MyBB Community Forums

Full Version: "My site haz been hacked, pleaze help!"
Almost every time I visit these forums I read about someone being hacked again. We all know that MyBB is not to blame here, but nonetheless these "I have been hacked" threads have a negative impact on MyBB's reputation. "Look, a MyBB site has been hacked again, MyBB is insecure!" You can read similar comments on the web. Perhaps it's time for MyBB to disapprove or at least highlight all third-party plugins with security issues in the plugin directory?

Warning, this plugin has security issues! By installing it you make your site vulnerable to attacks!

How about something like this?
Sounds pretty good to me, but I still think it has to do with the webmaster and not with MyBB or with the plugins.
I mean, if you see what kind of passwords people use for their MySQL databases or for their admin panel.
I have been a webhost since 1997 and people even give their cPanel passwords like "123456".

Everyone thinks it won't happen to them.
I have a client who is a webhost himself; he rents a dedicated server from me and has a very simple password for that as well.
(2012-07-07, 03:43 PM)mattias Wrote: Almost every time I visit these forums I read about someone being hacked again. We all know that MyBB is not to blame here, but nonetheless these "I have been hacked" threads have a negative impact on MyBB's reputation. "Look, a MyBB site has been hacked again, MyBB is insecure!" You can read similar comments on the web. Perhaps it's time for MyBB to disapprove or at least highlight all third-party plugins with security issues in the plugin directory?

Warning, this plugin has security issues! By installing it you make your site vulnerable to attacks!

How about something like this?

As soon as a plugin is proven to be vulnerable we unapprove it from the mods site and notify the author. We take security very seriously.
Yeah, people choosing weak passwords for important things is another story unrelated to MyBB or security issues in software. But here you can read regularly about people being hacked due to insecure plugins.

(2012-07-07, 03:59 PM)Nathan Malcolm Wrote:
(2012-07-07, 03:43 PM)mattias Wrote: Almost every time I visit these forums I read about someone being hacked again. We all know that MyBB is not to blame here, but nonetheless these "I have been hacked" threads have a negative impact on MyBB's reputation. "Look, a MyBB site has been hacked again, MyBB is insecure!" You can read similar comments on the web. Perhaps it's time for MyBB to disapprove or at least highlight all third-party plugins with security issues in the plugin directory?

Warning, this plugin has security issues! By installing it you make your site vulnerable to attacks!

How about something like this?

As soon as a plugin is proven to be vulnerable we unapprove it from the mods site and notify the author. We take security very seriously.

What if the author is not willing to fix his plugin? People who already installed an insecure plugin are still vulnerable after unapproving the plugin. I think it's better to somehow inform them that they are using an insecure plugin and that they should uninstall it as long as it's not fixed. What about a list of plugins that are insecure at this time, where people can check whether any plugin they currently use is insecure or not?
(2012-07-07, 03:59 PM)mattias Wrote: Yeah, people choosing weak passwords for important things is another story unrelated to MyBB or security issues in software. But here you can read regularly about people being hacked due to insecure plugins.

I haven't seen any of that yet, but I have only been here for 5 days or something. I am used to vBulletin. But I am working on 2 plugins at the moment, and one of them could have a security issue.
(2012-07-07, 03:59 PM)mattias Wrote: What if the author is not willing to fix his plugin? People who already installed an insecure plugin are still vulnerable after unapproving the plugin.

Depending on the severity, the download might be updated by a staff member. But you have to remember that this isn't the only site to download MyBB plugins from. Recently there was a security issue with a plugin hosted on another site. Unfortunately we can't do anything about that. At most we can notify the author, but it's out of our hands.

(2012-07-07, 03:59 PM)mattias Wrote: I think it's better to somehow inform them that they are using an insecure plugin and that they should uninstall it as long as it's not fixed.

That's easier said than done (assuming you're referring to an ACP notification of some sort). As I previously mentioned, there are a lot of (popular) plugins hosted on third-party sites. I can see a lot of people saying "My site was hacked because of an insecure plugin, why wasn't I notified???". See below for a better solution.

(2012-07-07, 03:59 PM)mattias Wrote: What about a list of plugins that are insecure at this time, where people can check whether any plugin they currently use is insecure or not?

There was a mention of that internally. We'll be discussing that over the next few days.
I would like to suggest something.

All new threads in the Security Management forum should require moderation (staff-only approval). That way, MyBB staff could check whether it's a MyBB problem or not, and if not, and the title is misleading, edit the title, post a suitable reply and THEN approve the thread.

This would bring some improvement to threads or posts like "MyBB is insecure" and such.

With that being said, the security forum has fewer threads posted than the other forums, so approving them would be a light load on the moderators as well.

Worth a shot.
I am hoping that with MyBB 2.0, plugins are able to be marked vulnerable and all forums using them are notified via the ACP. What would need to happen, at least for the ones on the MyBB site, is that a database of bad plugin IDs is maintained. Whenever someone logs in to the ACP, the forum phones home for that database (max. one time daily). It then compares installed plugin IDs to the database, and if any are found, a warning is shown.
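The check Josh H. describes, written out as an added example (not MyBB code and not a MyBB API): the advisory feed is cached and refetched at most once a day, the installed plugin list is compared against it, and a warning is built for each match. It goes one step beyond the post by also tracking the version a plugin was fixed in, so a forum that has already updated is not nagged. The feed format, the cache path and the plugin names are assumptions.

```php
<?php
// Added example, not MyBB's own code. Assumed feed format: a JSON list of
// {"codename": "...", "fixed_in": "x.y.z" or null}; null means no fixed release exists.
// A real deployment would fetch over HTTPS and verify the feed's integrity.

const ADVISORY_CACHE = '/tmp/plugin_advisories.json'; // assumed cache location
const ADVISORY_TTL   = 86400;                           // refresh at most once a day

/** Return the advisory list, refetching only when the cached copy is older than the TTL. */
function load_advisories(callable $fetch): array {
    $cached = is_file(ADVISORY_CACHE) ? (json_decode(file_get_contents(ADVISORY_CACHE), true) ?: []) : [];
    if ($cached && time() - filemtime(ADVISORY_CACHE) < ADVISORY_TTL) {
        return $cached;
    }
    $list = json_decode((string) $fetch(), true);
    if (!is_array($list)) {
        // Fetch failed: keep using the stale copy instead of silently reporting "all clear".
        return $cached;
    }
    file_put_contents(ADVISORY_CACHE, json_encode($list), LOCK_EX);
    return $list;
}

/** Compare installed plugins (codename => version) against the advisories; returns warnings. */
function vulnerable_plugins(array $installed, array $advisories): array {
    $warnings = [];
    foreach ($advisories as $adv) {
        $name = $adv['codename'] ?? null;
        if ($name === null || !isset($installed[$name])) {
            continue;
        }
        $fixed = $adv['fixed_in'] ?? null;
        // Vulnerable when no fix exists or the installed version is older than the fixed one.
        if ($fixed === null || version_compare($installed[$name], $fixed, '<')) {
            $warnings[$name] = $fixed === null
                ? "Plugin '$name' has an unfixed security issue: deactivate it."
                : "Plugin '$name' {$installed[$name]} is vulnerable; update to $fixed or later.";
        }
    }
    return $warnings;
}

// Constructed sample data standing in for the ACP's plugin list and the remote feed.
$installed  = ['example_gallery' => '1.0.2', 'example_chat' => '2.1.0', 'example_seo' => '1.5.0'];
$advisories = load_advisories(fn() => json_encode([
    ['codename' => 'example_chat',    'fixed_in' => '2.2.0'], // installed 2.1.0 -> warn
    ['codename' => 'example_seo',     'fixed_in' => null],    // no fix -> warn
    ['codename' => 'example_gallery', 'fixed_in' => '1.0.0'], // already fixed -> clean
]));
print_r(vulnerable_plugins($installed, $advisories));
```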
(2012-07-07, 11:45 PM)Josh H. Wrote: I am hoping that with MyBB 2.0, plugins are able to be marked vulnerable and all forums using them are notified via the ACP. What would need to happen, at least for the ones on the MyBB site, is that a database of bad plugin IDs is maintained. Whenever someone logs in to the ACP, the forum phones home for that database (max. one time daily). It then compares installed plugin IDs to the database, and if any are found, a warning is shown.

This seems like the best solution imo
(2012-07-07, 11:45 PM)Josh H. Wrote: I am hoping that with MyBB 2.0, plugins are able to be marked vulnerable and all forums using them are notified via the ACP. What would need to happen, at least for the ones on the MyBB site, is that a database of bad plugin IDs is maintained. Whenever someone logs in to the ACP, the forum phones home for that database (max. one time daily). It then compares installed plugin IDs to the database, and if any are found, a warning is shown.

But the problem is, we can't control plugins downloaded from third-party sites. Sad