MyBB Hacks

Well, I don't think this sort of stuff really gets reviewed.  From what I understand, MyBB staff leave it up to the community to make their own judgements over 3rd party modifications.
I think the approval process on the mods site / releases forum is just to check for viruses, but in all honesty, I think it's largely unnecessary.  The approval process doesn't extend to forum attachments, for example.

Heh, all this talk about security, I wonder if I should just post security exploits on plugins that I find, so that people who actually care about the security of their forum are aware of these things (unlike the people in the first post's linked thread).
Well, that's what I say on the outside, but I'm somewhat more interested in showing how many crappy coders there are out there, and make my forum visitors feel that they're smarter than the rest (cause really, the average intelligence here is greater than that of pretty much every other MyBB related forum out there).    [and then I kick myself when I can't find any security exploits... well, I'm sure there's quite a few... I hope]

I wouldn't just post a list, I don't think a public list of vulnerabilities that people could to use to hack forums with is the best way of doing it. Contacting the author and letting them decide whether they want to listen would probably suffice and wouldn't take any more time than just posting here. They can fix it, learn from it or w/e, but there's not a list of them, which would ultimately cause a lot of problems for us.

(10-25-2010 04:22 AM)MattR Wrote: [ -> ]but there's not a list of them, which would ultimately cause a lot of problems for us.

Was I ever someone who was nice to others?
I fail to understand why I should go to the effort of reporting someone else's issue.  It's their problem for writing crap code, and whoever installed the plugin for actually trusting an idiot.  I've already tried once, and the guy totally ignored me.  I'm not going to bother trying this with every idiot kid out there who only cares about their ego.  Hardly my fault and hardly my responsibility to fix.
And just because it's not publicly known, doesn't mean it's not known at all.  A group of people could easily be aware of a number of exploits without your knowledge.  And considering how much crap code there is out there, I wouldn't be surprised if this was the case.
Maybe if people knew about all this, would they then criticize these things more (what they should be) and not blindly trust everything posted there (cause really, it isn't checked for security issues, despite what many seem to think).

But don't worry, hardly anyone visits here anyway.  I've already reported two things, and neither have been abused to the point that anyone seems to be aware of

MattR, can you please edit the first post here - http://community.mybb.com/thread-66696.html
so the new people will not redo the mistake?

(10-25-2010 08:17 AM)ZiNgA BuRgA Wrote: [ -> ]

(10-25-2010 04:22 AM)MattR Wrote: [ -> ]but there's not a list of them, which would ultimately cause a lot of problems for us.

Was I ever someone who was nice to others?
I fail to understand why I should go to the effort of reporting someone else's issue.  It's their problem for writing crap code, and whoever installed the plugin for actually trusting an idiot.  I've already tried once, and the guy totally ignored me.  I'm not going to bother trying this with every idiot kid out there who only cares about their ego.  Hardly my fault and hardly my responsibility to fix.

Must admit, I agree with the other Matt on this point. It's good form, if nothing else, to notify the author and give them a heads up if you find a problem. By all accounts, if a week or two has passed and there has been no response or update from the author, then make the exploit public to try and force some action, but to do so straight away is awfully bad form.

Everyone makes mistakes, whether through a simple numpty moment or merely through inexperience. Even if the latter is the case, there ought be an attempt to educate them before penalising/crucifying them. Condescending attitude towards people I can totally understand. Not having the decency to follow good form is a different thing altogether, however, and not something you ought be aiming for.

I'm sure you wouldn't appreciate the scenario happening in reverse if you happened to overlook something in your code at some point, (we all do), and somebody never notified you of it before making it public, so do unto others...

(10-26-2010 12:00 AM)MattF Wrote: [ -> ]Must admit, I agree with the other Matt on this point. It's good form, if nothing else, to notify the author and give them a heads up if you find a problem. By all accounts, if a week or two has passed and there has been no response or update from the author, then make the exploit public to try and force some action, but to do so straight away is awfully bad form.

If you actually expect me to do that, I could spend my entire life reporting cases.
No, I'd rather keep my mouth shut if that was an actual requirement.
As it isn't, I couldn't care less about "good" or "bad" form.  I don't consider myself some altruistic being here.  I do whatever makes me interested.
Anyway, as they say, "no pain no gain".

