MyBB Community Forums

Full Version: Which Plugins are known to be dangerous ?
Since I never saw a list of Plugins which are potentially harmful and buggy in a way that it can be used to call up some sort of exploit on a MyBB Forum, I think it's time for a post where such Plugins (if experienced by other hosters) in fact were responsible for hacks or similar.

I think it would be only good if those that were in fact a problem, were named here and so either the Plugin Developers (if still around) could fix them or if not, pose as a warning to other hosters that want to try those, not knowing they can actually lead to them being hacked because of it.

There are many very smart & talented people here. I am sure some of them would maybe help in checking on these things, we normal users are not experienced enough for.

I would like to ask the MyBB Staff to pin this topic so that it won't get lost in the many many topics in this forum. Also I am asking those of you with the proper knowledge on how plugins work, if they would be willing to check on these things.

There are so many Plugins, and it's often very risky to decide which to use and which will maybe even be responsible for one's forum to be hacked because of it.

Any help in this is greatly appreciated. As for the MyBB Staff and those that would be so kind to help checking out Plugins mentioned in this topic.

If noone is interested in this, if noone cares about either which files are harmful or that those were in fact detected, or the whole idea, then please go ahead and delete this topic. It would be a shame, but it wouldn't be the first I would have come across over the years.

Wolfseye
Last paragraph you missed a space between no one (you wrote noone).
But this is a good idea; maybe they could make a page in the mods section where you can click a link on the plugin page to report a hack or malfunction.
(2012-08-07, 03:16 PM)JordanMussi Wrote: Last paragraph you missed a space between no one (you wrote noone).

And I almost thought there would be serious replies. :s
How is this supposed to work? I mean, who is going to ask for plugin reviews/whatnot? I subscribed to this thread but it seems no one is really interested in knowing if X plugin is dangerous.
I am afraid you are right. :( Noone seems to care. Maybe they all prefer people coming here, all broken up about their Websites being hacked because of some Plugin that some maybe already knew was dangerous to use because of bugs. But keeping this knowledge to themselves since "they" knew it and either didn't use the Plugin because of that or even found a way to fix it.

A situation that could have easily been avoided by letting others know what they know, but often that seems too much to ask. Why care about others when you can care about yourself far easier. :(

On the other hand, if something happens, they rather say that you shouldn't use any 3rd Party Plugins but only the ones coming with MyBB. That way you're safer but hardly have any good additional features.

There is not one topic I found where someone tried to list all the plugins that were known to be a problem. Yes, there were some mentioned a couple times, like the "Tabbed Forums" plugin or what the name was. But that's it. However, I am sure there are more Mods that cause possible security issues.

Basically noone cares to let others know of possible issues that could lead to one's forum getting hacked. A centralized topic would be the best way to collect such info. But I suppose we must all be able to understand how the plugins work so we can anticipate every possible problem. I am sure that is what they like most.

It's very sad but it was expected. :(
Well, I think you are maybe exaggerating a little bit. Using your example of the mybb tabs - that was pulled from the mods database once the problem was known - same with the facebook login.

The thing is, mybb is not the only place distributing plugins, and really I would advise going with a plugin developer whose work you know and has a good reputation. Even then, there is the possibility of an issue that is not detected.

In that case, if it is on the mods site then I would go and post a review saying there is an issue, on a third party site I would post on that site.

Other than that, I am not sure what the mybb team can do.
In my opinion, and don't get that wrong please, ;) any plugin submitted here should be checked by some people with real knowledge into things and evaluated if there is any form of security concern, the plugin developer should be notified of that and asked to fix it before it's hosted as a plugin on the official MyBB site.

Of course that only counts for Mods submitted and offered here. Other sites that offer plugins as well, often only for a payable Subscription, but those aren't hosted here on the official MyBB site.

But it would be a start if here on this Site, the official Site, things could be made a bit easier by those that are so good with PHP and MySQL to help those of us, not blessed with a bright understanding of these things. ;)
I know what you mean - you want everything to be checked etc etc. The moderators are volunteers - it is a lot of work checking things to the level I think you hope for and really too much to expect. I moderate on another big site that accepts members uploads, and we check the items at a fairly high level - is all required information submitted, that sort of thing. It takes a lot of time and a team of about 8 people. Those people do not do any other site moderation, nor do they make any items themselves. The ones that do make a lot less than they used to as they have less time.

It is the same here - the guys you want to check the plugins are the same ones who are making the project software. They really don't have the time to do a detailed scan. It WOULD be nice if the skilled coders checked things for us etc etc, but why not learn a little php yourself? Maybe you could do some simple checks then and post a review in the plugin.
(2012-08-13, 08:34 AM)Leefish Wrote: but why not learn a little php yourself? Maybe you could do some simple checks then and post a review in the plugin.

There are many many here, which is obvious enough from what I see here sometimes what people can do, doing these things for many years. Maybe even studied that stuff for their future "making a living" plans.

Those are the best choices to test things like that. Not someone like me, that runs forums and does the occasional "Ok, please explain how you did that." kinda guy. I don't even have time for learning proper PHP coding. I can choose between time to run a forum with the little knowledge & time that I have, or learn how to do PHP and how to even know what other people did in their plugins, to correct it if necessary. I don't have time for both, it's as simple as that. ;)

I realize other people also have that much time, as you said. So I do of course sympathize for them. But sometimes here, from what I see of how many things certain people post here, fiddling with something that for them it seems very easy to do, that time might as well could be spent to help others minimize the risk of being hacked.

Almost every hack in a software, for the outside & first view, falls bad on the actual Software. Until that is proven to all others, that in fact the cause was a 3rd Party Plugin, its called a vulnerability of the actual Software. If that's MyBB or other softwares.

So if there were a listing of plugins "definitely" known to cause issues because of bugs in these plugins that could lead to a hack, that would make things easier for noobs like me ;), and I am pretty sure many others as well (no offence intended of course), to avoid installing those plugins in the first place. And ultimately at least make sure that my site cannot be hacked because of that.

As it is now, with every plugin one downloads & installs here and on other sites, it's a possibility that this could be used by someone else to hack my site. It's a kinda surprise thingy.

So if there were people with the proper knowledge and some time on their hands to check on Plugins and shake them upside down to find out if they are in fact a reason for a concern, that would be great.

That's all I ask. ;)
(2012-08-13, 08:49 AM)Wolfseye Wrote: I realize other people also have that much time, as you said. So I do of course sympathize for them. But sometimes here, from what I see of how many things certain people post here, fiddling with something that for them it seems very easy to do, that time might as well could be spent to help others minimize the risk of being hacked.

I am one of those fiddlers :D

I think that it is all how you want to spend your time: for me, fiddling about with my css or code is fun, and it is at MY risk. It is a huge responsibility to be the one who says "This is safe". I sure as heck would not want to do that job.

It would be nice if some coders did this kind of thing for the rest of the community out of the goodness of their hearts, I agree. Is it likely? I don't really think so. :(