Oh, the stupidity
1master1 Offline
Member
***
Posts: 232
Joined: Oct 2010
Post: #21
RE: Oh, the stupidity
I'm sure yumi is older otherwise, he may not write these long replies or even talk to him sometimes through posts Tongue
10-26-2010 11:33 PM
Find all posts by this user Quote this message in a reply
MattR Offline
Junior Member
**
Posts: 40
Joined: Jul 2010
Post: #22
RE: Oh, the stupidity
My point was that if you intended on going through plugins to find issues, contacting the author would be a better approach because you've already spent time finding the issues and contacting them directly would require no extra effort. You said "I fail to understand why I should go to the effort of reporting someone else's issue" which is fair enough, you don't, but if you'd stated you were going to find vulnerabilities and just post them here, you could quite easily spend 30 seconds more contacting the author first, seeing as you'd already done the main job of finding the issues, and if they failed to listen nobody could stop you posting it publicly. I mean it was your idea to go through them in the first place, to do that and then say it's not your job to report the issues directly to the author instead of publicly doesn't make sense as you've already put the work in.

Anyway, I'm not arguing, I'm just saying Tongue

If you were to find any vulnerabilities in any of my code, whether you posted them publicly or told me personally, I'd still be grateful for it, but I'd be a bit pissed if it was posted publicly and people got hacked, before I'd even been given a chance to fix it. Just because some people don't listen doesn't mean everybody'll be like that; some people will really appreciate it and act on it straight away.
(This post was last modified: 10-27-2010 04:34 AM by MattR.)
10-27-2010 02:45 AM
Find all posts by this user Quote this message in a reply
ZiNgA BuRgA Online
Fag
*******
Posts: 3,357
Joined: Jan 2008
Post: #23
RE: Oh, the stupidity
(10-27-2010 02:45 AM)MattR Wrote:  contacting them directly would require no extra effort
It DOES require extra effort.
That's the problem you don't understand.

It doesn't just take "30 seconds more".  But regardless, if it takes me 30 seconds to find an exploit, I'm effectively wasting twice the amount of time for absolutely no personal gain.  I'm sorry, as I said, I'm not altruistic, and unless I get something out of this exercise, I'm not doing it.  If it's at the detriment to others, so be it.

Perhaps if they're regular visitors to this forum, maybe I'll PM them.  But as most probably only go to the MyBB Community or even their own site, and I've stated that I do not wish to involve myself in the community, I am NOT going to the effort of going over to other sites and reporting stuff.

(10-27-2010 02:45 AM)MattR Wrote:  Just because some people don't listen doesn't mean everybody'll be like that; some people will really appreciate it and act on it straight away.
Unfortunately I can't see any evidence of such a statement.


I really can't see how many of these are even good at being obscurely hidden.  I mean, if you see something like:

PHP Code:
mysql_query("select * from users where user='$_GET[user]' AND password='$_GET[password]'");

and neither of the variables have been sanitised in any way, I think anyone with some PHP knowledge can easily see an exploit there.
If it's some complicated exploit path, then maybe I'll consider reporting it privately, but stuff like the above, I really don't think the author has much of an excuse other than a gross oversight or just pure incompetence.


But thanks for your opinions either way, everyone who replied Tongue
It was just a random thought.  I never said I'd do it, but maybe I will.


My Blog
(This post was last modified: 10-27-2010 09:27 AM by ZiNgA BuRgA.)
10-27-2010 09:09 AM
Find all posts by this user Quote this message in a reply
Vapor Offline
Member
***
Posts: 115
Joined: Oct 2010
Post: #24
RE: Oh, the stupidity
Omg...I wish I could make a bumper sticker for every other thing you post Yumi, because I would be rich. LOL

I love the in your face logic and your correct: most people are either too lazy to fix issues or it's an ego thing. Please do not check my sites because I am horrible at coding Frown Frown

D3G Gaming Team - http://d3g.in

[Image: vapor_sig.png]
10-27-2010 09:52 AM
Visit this user's website Find all posts by this user Quote this message in a reply
trialnick Offline
Junior Member
**
Posts: 13
Joined: Oct 2010
Post: #25
RE: Oh, the stupidity
regarding mybbrunway: their point system doesn't work fine...

one can see threads even they don't have the requested amount of points.
(This post was last modified: 10-31-2010 06:18 AM by trialnick.)
10-31-2010 06:17 AM
Find all posts by this user Quote this message in a reply
MasterZuFu Offline
Member
***
Posts: 97
Joined: Dec 2010
Post: #26
RE: Oh, the stupidity
I must say that this entire thread was absolutely hilarious. I've had to read and re-read, but this was just funny....

On another note though....I got a ton of plugins and not a clue if any of them is secure.... Oh :'(

12-17-2010 11:17 PM
Visit this user's website Find all posts by this user Quote this message in a reply

« Next Oldest | Next Newest »

 Standard Tools
Forum Jump: