jul 2002
Real name: Zachery Woods
We do not release additional details, no sense having the exploit in the wild without a fix.
  #3  
Old 29 Aug 2011, 17:56
souperman souperman is offline
 
Join Date: Mar 2011
If it's quarantined, it's for a reason. You should probably disable this modification on your board for the time being.
  #4  
Old 29 Aug 2011, 18:26
garyb12001 garyb12001 is offline
 
Join Date: Jun 2010
Is the recommendation to disable this mod in effect for all versions of VB? Thanks.
  #5  
Old 29 Aug 2011, 21:21
souperman souperman is offline
 
Join Date: Mar 2011
From what I can tell, yes. You should disable it in vb3 and in vb4. You should also remove the actual files from your website (just the php files).
  #6  
Old 29 Aug 2011, 21:38
JacquiiDesigns JacquiiDesigns is offline
 
Join Date: Dec 2008
Location: Tennessee
Real name: Jacquii Cooke
Originally Posted by Zachery View Post
We do not release additional details, no sense having the exploit in the wild without a fix.
Sorry to say - but I find this comment ridiculous....for this modification.

ibProArcade has its own section here at vB.org - it's the most downloaded/installed modification here. This being the case - I'm sure the 8400 people who've at least clicked install would feel more secure about their vBulletin paid-product if given a reasoning behind why such modification is quarantined.

This policy about "we do not release additional details" truly could use a bit of transparency as concerns such popular modification(s) as ibProArcade! Even if said transparency takes shape in a little info-note attached to the automated(?) quarantine email.

Meanwhile -congrats vBulletin.org for continually keeping members in the dark!

I sincerely hope that MrZeroPage offers up a fix for this exploit, and QUICKLY!

J.
__________________
Call For Submissions. Come share your poetry & writing at JPiC Forum.
JPiC Forum For Writers | Celebrating Diversity With The Typed Word
  #7  
Old 29 Aug 2011, 22:03
Hippy Hippy is offline
 
Join Date: Dec 2001
I'm sure they will contact MrZeroPage about this but I'm not sure he has the time anymore
like Zachery said why exploit
  #8  
Old 29 Aug 2011, 23:02
basskiller basskiller is offline
 
Join Date: Jan 2003
Originally Posted by JacquiiCooke View Post
Sorry to say - but I find this comment ridiculous....for this modification.

ibProArcade has its own section here at vB.org - it's the most downloaded/installed modification here. This being the case - I'm sure the 8400 people who've at least clicked install would feel more secure about their vBulletin paid-product if given a reasoning behind why such modification is quarantined.

This policy about "we do not release additional details" truly could use a bit of transparency as concerns such popular modification(s) as ibProArcade! Even if said transparency takes shape in a little info-note attached to the automated(?) quarantine email.

Meanwhile -congrats vBulletin.org for continually keeping members in the dark!

I sincerely hope that MrZeroPage offers up a fix for this exploit, and QUICKLY!

J.
you have to realize that consequences far outweigh the right to know what the problem actually is.
Say he does mention what the exact exploit is.. This could leave possibly thousands of boards out there that maybe haven't received the message about the quarantine, vulnerable to the exploit to many new people that now know what the exploit is. And by people, I mean guys that just want to cause trouble..
so is it better for them not to say and we just disable the mod.. wait for the fix, or let you know and possibly open a bunch of boards up to now a bunch of people that didn't know, but now do ???

the smart move is just disable and wait
  #9  
Old 29 Aug 2011, 23:25
Biker_GA Biker_GA is offline
 
Join Date: Oct 2004
The problem is, we were told there was an "issue". That's it. What kind of issue? Copyright? Security? What?

I get an email saying there's an issue with a modification and it's been quarantined. Yeah. That tells me a whole lot. In truth, it tells me absolutely nothing at all.
  #10  
Old 30 Aug 2011, 00:13
nighteyes nighteyes is offline
 
Join Date: Oct 2001
Originally Posted by Biker_GA View Post
The problem is, we were told there was an "issue". That's it. What kind of issue? Copyright? Security? What?

I get an email saying there's an issue with a modification and it's been quarantined. Yeah. That tells me a whole lot. In truth, it tells me absolutely nothing at all.
Yes exactly. The email notice was useless.

