MyBB Community Forums

Full Version: News feed in ACP about vulnerable plugin
I think we should have a news feed where, if the MyBB team finds a new vulnerability in a plugin and the plugin gets removed, a feed item is posted informing MyBB software users in the ACP that a vulnerable plugin was removed from the mods site and, if they are using the plugin, it's recommended they remove it.

I understand that we have a sticky for known vulnerable plugins, but think about this. If you are a successful webmaster and way too busy to check out the MyBB community forums, and your site is using a plugin that is vulnerable but no update(s) are available on the mods site, you wouldn't know about it and anyone could then break into your website due to the vulnerable plugin. It would be hard for the webmaster to visit MyBB every day to check for vulnerable plugins; after all, they have their own huge board to look after.

This is just a rough idea for informing webmasters about vulnerable plugins and a shoutout to protect their website(s). Of course it's up to the MyBB team how they would like to implement this if they agree with this suggestion.
I totally agree on this one. Would be a great feature to have.
Personally, I think a notice saying "Vulnerable!" should be placed next to any vulnerable plugins in the plugin manager, as specific versions are usually vulnerable, not the plugin in itself. Thus, if the plugin version installed is vulnerable, a message is shown, and the webmaster can see this, deactivate, update, whatever is required.

Use MyBB's fetch_remote_file to a somewhat API-ish function on the Mods Site, to verify.

Unfortunately this would only work for the Mods site. For instance, if a MyBB Central plugin was vulnerable and labrocca had not posted it on the Mods site, MyBB could not reasonably get the information it was vulnerable, unless a master "vulnerable list" was kept and this was checked.
Don't quote me on this but I seem to remember Dylan working on allowing 3rd party plugins, which aren't on the Mods Site, to be able to 'call home' from the plugin updates tab. We could use a similar system.
I like the idea by Dylan, but what if they are premium or paid plugins? Would webmasters also get an update if there are any update(s) on those plugins?

I also agree with seabody. Just because a certain version of a plugin is affected and the plugin is later on updated (Patched), it should not be considered a vulnerable plugin any longer.

Perhaps in the ACP (Dashboard), when we click on "Check for Updates", instead of checking for the MyBB version only, it will also check against vulnerable plugins or the plugin version affected.
(2013-10-09, 01:24 AM)Arbaz Wrote: I like the idea by Dylan, but what if they are premium or paid plugins? Would webmasters also get an update if there are any update(s) on those plugins?

I also agree with seabody. Just because a certain version of a plugin is affected and the plugin is later on updated (Patched), it should not be considered a vulnerable plugin any longer.

Perhaps in the ACP (Dashboard), when we click on "Check for Updates", instead of checking for the MyBB version only, it will also check against vulnerable plugins or the plugin version affected.

I don't think it would be bad if MyBB had an API that the software called every day or two to verify the security status of a plugin, and then let the admin know on the plugins page the next time it's visited.
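The version-aware check discussed in this thread (seabody's fetch_remote_file idea and the periodic API call above), as an added example that is not MyBB's own code: the feed URL, its JSON layout and the sample data are assumptions constructed here.

```php
<?php
// Added example, not MyBB core code: compare the plugins installed on a board
// against a vulnerability feed and return the ones that need attention.
// The feed URL, its JSON layout and all sample data below are assumptions.

define('VULN_FEED_URL', 'https://example.invalid/vulnerable-plugins.json'); // placeholder

// Constructed sample feed: one advisory per plugin codename, with the affected
// version range ('*' = every version) and the first fixed version, if any.
$sample_feed = json_encode(array(
    array('codename' => 'myalerts',   'min' => '1.0', 'max' => '1.05', 'fixed_in' => '1.06', 'removed' => false),
    array('codename' => 'oldgallery', 'min' => '0',   'max' => '*',    'fixed_in' => null,   'removed' => true),
));

// Installed plugins (codename => version as reported by each plugin's _info()).
// Constructed here; in the ACP this would come from the plugin manager.
$installed = array('myalerts' => '1.04', 'oldgallery' => '2.1', 'hello' => '1.0');

// Returns codename => advice for every installed plugin whose version falls
// inside an advisory's affected range. A patched version is not flagged.
function flag_vulnerable_plugins(array $installed, $feed_json)
{
    $advisories = json_decode($feed_json, true);
    if (!is_array($advisories)) {
        return array(); // malformed or missing feed: flag nothing rather than guess
    }
    $flagged = array();
    foreach ($advisories as $adv) {
        if (!isset($adv['codename']) || !isset($installed[$adv['codename']])) {
            continue; // plugin not installed on this board
        }
        $version = $installed[$adv['codename']];
        $min = isset($adv['min']) ? $adv['min'] : '0';
        $max = isset($adv['max']) ? $adv['max'] : '*';
        $in_range = version_compare($version, $min, '>=')
            && ($max === '*' || version_compare($version, $max, '<='));
        if (!$in_range) {
            continue; // installed version is outside the affected range (e.g. already patched)
        }
        $flagged[$adv['codename']] = (!empty($adv['removed']) || empty($adv['fixed_in']))
            ? 'Vulnerable! No fixed release available; remove the plugin.'
            : 'Vulnerable! Update to version ' . $adv['fixed_in'] . '.';
    }
    return $flagged;
}

// Offline run against the constructed data. In MyBB the feed would instead be
// loaded with fetch_remote_file(VULN_FEED_URL) (the helper in inc/functions.php)
// and cached, so the ACP does not contact the feed on every page view.
print_r(flag_vulnerable_plugins($installed, $sample_feed));
```

With the constructed data, myalerts 1.04 is flagged with an update notice, oldgallery with a removal notice, and hello is not flagged.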
The API thing is not a bad idea. I'm just suggesting a rough idea on how to make it easier for webmasters to stay up to date with security updates, it's up to the MyBB team how they decide to implement this. I think the more ideas we have on implementing this would make it easier for the MyBB team to come to a conclusion.