Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
MyBB Vulnerability Releases
#21
(06-18-2019, 07:05 AM)Serpius Wrote: Those admins have put their website in a vulnerable position without realizing this.

Those admins have the responsibility to vett their own code. Especially someone elses code.
[Image: kAhpvOW.png]
Reply
#22
(06-18-2019, 07:37 AM)Ben Cousins Wrote:
(06-18-2019, 07:05 AM)Serpius Wrote: Those admins have put their website in a vulnerable position without realizing this.

Those admins have the responsibility to vett their own code. Especially someone elses code.

Do you realize that many admins, including myself, do NOT know how to check other people's code. 

If there is a procedure on how to check software for exploits, please, share it with us.

Don't respond with a 'Google it'. That is condescending. Try to be helpful.
I'm Serpius and You're Not    ¯\_(ツ)_/¯
[Image: y3xr3cj5]
Reply
#23
(06-18-2019, 06:23 PM)Serpius Wrote: Do you realize that many admins, including myself, do NOT know how to check other people's code. 

No disrespect, but Ben is right: That's your problem.

Anyone who runs a MyBB forum must either learn how to code well enough to vet plugins before use or keep someone on staff that can.

MyBB reviews reported vulnerabilities in plugins and takes action to hide those plugins/themes until they are patched. That is all we can do.
Reply
#24
(06-18-2019, 06:23 PM)Serpius Wrote: Do you realize that many admins, including myself, do NOT know how to check other people's code. 

If there is a procedure on how to check software for exploits, please, share it with us.

Don't respond with a 'Google it'. That is condescending. Try to be helpful.

I'm sorry? Condescending? By talking like that, you're making me want to reply "Google it, bugger you", which, to be fair, I have a right to do. But since I'm such a nice person--

To paraphrase my lawyer: Ignorance is no excuse.

Everyone's procedure is different and varies from "Pfft, she'll be right mate" to "Fine-Tooth Comb"; and I no longer code much in PHP so I'm not really the one to answer this question; as a guide, however, I would normally advise limiting third-party code - code you haven't written, or isn't from the MyBB Team - at all, and if you do need to use a plugin, take the time to find a paid one, as generally, there is some accountability.

Internally, now we code from scratch, we have a new issue - dependencies. How do we vet those?
[Image: kAhpvOW.png]
Reply
#25
(06-18-2019, 07:29 PM)Wildcard Wrote:
(06-18-2019, 06:23 PM)Serpius Wrote: Do you realize that many admins, including myself, do NOT know how to check other people's code. 

No disrespect, but Ben is right: That's your problem.

Anyone who runs a MyBB forum must either learn how to code well enough to vet plugins before use or keep someone on staff that can.

MyBB reviews reported vulnerabilities in plugins and takes action to hide those plugins/themes until they are patched. That is all we can do.

Many admins, including myself, do not retain someone who is well versed in coding/programming. 

That's the real world. 

I guess without having any kind of verifiable way of checking other people's coding/programming, we are on our own. 

It makes me reconsider a few things that I have seen lately.
I'm Serpius and You're Not    ¯\_(ツ)_/¯
[Image: y3xr3cj5]
Reply
#26
@Serpius I take my hat off to you for trying, but you are flogging a dead horse.

I still use MyBB and appreciate all that those do behind the scenes and wait in vain that MyBB will move onto the next version and stop updating 1.8 so I can stay where I am. I don't want 1.9 or 2.0 I've had enough.

Answers like you have been given do not help, we don't all understand the guts of the machine. We use it and plugins from those willing to share for free because it's the way we have to go (or in my case prefer to go) I am very grateful for those that make MyBB what it is and the plugin authors for all their hard work. I run my forum on a non profit basis and it is the way I and my members like it, but being told that I should know how and engine is built is not the same as driving the car.

I have made similar posts before, we don't all understand or in some cases don't want to understand how it all works. We chose MyBB because it suits what we are looking for and it's free. There is no other reason that 90% of installs are used than that.

As uses we try to give something back, you (Serpius) have and still do give back a lot, but me ...................... I have given up because some on MyBB feel as an admin I should know what they know, or some will just not listen to feedback.

MyBB is a forum software and admins will install it to try and make a great forum, many will fail but some will keep plodding on. I'm one of those that will still keep plodding on as I have a great member base, but please can some of you out there stop telling us admins that "We should know" we run our forums thanks to all the hard work of others, but it is a bit off putting when we are treated as just a user with no knowledge.