I thought they may have been cryptic because the issue was something different to security this time. I'm pretty sure in the past these quarantine notices have always stated 'for security reasons' and that it's advisable to disable the product until such a time that a fix is provided. I obviously don't expect them to publish details of the flaw(s). But just a couple of simple words would suffice in letting us know there are security risks in allowing the software to remain on our servers.
  #11  
Old 30 Aug 2011, 00:40
JacquiiDesigns JacquiiDesigns is offline
 
Join Date: Dec 2008
Location: Tennessee
Real name: Jacquii Cooke
Originally Posted by basskiller View Post
you have to realize that consequences far outweigh the right to know what the problem actually is.
Say he does mention what the exact exploit is.. This could leave possibly thousands of boards out there that maybe haven't received the message about the quarantine, vulnerable to the exploit to many new people that now know what the exploit is. And by people, I mean guys that just want to cause trouble..
so is it better for them not to say and we just disable the mod.. wait for the fix, or let you know and possibly open a bunch of boards up to now a bunch of people that didn't know, but now do ???

the smart move is just disable and wait
This post is justification for no-info. Your point has not fallen on deaf ears though, likewise I hope mine hasn't.

My point is ==> people now know there's an exploit. You may as well publish the details, so that those of us who can take care of the issue ourselves may do so, instead of having to wait hours, days, weeks, months, never ((hopefully not)) for the modification author to release a fix.

As it is though - I've just received the quarantine email, which for all intents and purposes could have simply been a nice vBulletin-ized photo of a man in red cape flipping the middle finger = no use to anyone. Just a little trivial something that irks our nerves.

We may as well have hoped for a crystal ball in which to read the minds of those who know the exploit particulars....so that we may take action!

J.

--------------- Added 30 Aug 2011 at 00:45 ---------------

in other news ==> now would be as good a time as ever to do a complete site backup LOL... So off I go...
  #12  
Old 30 Aug 2011, 00:46
BirdOPrey5 BirdOPrey5 is offline
 
Join Date: Jun 2008
Real name: Joe D.
The email had suggestions on what you should do, and you should follow the actions suggested.

If you want to call it useless that is your call, but it was pretty specific on what you should do until the issue is resolved.
__________________
-Joe (@BirdOPrey5) Former Moderator. Fighting for a free & independent vb.org.
BirdOPrey5.com - Exclusive VB Mods! (Formerly Qapla.com) | Joe's Ultimate Off Topic
Note - I do not read my PMs often, do not expect quick replies.
  #13  
Old 30 Aug 2011, 01:13
nighteyes nighteyes is offline
 
Join Date: Oct 2001
Previous quarantine email messages that were useful:

The following modification has had an exploit reported in it, and has been 'quarantined' by vBulletin.org.

The author of the modification has been informed and asked to provide a fix, until this fix is provided the modification will remain in the vbulletin.org graveyard.

Today's quarantine email notice:

The following modification has been 'quarantined' by vBulletin.org.

The author of the modification has been informed and asked to address the quarantine reason(s), until this is done the modification will remain in the vbulletin.org graveyard.

Security through obscurity doesn't work. I would argue the language you now think is far more suitable to use is actually going to result in more people shrugging their shoulders and ignoring your notices. And as a result, more vB forums will get hacked.
  #14  
Old 30 Aug 2011, 02:03
Hippy Hippy is offline
 
Join Date: Dec 2001
May of 2010..
there was an update intended but never released
Originally Posted by MrZeropage View Post
this is not unsupported, while v2.7.1+ is to be finished I am trying hard to fix things that came up with vB4 and using its own index.php to direct to portal or forum.
There is no hook in index.php or any other place where right from the start I can implement the needed code, very bad.
I think I need to contact Jelsoft and request a hook there.

I am still irritated that this error does NOT appear on my testsite ...

Maybe anybody let me check this "on site" ? Please contact me via PM and refer to this thread, thanks
I guess he never fixed those issues because it was never released..
I sure hope he can post a fix for the issue at hand for everyone still using it..
  #15  
Old 30 Aug 2011, 02:08
JacquiiDesigns JacquiiDesigns is offline
 
Join Date: Dec 2008
Location: Tennessee
Real name: Jacquii Cooke
Originally Posted by BirdOPrey5 View Post
The email had suggestions on what you should do, and you should follow the actions suggested.

If you want to call it useless that is your call, but it was pretty specific on what you should do until the issue is resolved.
That email was BALONEY! And to suggest that it wasn't is even more ridiculous than that brief (useless) burp of an email notification...

Now - before we get all defensive ==> There is not anyone in this thread who wants to argue -- except for me perhaps haha. But rather - our posts tend to be suggestive of a better way for vBulletin.org to handle quarantined/exploited/blablabla modifications as concerns its paying customer base!

Right now - it's obvious that vBulletin.org as an entity doesn't give a flying _______.
((whatever horrible or not-so-horrible word you can think of will likely fit in the blank space))

J.