Oh, the stupidity
1master1 Offline
Member
***
Posts: 232
Joined: Oct 2010
Post: #21
RE: Oh, the stupidity
I'm sure yumi is older; otherwise he may not write these long replies, or even talk to him sometimes through posts Tongue
10-26-2010 11:33 PM
MattR Offline
Junior Member
**
Posts: 40
Joined: Jul 2010
Post: #22
RE: Oh, the stupidity
My point was that if you intended on going through plugins to find issues, contacting the author would be a better approach because you've already spent time finding the issues and contacting them directly would require no extra effort. You said "I fail to understand why I should go to the effort of reporting someone else's issue" which is fair enough, you don't, but if you'd stated you were going to find vulnerabilities and just post them here, you could quite easily spend 30 seconds more contacting the author first, seeing as you'd already done the main job of finding the issues, and if they failed to listen nobody could stop you posting it publicly. I mean it was your idea to go through them in the first place, to do that and then say it's not your job to report the issues directly to the author instead of publicly doesn't make sense as you've already put the work in.

Anyway, I'm not arguing, I'm just saying Tongue

If you were to find any vulnerabilities in any of my code, whether you posted them publicly or told me personally, I'd still be grateful for it, but I'd be a bit pissed if it was posted publicly and people got hacked, before I'd even been given a chance to fix it. Just because some people don't listen doesn't mean everybody'll be like that; some people will really appreciate it and act on it straight away.
(This post was last modified: 10-27-2010 04:34 AM by MattR.)
10-27-2010 02:45 AM
ZiNgA BuRgA Offline
Fag
*******
Posts: 3,357
Joined: Jan 2008
Post: #23
RE: Oh, the stupidity
(10-27-2010 02:45 AM)MattR Wrote:  contacting them directly would require no extra effort
It DOES require extra effort.
That's the problem you don't understand.

It doesn't just take "30 seconds more".  But regardless, if it takes me 30 seconds to find an exploit, I'm effectively wasting twice the amount of time for absolutely no personal gain.  I'm sorry, as I said, I'm not altruistic, and unless I get something out of this exercise, I'm not doing it.  If it's at the detriment to others, so be it.

Perhaps if they're regular visitors to this forum, maybe I'll PM them.  But as most probably only go to the MyBB Community or even their own site, and I've stated that I do not wish to involve myself in the community, I am NOT going to the effort of going over to other sites and reporting stuff.

(10-27-2010 02:45 AM)MattR Wrote:  Just because some people don't listen doesn't mean everybody'll be like that; some people will really appreciate it and act on it straight away.
Unfortunately I can't see any evidence of such a statement.


I really can't see how many of these are even good at being obscurely hidden.  I mean, if you see something like:

PHP Code:
mysql_query("select * from users where user='$_GET[user]' AND password='$_GET[password]'");

and neither of the variables have been sanitised in any way, I think anyone with some PHP knowledge can easily see an exploit there.
If it's some complicated exploit path, then maybe I'll consider reporting it privately, but stuff like the above, I really don't think the author has much of an excuse other than a gross oversight or just pure incompetence.


But thanks for your opinions either way, everyone who replied Tongue
It was just a random thought.  I never said I'd do it, but maybe I will.


My Blog
(This post was last modified: 10-27-2010 09:27 AM by ZiNgA BuRgA.)
10-27-2010 09:09 AM
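For contrast with the query quoted in the post above, here is an added example (not code from the thread or from any plugin it discusses) of the same login lookup written with a prepared statement and a stored password hash; the `$pdo` connection details and the `users` table layout are assumptions.

```php
<?php
// Added example (not from the thread): the quoted login query rebuilt so that
// $_GET['user'] and $_GET['password'] can never change the SQL that runs.
// Assumes a PDO connection and a `users` table whose `password` column holds
// a password_hash() value rather than the plaintext password.

declare(strict_types=1);

function authenticate(PDO $pdo, string $user, string $password): ?array
{
    // The SQL text is fixed; the username travels separately as a bound value,
    // so a quote or comment sequence inside it is just data to MySQL.
    $stmt = $pdo->prepare('SELECT id, user, password FROM users WHERE user = :user');
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against a stored hash in PHP instead of matching the plaintext
    // password inside the query, so the password itself never reaches the SQL.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Constructed usage (assumed DSN and credentials). The original snippet reads
// both values from GET; a login form should POST them so they stay out of logs.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$account = authenticate(
    $pdo,
    (string)($_GET['user'] ?? ''),
    (string)($_GET['password'] ?? '')
);
if ($account === null) {
    http_response_code(401);
    exit('Login failed');
}
```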
Vapor Offline
Member
***
Posts: 115
Joined: Oct 2010
Post: #24
RE: Oh, the stupidity
Omg...I wish I could make a bumper sticker for every other thing you post Yumi, because I would be rich. LOL

I love the in-your-face logic and you're correct: most people are either too lazy to fix issues or it's an ego thing. Please do not check my sites because I am horrible at coding Frown Frown

D3G Gaming Team - http://d3g.in

10-27-2010 09:52 AM
trialnick Offline
Junior Member
**
Posts: 13
Joined: Oct 2010
Post: #25
RE: Oh, the stupidity
regarding mybbrunway: their point system doesn't work properly...

one can see threads even if they don't have the requested amount of points.
(This post was last modified: 10-31-2010 06:18 AM by trialnick.)
10-31-2010 06:17 AM
MasterZuFu Offline
Member
***
Posts: 97
Joined: Dec 2010
Post: #26
RE: Oh, the stupidity
I must say that this entire thread was absolutely hilarious. I've had to read and re-read, but this was just funny....

On another note though....I got a ton of plugins and not a clue if any of them is secure.... Oh :'(

12-17-2010 11:17 PM