(10-26-2010 12:00 AM)MattF Wrote: [ -> ]I'm sure you wouldn't appreciate the scenario happening in reverse if you happened to overlook something in your code at some point, (we all do), and somebody never notified you of it before making it public, so do unto others...

Totally incorrect.  I WANT people to post exploits of my code, but throughout the years, no-one ever has.  I wonder why...

(10-26-2010 07:53 AM)ZiNgA BuRgA Wrote: [ -> ]

(10-26-2010 12:00 AM)MattF Wrote: [ -> ]I'm sure you wouldn't appreciate the scenario happening in reverse if you happened to overlook something in your code at some point, (we all do), and somebody never notified you of it before making it public, so do unto others...

Totally incorrect.  I WANT people to post exploits of my code, but throughout the years, no-one ever has.  I wonder why...

So if anyone did happen to find an exploit in your code, you'd rather they make it public knowledge before notify you? If so, I'll digress now, because that attitude is nothing more than either stupidity or arrogance. No-one turns out perfect code 100% of the time, and to suggest you would rather an exploit be made public knowledge than be given the opportunity to patch/repair it before that is just a stupid stance to take.

hmmm, I have been reading this thread with interest. I have no real understanding of exploiting code, but I think that the original post was to show us again that we should be careful what plugins we download. Its interesting to note that Zinga did not really tell us how to damage any forum where this code was installed by exploiting the code and - to be honest - I think he knows that most of the regulars here would NEVER do that to someones forum.

I see MattF's point re good form etc - but Zinga already said

Quote:I fail to understand why I should go to the effort of reporting someone else's issue.  It's their problem for writing crap code, and whoever installed the plugin for actually trusting an idiot. I've already tried once, and the guy totally ignored me.  I'm not going to bother trying this with every idiot kid out there who only cares about their ego.  Hardly my fault and hardly my responsibility to fix.\

So he has tried to tell people - but often they dont want to hear it, given their options of
1) Take down the plugin and admit they made poor code
2) Leave it up there and bask in all the "Thanks man" posts.

I think option 3)( the "right" option) Fix it and release a fixed version is not an option for many people who make these codes as they don't know HOW to fix it.

(10-26-2010 08:24 AM)MattF Wrote: [ -> ]So if anyone did happen to find an exploit in your code, you'd rather they make it public knowledge before notify you? If so, I'll digress now, because that attitude is nothing more than either stupidity or arrogance. No-one turns out perfect code 100% of the time, and to suggest you would rather an exploit be made public knowledge than be given the opportunity to patch/repair it before that is just a stupid stance to take.

I don't really have a preference actually.  Whether they report it publicly or privately is their choice.
I would MUCH rather it being reported, through any means, rather than it being kept private.  Only then do I have the ability to improve.
And no, I don't expect that my code is 100% perfect, but similarly, if there is an issue in it (within reason), I'm 100% responsible for it.
Code can be made exploit free with good design (of course, this is rarely followed).  If you code correctly, the probability that there actually will be an exploit will be close to 0%.  No-one turns out 100% perfect code, but you can certainly get close to it.

Anyway YES, it IS nicer to report privately (for most people that is; I don't mind either way), just as it IS nicer to donate your life savings to charity, or spend your whole life developing for a free project.
I'm saying here that I'm not that sort of person and I don't have the time for it.  I have tried many, many times in the past to report issues, but practically they've been ignored every single time.  And this is all the SAME problem.  This is NOT a case of people merely making mistakes.  This IS a case of the community just being stupid as a whole, and simply refusing to learn (assuming they ever had the ability to do so to begin with).
I presume you're talking mostly from the point of view of an outsider, but once you've actually experienced how bad customisations generally are, perhaps you'll understand better.  A systematic problem requires a systematic fix, and your solution is simply a waste of time.

Now, just to make something clear to you, I really don't care about my end users.  I used to, but after a while, I lost interest (I won't go into reasons).  I code for myself.  If I can improve, I'll do it.  I've expressed that there is no warranty over my code, so if a whole heap of forums get exploited, it doesn't affect me.  Thus I don't care if an exploit is made public or not - it makes no difference to me.

I don't care what people think of me.  I never did, and I'm not trying to appear altruistic like many others out there (who really aren't) and hide hidden agendas.  So think of me any way you wish.

