MyBB Community Forums

Full Version: Last 10 Threads In Signature for MyBB 1.6.5
This is a perfect example why the plugin release system needs something done (http://community.mybb.com/thread-132303.html). Staff here have confirmed that plugins are checked before they're released. How was this released with it having the issues that paveman just pointed out?
(2013-01-14, 08:20 PM)Frank.Barry Wrote: [ -> ]This is a perfect example why the plugin release system needs something done (http://community.mybb.com/thread-132303.html). Staff here have confirmed that plugins are checked before they're released. How was this released with it having the issues that paveman just pointed out?

They're checked for malicious code and obvious vulnerabilities, not extensively tested for every possible security issue. It's not our job to make sure every plugin is secure. Complain to the developer, not to us.
There are no malicious code and obvious vulnerabilities :) ; it's safe
(2013-01-14, 08:33 PM)mohdows Wrote: [ -> ]There are no malicious code and obvious vulnerabilities :) ; it's safe

http://community.mybb.com/thread-108549-...#pid961500
I saw it ;), but I speak about malicious code ...
(2013-01-14, 08:29 PM)Nathan Malcolm Wrote: [ -> ]
(2013-01-14, 08:20 PM)Frank.Barry Wrote: [ -> ]This is a perfect example why the plugin release system needs something done (http://community.mybb.com/thread-132303.html). Staff here have confirmed that plugins are checked before they're released. How was this released with it having the issues that paveman just pointed out?

They're checked for malicious code and obvious vulnerabilities, not extensively tested for every possible security issue. It's not our job to make sure every plugin is secure. Complain to the developer, not to us.

I'm not complaining. I'm just trying to push for better ways for this stuff to be released. I know it's just not as simple as saying "ok we'll do it like this", and that's it solved. But surely there's a better method of validation before a plugin is released. I know this particular plugin is not so much a security issue but in all honesty (with respect to the developer) this shouldn't have been released from the word go.

When it was first posted I downloaded it to have a look at the code and noticed that the query being used was hardcoded to disallow threads from specific forums to be displayed. Obviously this plugin was created for a specific forum. Surely when staff are checking for malicious code an SQL query is a priority. Although this is not malicious code it clearly wasn't going to work correctly on other forums.


(2013-01-13, 09:41 PM)mohdows Wrote: [ -> ]OK, let's wait for others' ideas :)

(2013-01-13, 09:24 PM)Frank.Barry Wrote: [ -> ]2. Don't block specific forums in your query and release the plugin to the public, that's just ridiculous.

done :)

He even confirmed that he fixed that issue, which he clearly didn't, as the query is still the same.
(2013-01-14, 08:20 PM)Frank.Barry Wrote: [ -> ]This is a perfect example why the plugin release system needs something done (http://community.mybb.com/thread-132303.html). Staff here have confirmed that plugins are checked before they're released. How was this released with it having the issues that paveman just pointed out?

As much as I agree with Pavemen, there is no reason in our guidelines to reject this plugin. It is not vulnerable in such a way that it may affect your forum (hacking, etc.), just not properly written.