I have been using MyBB for about 8 years now and I still don't understand what goes on under the bonnet. I just want it easy, if I wanted difficult I would code my own.

Oh well my post as usual will probably fall on deaf ears, and I will give up posting again.

But I just wanted to back up Serpius and his comments.
Reply
#27
(06-20-2019, 08:44 PM)sarisisop Wrote: But I just wanted to back up Serpius and his comments.

Look, I didn't mean to speak for MyBB, sometimes I forget about the badge. After all, I am really just a forum admin, myself.

All I am saying is that when I went (blindly) into opening a forum, I was certainly exposed to many types of security risks on my own forum because I didn't know anything about what I was doing. After a while, I smartened up and recruited someone to my staff that knew webdev and MyBB in particular. All of that time I kept learning and eventually, I was able to take over the full administration of my site.

It was a long road. I don't mean to trivialize the situation for admins out there, but I do like to keep it real. My statement is not how I wish things were, it is how I honestly believe them to be.
Reply
#28
(06-20-2019, 09:58 PM)Wildcard Wrote: I don't mean to trivialize the situation for admins out there, but I do like to keep it real. My statement is not how I wish things were, it is how I honestly believe them to be.

By telling us, admins, that in order to be a MyBB Admin, you should do one of two things:

  1. Know coding/programming.
  2. Recruit someone who intimately knows MyBB coding.
By making statements such as these will severely limit the usage of MyBB out "in the wild" and force those same admins to give up consideration of MyBB and potentially drive those admins to other CMS software (paid or free). 

To tell us, admins, that in order to check someone else's coding/programming you must be a coder/programmer in order to verify the software is an insult and basically telling us admins to 'Muck off' is a condescending train of thought among the coders/programmers.

To recruit someone from the internet is an invitation to huge potential problems. How do us admins trust someone that we have not seen or have met in person?
With all of the fake/BS/fraudulent information flying around on the internet, how are us admins supposed to find someone that won't hijack our website when we have paid a lot of money to set it up in the first place?

All I asked for was a method of us non-coders/programmers to check the software to see if it is vulnerable or not, but this thread has descended into something completely different.  
I'm Serpius and You're Not    ¯\_(ツ)_/¯
[Image: y3xr3cj5]
Reply
#29
This user has been denied support. This user has been denied support.
(06-21-2019, 02:13 AM)Serpius Wrote: All I asked for was a method of us non-coders/programmers to check the software to see if it is vulnerable or not, but this thread has descended into something completely different.

Well, it's impossible, even for a developer.

Sure, you can open the code in a text editor and read through it all. You can do this even if you don't know a lick about how to code. If you feel bored, you can also do a lot of hands-on testing.

But pretty much the only thing you catch that way (even with years of experience with the MyBB codebase specifically) is obviously malicious or obviously low-quality code. And it's a good idea to catch those, but in terms of security, it doesn't amount to much more than a cursory glance.

But most security issues out there are not like that. They're exploits, and exploit literally means - the code itself is perfectly harmless, but due to some unfortunate and intricate side effect that normally no one even thinks about, there is a way to exploit it to do the wrong thing anyway.

A guarantee that code is secure does not exist, hence it also cannot be provided by MyBB team or anyone else.

You can hire someone to do a security audit, and pay a lot of money to do so (going through all the code and second-guessing every other line is a time sink), and maybe they'll actually find something, and that'd be great, but it's still no guarantee that no new exploit will pop up the day after.

Other than that all you can do is update MyBB and watch https://community.mybb.com/mods.php?acti...erablesubs for known exploits... (and perhaps keep a watch on a google search to that effect to find reports posted elsewhere) but no guarantee that whoever finds an exploit will actually publish it at all
Reply
#30
(06-21-2019, 07:14 AM)frostschutz Wrote: Other than that all you can do is update MyBB and watch https://community.mybb.com/mods.php?acti...erablesubs for known exploits... (and perhaps keep a watch on a google search to that effect to find reports posted elsewhere) but no guarantee that whoever finds an exploit will actually publish it at all

I know of that webpage, but more current reports are being sent to Exploit-DB.com, not here.

I don't know if you saw my post #13 HERE. See that screenshot.
I'm Serpius and You're Not    ¯\_(ツ)_/¯
[Image: y3xr3cj5]
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)