And FYI, MANY exploits are made public because the large companies behind the product simply refuse to put the effort to fix anything unless it's made public.  How about we just ditch this stupid additional process and jump straight to the point already?

Actually, I don't think I'll bother.  I don't know why I should even bother wasting time pointing out this.  Leave the exploits in the code, maybe some hacker will discover it and put it to his advantage some time.

(10-26-2010 08:50 AM)leefish Wrote: [ -> ]So he has tried to tell people - but often they dont want to hear it, given their options of
1) Take down the plugin and admit they made poor code
2) Leave it up there and bask in all the "Thanks man" posts.

I think option 3)( the "right" option) Fix it and release a fixed version is not an option for many people who make these codes as they don't know HOW to fix it.

That example linked to was a prime case of a numpty who just doesn't want to hear it and has blanked an attempt to highlight errors in his plugin. He's been given the opportunity to sort it, so deserves whatever happens now that he's ignored the information.

With regards to "coders" not knowing how to sort problems, they don't have that as an excuse. Even if they're inexperienced, half a hour on various sites explaining how exploits can happen would have given him the knowledge to sort that exploit, so ignorance is only a transient excuse they can use.

(10-26-2010 10:33 AM)ZiNgA BuRgA Wrote: [ -> ]I don't really have a preference actually.  Whether they report it publicly or privately is their choice.
I would MUCH rather it being reported, through any means, rather than it being kept private.  Only then do I have the ability to improve.
And no, I don't expect that my code is 100% perfect, but similarly, if there is an issue in it (within reason), I'm 100% responsible for it.
Code can be made exploit free with good design (of course, this is rarely followed).  If you code correctly, the probability that there actually will be an exploit will be close to 0%.  No-one turns out 100% perfect code, but you can certainly get close to it.

When put that way, it sounds better than in your previous post. I totally agree on your point of good coding practice minimising the probability of anything unexpected or untoward occuring, btw. Unfortunately, those of us who do care about our coding standards seem to be in the minority, as you've obviously noticed too. Saying that though, after making one schoolboy type error the other month, (still kicking myself over the fact I overlooked something so simple), I can also appreciate just how easy it is, on occasion, to overlook something which can have a detrimental effect. It was a simple fix, granted, but a slip nonetheless.

Quote:Anyway YES, it IS nicer to report privately (for most people that is; I don't mind either way), just as it IS nicer to donate your life savings to charity, or spend your whole life developing for a free project.
I'm saying here that I'm not that sort of person and I don't have the time for it.  I have tried many, many times in the past to report issues, but practically they've been ignored every single time.  And this is all the SAME problem.  This is NOT a case of people merely making mistakes.  This IS a case of the community just being stupid as a whole, and simply refusing to learn (assuming they ever had the ability to do so to begin with).
I presume you're talking mostly from the point of view of an outsider, but once you've actually experienced how bad customisations generally are, perhaps you'll understand better.  A systematic problem requires a systematic fix, and your solution is simply a waste of time.

With regards to a certain communities ability to take bug reports and suchlike onboard and act on them, I can understand what you mean there. I know from previous times I've seen mention that it does appear you are attempting to plait snuff over there when reporting problems. On a wider scale, developers do tend to be far more receptive to bug reports though. I think the above site tends to taint ones opinion a tad in that regard.

Quote:I don't care what people think of me.  I never did, and I'm not trying to appear altruistic like many others out there (who really aren't) and hide hidden agendas.  So think of me any way you wish.

Nowt wrong with that attitude. Your stance on things does make far more sense now that you've explained it in more depth though. It just seemed a bit blaise the first time around.

Quote:And FYI, MANY exploits are made public because the large companies behind the product simply refuse to put the effort to fix anything unless it's made public.  How about we just ditch this stupid additional process and jump straight to the point already?

They make the rod for their own back, so they have no reason to complain and deserve whatever outcome they get. Conversely though, when a software Dev or team are very receptive to all problem/bug reports, it is better to give them a slight lead on sorting a problem before it going public. No need to tar all Dev's with the same brush.

Quote:Actually, I don't think I'll bother.  I don't know why I should even bother wasting time pointing out this.  Leave the exploits in the code, maybe some hacker will discover it and put it to his advantage some time.

From your previous post, I couldn't quite figure out whether you were just young or merely older and jaded. I'm guessing now though that it's the latter of the two?


p.s: Apologies for the length of this post.