MyBB Community Forums

Full Version: Improve MyBB Security
(2010-05-28, 07:49 PM)frostschutz Wrote: [ -> ]that_guy, I'd not have commented in any other thread, but I think you're an idiot. Last thing anyone needs is an immature git like you to jump on the train here.

/thread

I am entitled to my opinion. And you are an idiot yourself, moron.
frostschutz is completely right, you just barge into threads and make so many negative posts. You are also extremely rude to the staff. Grow up and stop being a selfish git.
Quote:That is correct. It can be used by malicious people to install MyBB and cause havoc in the servers

Not true.

To install MyBB you need FTP or control panel access (cPanel). If the server isn't secured in a shared hosting environment then anyone with an account and malicious intent can cause havoc. You don't need MyBB to get a hosting account, upload a shell, and wreak havoc.

Again, so many of these complaints are really outside the scope of the software itself. It's just arguable positions. It's like complaining to a host that by giving a person an FTP account they can delete files you uploaded. DUH. If you give someone access to your templates and they are malicious, they can just delete all your templates or worse...inject JavaScript and drive-by javas. So really this is all bullshit. Sorry but that's how I see this.
(2010-05-28, 09:02 PM)labrocca Wrote: [ -> ]
Quote:That is correct. It can be used by malicious people to install MyBB and cause havoc in the servers

Not true.

To install MyBB you need FTP or control panel access (cPanel). If the server isn't secured in a shared hosting environment then anyone with an account and malicious intent can cause havoc. You don't need MyBB to get a hosting account, upload a shell, and wreak havoc.

Again, so many of these complaints are really outside the scope of the software itself. It's just arguable positions. It's like complaining to a host that by giving a person an FTP account they can delete files you uploaded. DUH. If you give someone access to your templates and they are malicious, they can just delete all your templates or worse...inject JavaScript and drive-by javas. So really this is all bullshit. Sorry but that's how I see this.

I agree with this. It's no different than letting a repairman into your home and he robs you blind while you are not looking.
I think we're done here for now.

If Ryan or any other staff member wishes to comment further on this, they will.
(2010-05-28, 07:40 PM)frostschutz Wrote: [ -> ]
(2010-05-28, 04:10 PM)Ryan Gordon Wrote: [ -> ]As I stated before if you can give me a working, non-buggy, non-half-assed solution that doesn't require a huge rewrite of code, then I'll be happy to implement it.

The catch being that you decide what a working, non-buggy, non-half-assed solution is.

Yup. I am qualified to make that decision.

(2010-05-28, 07:40 PM)frostschutz Wrote: [ -> ]The solution is most trivial and outlined in the first post. Any developer who deserves the title can use this information to come up with a fix within the hour. It's pretty much a one-liner, and a no-brainer.

Then what is it? I have yet to see ANYONE talk to me or send me a good fix (let alone a one-liner, no-brainer). Please do PM me the fix and I'll either implement it or give you and the public good reasons why it won't be implemented.

Seriously, I'm not on the side of leaving open vulnerabilities. We have a stellar record for fixing vulnerabilities very quickly, and given a good fix I seriously have no problem pushing it in.

I took several hours to look into Zinga's plugin when it was originally released that supposedly "fixes" this problem. It definitely stops some of the ways in which it could be a problem but it is in no way a complete fix and the methods that Zinga used are crude workarounds (sketchy preg_replace's and limited sanitization coverage was what I saw at first glance).

So don't think I don't take these things seriously. I take them very seriously.