MyBB Community Forums

Full Version: Plugins
I think that MyBB 2.0 should take care of plugin submissions. It would be nice to implement a system with automatic updates of mods, like WordPress, and another feature would be to add a warning message in the user's Admin Control Panel if a plugin has security vulnerabilities, like ProPortal 1.0 (XSS).
Before the user installs the plugin on his board, the system will inform him about the plugin's bugs.
I know that this involves a larger staff, but I think that it would be great to have something like that.
PS: Excuse my bad English.
I've already suggested this in the MyBB 2.0 suggestions thread.

BTW, ProPortal has XSS vulnerabilities?! ARE YOU SURE?!
So you think it's possible to 'automatically' detect things like this?? If that was the case the problems wouldn't exist in the plugins in the first place would they.
(2011-07-09, 06:23 PM)MattRogowski Wrote: [ -> ]So you think it's possible to 'automatically' detect things like this?? If that was the case the problems wouldn't exist in the plugins in the first place would they.

He probably meant as vulnerabilities were found in plugins in the mod database that you would get a message about in the ACP to help you keep the forum secure.
Then that'd be a pretty weird system, having the authors add some sort of log to the plugin saying what vulnerabilities it has, so MyBB can warn people. I mean there's already a version checker, if that just ran automatically then people would know there was an update, and could upgrade to it.
(2011-07-09, 06:26 PM)MattRogowski Wrote: [ -> ]Then that'd be a pretty weird system, having the authors add some sort of log to the plugin saying what vulnerabilities it has, so MyBB can warn people. I mean there's already a version checker, if that just ran automatically then people would know there was an update, and could upgrade to it.

I know, but what if it takes a while to fix the hole? Warning users instead of making them wait possibly a week (theoretically and for the sake of this example) would make sense, instead of having some hacker taking down forums while everyone waits for an update.

Of course, it could work against us too, if a hacker gets notifications that a plugin has vulnerabilities he could go around hacking all the forums with the plugin before admins realize it.
(2011-07-09, 06:29 PM)lucasbytegenius Wrote: [ -> ]I know, but what if it takes a while to fix the hole? Warning users instead of making them wait possibly a week (theoretically and for the sake of this example) would make sense, instead of having some hacker taking down forums while everyone waits for an update.

A security vulnerability shouldn't take long to fix, if the author were to be able to add a note saying the plugin had an issue, it wouldn't take much more time to release a patch. If there was a checkbox they could tick on the submission page saying it was a security related release, so admins knew it was an important upgrade, that would be a different story, as long as the update had actually been released.

(2011-07-09, 06:29 PM)lucasbytegenius Wrote: [ -> ]Of course, it could work against us too, if a hacker gets notifications that a plugin has vulnerabilities he could go around hacking all the forums with the plugin before admins realize it.

Exactly. Shouting about the fact something has a vulnerability and alerting them to that fact, all before you actually release the fix, is just illogical. I mean if we said "Hey, MyBB has a SQL injection vulnerability, we haven't released a fix yet but we're telling everyone about it now", it wouldn't make much sense would it. However, telling people a security update has already been released makes sense, but that's just a small addition to the current system.
(2011-07-09, 06:11 PM)lucasbytegenius Wrote: [ -> ]I've already suggested this in the MyBB 2.0 suggestions thread.

BTW, ProPortal has XSS vulnerabilities?! ARE YOU SURE?!
Are you sure? :D
Please post a thread with the subject:
Quote:"/><script>alert(/TEST/)</script>
And then run portal.php...
What will you get? Something like this:
[attachment=23339]
I'm going to repair that as soon as possible.
PS: You must have the Last Threads block active!

Man, and how can a hacker use this to get into the ACP or damage the forum?
They can't, but they can use it to attach downloads of viruses and such to your forum - all it would require is for them to use window.location.replace() rather than alert(). Basically, they can run any type of JS they wish - which is bad.
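
The test subject quoted above only works when a block prints thread subjects without encoding them. The following PHP sketch is an added example, not part of the thread and not ProPortal's or MyBB's code; the function names, the sample rows and the assumption that the subject lands in a title attribute and in link text are all hypothetical. It shows the unencoded rendering beside an output-encoded one:

```php
<?php
// Added example: hypothetical "last threads" block renderer.

// Constructed sample rows. The second subject is the test string from the thread.
$threads = [
    ['tid' => 1, 'subject' => 'Welcome to the board'],
    ['tid' => 2, 'subject' => '"/><script>alert(/TEST/)</script>'],
];

// Vulnerable: the subject is copied into an attribute value and into
// element content exactly as the user typed it.
function render_block_unsafe(array $threads): string
{
    $html = "<ul>\n";
    foreach ($threads as $t) {
        $html .= '<li><a href="showthread.php?tid=' . $t['tid']
               . '" title="' . $t['subject'] . '">' . $t['subject'] . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Encode at output time. ENT_QUOTES covers both quote styles, so the value
// cannot close the title="..." attribute; < and > are encoded, so no tag
// can start inside the link text.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: every subject passes through esc(); the id is forced to an integer.
function render_block_safe(array $threads): string
{
    $html = "<ul>\n";
    foreach ($threads as $t) {
        $subject = esc($t['subject']);
        $html .= '<li><a href="showthread.php?tid=' . (int) $t['tid']
               . '" title="' . $subject . '">' . $subject . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Regression check: a raw <script> tag must not survive the safe renderer.
var_dump(strpos(render_block_unsafe($threads), '<script>') !== false);
var_dump(strpos(render_block_safe($threads), '<script>') === false);
```

The same check can be kept as a regression test for any template that prints user-supplied titles.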