MyBB Community Forums

Full Version: Hackers
And which person is like that?
(besides, after 2 years, you'd probably know whether it's safe or not to use)
There are a few plugins out there. People just change the compatibility from "14*" to "16*" and begin using them. Some plugin authors have retired from MyBB (the guy who made proportal springs to mind (dragon...something...?)). If a problem is found, and even if a fix is made by another dev, how likely is it to reach the general public as a whole?

Until we have some easy way of providing patches over at the modsite (which is supposedly in the works), it's slim.

Basically, paid authors and reputable authors have either a customer base to uphold or their reputation. There is more of a developmental push for those users than for some other free developers, who generally have less to lose if their code is found to have caused a massive breach in security at a site due to their inability to update the plugin (for one reason or another).

Anyway, back on topic.
What do haxors target? ACP login? FTP login? Host cPanel login?
Well, if I was a hacker, I'd look for an SQLi vulnerability that let me access the database variables from within the templates system. I would then try and login as admin on the forums using the database password. If the admin was stupid, they'd use the same password for everything. Possibly including cPanel, FTP etc...

I would then try that password with their registered board email, and have control over most of their Internet life.
(2011-11-02, 11:40 PM)Tom K. Wrote: [ -> ]There are a few plugins out there. People just change the compatibility from "14*" to "16*" and begin using them. Some plugin authors have retired from MyBB (the guy who made proportal springs to mind (dragon...something...?)).
And are they necessarily bad?

I'd much prefer a well written plugin which requires no fixing, to a poorly written plugin requiring constant maintenance.

(2011-11-02, 11:40 PM)Tom K. Wrote: [ -> ]If a problem is found, and even if a fix is made by another dev, how likely is it to reach the general public as a whole?
I fail to see how it's unlikely, assuming it's under an open source license, which most free plugins are. If it's non-free, then the developer abandoning their role means you're pretty much left stranded for updates.
That's just one of the many beauties of OSS.

(2011-11-02, 11:40 PM)Tom K. Wrote: [ -> ]Basically, paid authors and reputable authors have either a customer base to uphold or their reputation. There is more of a developmental push for those users than for some other free developers, who generally have less to lose if their code is found to have caused a massive breach in security at a site due to their inability to update the plugin (for one reason or another).
Lolwot?
Maybe to your idealistic view, but I'd say the reality is, people who pay probably can't understand the code anyway. Paid plugins have a (weak) obscurity layer, which doesn't necessarily mean they're more secure.
(2011-11-03, 06:41 AM)Yumi Wrote: [ -> ]
(2011-11-02, 11:40 PM)Tom K. Wrote: [ -> ]There are a few plugins out there. People just change the compatibility from "14*" to "16*" and begin using them. Some plugin authors have retired from MyBB (the guy who made proportal springs to mind (dragon...something...?)).
And are they necessarily bad?

I'd much prefer a well written plugin which requires no fixing, to a poorly written plugin requiring constant maintenance.
Well, since you actually understand the code, you can decide which plugins are well written and which are not. But most of the people using MyBB don't even know the basics of PHP, so they can't even differentiate which is safe and which isn't.

Quote:
(2011-11-02, 11:40 PM)Tom K. Wrote: [ -> ]If a problem is found, and even if a fix is made by another dev, how likely is it to reach the general public as a whole?
I fail to see how it's unlikely, assuming it's under an open source license, which most free plugins are. If it's non-free, then the developer abandoning their role means you're pretty much left stranded for updates.
That's just one of the many beauties of OSS.
I agree with you on this.

Quote:
(2011-11-02, 11:40 PM)Tom K. Wrote: [ -> ]Basically, paid authors and reputable authors have either a customer base to uphold or their reputation. There is more of a developmental push for those users than for some other free developers, who generally have less to lose if their code is found to have caused a massive breach in security at a site due to their inability to update the plugin (for one reason or another).
Lolwot?
Maybe to your idealistic view, but I'd say the reality is, people who pay probably can't understand the code anyway. Paid plugins have a (weak) obscurity layer, which doesn't necessarily mean they're more secure.
Tom meant that paid authors have the need to concentrate on maintenance of the plugin, because their customers won't stay if the plugin isn't updated.
And another thing he said is, even if a vulnerability is found in a paid plugin, it would affect only a handful of forums who bought it, whereas a free plugin would be used in a lot of forums, and if a vulnerability is found, it would affect a lot of forums.
Personally, as a paid and open source plugin developer, I completely agree with Yumi. I don't provide paid plugins because "they're better" than the others or "more secure" than the others.
I just made them paid for one reason: they allow those who use them to make money, so I think it is fair enough that I ask you to pay for them as well, since it took me time to develop them.

There's one case though (MyAchievements) which has a different reason, and that reason was that it was initially on ShopMyBB (not sure if anyone remembers) and it had about 12 purchases, and I kinda guessed that I'd be receiving complaint emails if I had made it free.
(2011-11-03, 07:21 AM)kavin Wrote: [ -> ]Well, since you actually understand the code, you can decide which plugins are well written and which are not. But most of the people using MyBB don't even know the basics of PHP, so they can't even differentiate which is safe and which isn't.
Which is why my suggestion is to avoid plugins as much as you can if you care about security.

(2011-11-03, 07:21 AM)kavin Wrote: [ -> ]Tom meant that paid authors have the need to concentrate on maintenance of the plugin, because their customers won't stay if the plugin isn't updated.
I guess you have some point there. You know, like, tweak some random image every few months so you can "update" the plugin. Makes some people think you're actually maintaining it, when really, you're not.

(2011-11-03, 07:21 AM)kavin Wrote: [ -> ]And another thing he said is, even if a vulnerability is found in a paid plugin, it would affect only a handful of forums who bought it, whereas a free plugin would be used in a lot of forums, and if a vulnerability is found, it would affect a lot of forums.
Is that a good thing?
The thread is about how to protect your own forum from being hacked, not about how to reduce exploitation amongst all MyBB forums. If you're hacked because of a plugin, I don't think it's helpful to know that the exploit would only affect a handful of other forums.

I'm not even going to bother discussing the other assumptions made here.
Well, I just tried to explain what Tom said.

I'm not a plugin developer and not so good at security. When I ran my previous forum, I had about 3-4 plugins, and all of them were Pirata's. He did concentrate on maintaining the plugins he developed. I honestly never found a need to use more than some 4 plugins.
Quote: If the admin was stupid, they'd use the same password for everything. Possibly including cPanel, FTP etc...
* wethegreenpeople starts to change some passwords