#16 - 30 Aug 2011, 02:19 - BirdOPrey5 (Join Date: Jun 2008; Real name: Joe D.)
Originally Posted by JacquiiCooke:

Right now - it's obvious that vBulletin.org as an entity doesn't give a flying _______.
((whatever horrible or not-so-horrible word you can think of will likely fit in the blank space))

J.
Seriously Jacquii? I (and most of the rest of the staff) are here as volunteers. We are using our own time and energy to keep vBulletin modifications safe for everyone. Even confirming it is an exploit might give people ideas and risk the security of everyone who has this installed.

Regardless of the reason, the e-mail contains the suggested course of action (disable the mod). I will not have any pity for those who received the email and chose to ignore it. If anyone is that interested in fixing the mod itself, then review the code and fix any exploits you find; no one is stopping you. That goes for every mod here, quarantined or not.
__________________
-Joe (@BirdOPrey5) Former Moderator. Fighting for a free & independent vb.org.
BirdOPrey5.com - Exclusive VB Mods! (Formerly Qapla.com) | Joe's Ultimate Off Topic
Note - I do not read my PMs often, do not expect quick replies.
#17 - 30 Aug 2011, 02:22 - Max Taxable (Join Date: Feb 2011)
Drama queens everywhere.... Glad to see my board is not the only one. Of course, I knew that already.
#18 - 30 Aug 2011, 02:24 - AuroraStorm (Join Date: Nov 2006)
My board is still at 3.7.2 and I haven't updated my arcade in about three years because I was dealing with a serious illness...does this exploit affect my board?

I know this is a dumb question but I'm not sure what's going on here...

edited - oh and I did disable it...I learned my lesson from the vbPlaza exploit that destroyed my board in 2007...

I'll await instructions from those who know. Thank you for sending me an email (I know it's general mail) and I appreciate it...

Last edited by AuroraStorm; 30 Aug 2011 at 02:31.
#19 - 30 Aug 2011, 02:33 - garyb12001 (Join Date: Jun 2010)
Originally Posted by BirdOPrey5:
Seriously Jacquii? I (and most of the rest of the staff) are here as volunteers. We are using our own time and energy to keep vBulletin modifications safe for everyone. Even confirming it is an exploit might give people ideas and risk the security of everyone who has this installed.
FWIW, thanks for the heads-up. Much appreciated.
#20 - 30 Aug 2011, 02:50 - BirdOPrey5 (Join Date: Jun 2008; Real name: Joe D.)
Paul posted this in another thread but it is worthy of reposting.

http://www.vbulletin.org/forum/info.php?do=security

This is the procedure for when a mod is quarantined, and it shows the possible outcomes and options we have.
#21 - 30 Aug 2011, 02:51 - vbresults (Join Date: Apr 2009)
Originally Posted by BirdOPrey5:
Seriously Jacquii? I (and most of the rest of the staff) are here as volunteers. We are using our own time and energy to keep vBulletin modifications safe for everyone. Even confirming it is an exploit might give people ideas and risk the security of everyone who has this installed.

Regardless of the reason the e-mail contains the suggested course of action (disable the mod). I will not have any pity for those who received the email and chose to ignore it. If anyone is that interested in fixing the mod itself then review the code and fix any exploits you find- no one is stopping you. That goes for every mod here, quarantined or not.
A sort of mania appears to be setting in with this quarantine. It's like everyone's cat is lighting on fire. He probably doesn't mean what he said, even though it was a _______ bag thing to say.
#22 - 30 Aug 2011, 04:31 - Adrian Schneider (Join Date: Jul 2004)
Wow guys. Any administration, developer, etc. worth a grain of salt will not give out (even potential) security vulnerabilities to harm their members. For those who are curious, you can find out by looking at the patch once it comes out or try finding it yourself prior.

There is no reason you need to know what the vulnerability is until it's been fixed. If you're concerned, disable the product. Simple.

Ugh, I feel for the staff here. Dealing with other admins or developers is the worst when they think they always know best.

Keep up the good work guys. The response you SHOULD be getting is a huge thanks for looking out for us.

Cheers
#23 - 30 Aug 2011, 06:24 - souperman (Join Date: Mar 2011)
I agree 100% with Adrian on this. The reason why they're not saying much about this is because not many people know about the exploit; it's not even lurking on hack forums/sites. This mod can be exploited if they release details on this; the mods or mod owner need time to get this sorted. I know all of you want to be given a reason, but you guys need to understand that's not the best route at the moment. For now, disable the mod and remove all the php files associated with the mod.
#24 - 30 Aug 2011, 06:53 - toastyman (Join Date: Sep 2002)
I totally get "don't give out what the actual exploit is", but the email didn't give us enough information to actually know what to do.

It didn't say that it was removed for security reasons at all. I couldn't tell if this was a "remove this now, it's urgent!" problem, a "the latest version that was uploaded by the author is breaking installs, we don't want people messing up their forum by continuing to download it" problem, or a copyright claim or whatever.

If it was removed for security reasons, is just disabling it enough? Do the files actually have to be removed because it's still exploitable even if the product is disabled? The email says "If the modification consists of a product then disabling the product should be all that is required.", but past security problems with mods have shown that not to always be true. The email follows up with "If the modification also included new files then you may remove (or rename) them." which seems to contradict that disabling is good enough.

The URL listed in the email sent out just linked to the thread with no information about the quarantine either.


I'm not trying to complain about the wonderful service you guys are doing, but trying to explain from the perspective of a recipient of the quarantine email why you're getting so much angst over it. It's kinda like the evening TV news saying "There's something in your kitchen that could kill you!" and not elaborating. A very vague warning about a mod without anything other than "it has been quarantined" raises way more questions than provides answers, and left me unsure what I really needed to do.


If I were writing the email, I'd say something more like:

Subject: Action needed - Security issue with ibProArcade - professional Arcade System

The ibProArcade - professional Arcade System modification has been 'quarantined' by vBulletin.org, due to a security issue that requires your immediate action to ensure your forum's security.

You downloaded this modification at the following thread, which has now been archived until further notice.

http://www.vbulletin.org/forum/showthread.php?t=101554

This modification has been quarantined due to a serious security issue that has been brought to our attention. Our policy is not to discuss security issues publicly. However, the author of the modification has been informed and asked to address the quarantine reason(s). Until this is done, the modification will remain in the vbulletin.org graveyard. Once the author has responded to the issues you will be notified that it has been restored.

With the information we have at the current time, we believe this security issue can be completely prevented by disabling the modification in your Admin Control Panel. Go to "Plugins & Products", then "Manage Products" then disable this modification.

We do not believe removing this modification's additional files (if any) or uninstalling it is necessary to prevent exploitation of the security issue. Please keep in mind that if you uninstall this modification anyway, you may delete any data associated with it.
Explain the problem, explain what's being done about it, and list what actions a forum owner needs to take a bit more authoritatively.
#25 - 30 Aug 2011, 08:52 - vijayninel (Join Date: Mar 2009; Real name: Vijay)
I completely support the vb.org staff's decision of not releasing additional details without a fix being developed and released first. Doing so will only make a hacker's job easier and leave users of the mod more vulnerable.
#26 - 30 Aug 2011, 09:53 - Bomyne (Join Date: Aug 2011)
Do I have to disable it in plugins/products or is using the mod's off switch enough?

EDIT Nevermind! Turning it off has no effect whatsoever... I'll disable it.

Disabling it still leaves it accessible! What's going on?

Last edited by Bomyne; 30 Aug 2011 at 10:10.
#27 - 30 Aug 2011, 10:14 - JacquiiDesigns (Join Date: Dec 2008; Location: Tennessee; Real name: Jacquii Cooke)
Originally Posted by BirdOPrey5:
Seriously Jacquii?
Yes. Seriously Joe.
If I wasn't serious - I likely wouldn't have posted it. And though the language I used may be a bit strong for the subject matter at hand.... The suggestion that members here who have installed a modification be given a weeee bit more info than, "exploit. disable mod until further notice" is as well. It's a solid idea and it's a strong idea and you can see that it's a valid idea by the bulk of commentary in this thread.

Also - FWIW - I appreciate very much the all volunteer staff here at vB.org - I always have and as long as my boards are running vBulletin = I always will.

But being an all volunteer staff isn't an excuse for providing little to absolutely-no information to the users of modifications here.

That's all - and hopefully my posts will inspire a conversation amongst the staff members regarding this ridiculous no-info-upon-graveyard policy. Specifically - how to better it so that the Jacquii's of the world won't have a reason to +++++ -- Drama queen? Not hardly. Someone curious about what the exploit is and why we're not given one iota of a detail regarding it? Sure.

J.

--------------- Added 30 Aug 2011 at 10:22 ---------------

Originally Posted by Bomyne:
Do I have to disable it in plugins/products or is using the mod's off switch enough?

EDIT Nevermind! Turning it off has no effect whatsoever... I'll disable it.

Disabling it still leaves it accessible! What's going on?
Disabling it does indeed leave it accessible.
You should probably just turn the entire arcade off via Arcade Main Settings.
Perhaps to go a step further would be to rename your arcade.php file to something else until a fix is announced.

Of course such info might have been helpful if included in the super-useful quarantine email...

J.
__________________
Call For Submissions. Come share your poetry & writing at JPiC Forum.
JPiC Forum For Writers | Celebrating Diversity With The Typed Word
#28 - 30 Aug 2011, 10:25 - Bomyne (Join Date: Aug 2011)
Originally Posted by JacquiiCooke:
Disabling it does indeed leave it accessible.
You should probably just turn the entire arcade off via Arcade Main Settings.
Perhaps to go a step further would be to rename your arcade.php file to something else until a fix is announced.

Of course such info might have been helpful if included in the super-useful quarantine email...

J.

Tried turning it off via the settings too. I can still play arcade games like that.

I think I'm going to chmod the arcade.php file to 000 or something.
#29 - 30 Aug 2011, 10:28 - JacquiiDesigns (Join Date: Dec 2008; Location: Tennessee; Real name: Jacquii Cooke)
Originally Posted by Lancerforhire:
A sort of mania appears to be setting in with this quarantine. It's like everyone's cat is lighting on fire. He probably doesn't mean what he said, even though it was a _______ bag thing to say.
Okay - this post is useful to the thread how? IDK - but one thing to correct you on = I'm a she --- the "______" was for dramatic effect. So I suppose drama queen was appropriate. But even more appropriate than the name-calling, is the call to provide actual information in the "quarantine" email - otherwise the email is pretty useless to those of us who can read.

It has absolutely nothing to do with mania or anyone's cat lighting on fire, which is really a horrible thing lmao

--------------- Added 30 Aug 2011 at 10:30 ---------------

Originally Posted by Bomyne:
Tried turning it off via the settings too. I can still play arcade games like that.

I think I'm going to chmod the arcade.php file to 000 or something.
Only Admin group can access the arcade when disabled. Other usergroups will see "The administrator currently has the arcade disabled." message.

Rename arcade.php to something like blablabla.php -- something that only you will know -- and then once a fix has been posted - change the name back - then users browsing to your arcade.php file should be redirected to 404 error...?
#30 - 30 Aug 2011, 10:35 - Bomyne (Join Date: Aug 2011)
Originally Posted by JacquiiCooke:
Only Admin group can access the arcade when disabled. Other usergroups will see "The administrator currently has the arcade disabled." message.

Rename arcade.php to something like blablabla.php -- something that only you will know -- and then once a fix has been posted - change the name back - then users browsing to your arcade.php file should be redirected to 404 error...?
That explains it, Thanks.

I went one better. I inserted

[code block not visible in this extract]

after the <?php

To the best of my knowledge, that'll cause the file to fail to load, but when an update is released, uploading it will automatically replace the file and save me the trouble of remembering to rename it back :P
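Posts #26 through #30 above work out, by trial and error, that disabling a product in the Admin CP (or flipping the mod's own "off" switch) does not stop a direct request to a standalone file such as arcade.php, and settle on renaming it, chmod 000, or breaking it after the opening <?php. The script below is an added example written for this thread; it is not code from the thread, from the mod's author, or from vBulletin.org. Instead of renaming the file inside the web root (where a guessed new name still executes, and a non-.php name may be served back as plain source), it moves the entry point out of the web root entirely, records its origin and a checksum, and restores it once a fixed version is available. The web root, the relative path forum/arcade.php and the quarantine directory are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, the mod author, or vBulletin.org):
# park a quarantined mod's standalone PHP entry point outside the web root
# until a fix ships, then restore it. Paths used here are assumptions.
#
# Usage:
#   quarantine_entry /var/www/html forum/arcade.php /var/lib/mod-quarantine
#   restore_entry    /var/www/html /var/lib/mod-quarantine arcade.php

# quarantine_entry WEBROOT RELPATH QDIR
#   Moves WEBROOT/RELPATH into QDIR (which must lie outside the web root),
#   stores the original relative path and a POSIX cksum beside it, and strips
#   every permission bit from the parked copy.
quarantine_entry() {
    webroot=$1; rel=$2; qdir=$3
    src="$webroot/$rel"
    name=$(basename "$rel")
    if [ ! -f "$src" ]; then
        echo "quarantine_entry: $src does not exist" >&2
        return 1
    fi
    mkdir -p "$qdir" || return 1
    # cksum is POSIX: first field is the CRC, second the byte count.
    cksum < "$src" | awk '{print $1, $2}' > "$qdir/$name.cksum" || return 1
    printf '%s\n' "$rel" > "$qdir/$name.origpath" || return 1
    mv "$src" "$qdir/$name" || return 1
    chmod 000 "$qdir/$name"
}

# restore_entry WEBROOT QDIR NAME
#   Puts the parked file back under WEBROOT at its recorded relative path,
#   refusing if its contents no longer match the checksum taken at quarantine.
restore_entry() {
    webroot=$1; qdir=$2; name=$3
    parked="$qdir/$name"
    if [ ! -f "$parked" ]; then
        echo "restore_entry: $parked not found" >&2
        return 1
    fi
    rel=$(cat "$qdir/$name.origpath") || return 1
    chmod 644 "$parked" || return 1
    want=$(cat "$qdir/$name.cksum")
    have=$(cksum < "$parked" | awk '{print $1, $2}')
    if [ "$want" != "$have" ]; then
        echo "restore_entry: $parked changed while parked; not restoring" >&2
        return 2
    fi
    mv "$parked" "$webroot/$rel" || return 1
    rm -f "$qdir/$name.origpath" "$qdir/$name.cksum"
}

# entry_reachable WEBROOT RELPATH
#   Succeeds while the file still sits under the web root, i.e. a direct
#   request could still execute it whatever the product's enabled flag says.
entry_reachable() {
    [ -f "$1/$2" ]
}
```

The reason the in-product switches in the thread did not help is that disabling a product only stops its plugin hooks and templates from running; a standalone script under the document root is still reached directly by URL, which is why the quarantine e-mail's "disabling the product should be all that is required" holds only for mods that consist of plugins alone. Parking the file outside the web root covers both the renamed-file and the chmod cases, and when the fixed version is uploaded it simply lands at the original path.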