Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
MyBB Vulnerability Releases
#31
(06-21-2019, 02:13 AM)Serpius Wrote: To tell us, admins, that in order to check someone else's coding/programming you must be a coder/programmer in order to verify the software is an insult[...]

Can you explain how telling someone the truth is an insult?

If I told you that in order to run a business, you'd either need to know how to balance the books or you'd have to hire someone that does, would that be an insult?

If I told you that if you want to travel by plane, you'd either need to own a plane, or buy a ticket, would that be an insult?

I think you are being overly sensitive. I am simply stating the truth. As frost said, even if you are a coder, there is no guarantee that you will catch everything. The best you can hope for is that keeping your ear to the ground and patching known vulns quickly is enough to avoid an issue.

Try to think about this rationally rather than allowing your emotions to play into it.
Reply
#32
(06-21-2019, 10:59 AM)Wildcard Wrote:
(06-21-2019, 02:13 AM)Serpius Wrote: To tell us, admins, that in order to check someone else's coding/programming you must be a coder/programmer in order to verify the software is an insult[...]

Can you explain how telling someone the truth is an insult?

If I told you that in order to run a business, you'd either need to know how to balance the books or you'd have to hire someone that does, would that be an insult?

If I told you that if you want to travel by plane, you'd either need to own a plane, or buy a ticket, would that be an insult?

I think you are being overly sensitive. I am simply stating the truth. As frost said, even if you are a coder, there is no guarantee that you will catch everything. The best you can hope for is that keeping your ear to the ground and patching known vulns quickly is enough to avoid an issue.

Try to think about this rationally rather than allowing your emotions to play into it.

If I am buying a plane ticket, I am putting my faith into the airline who is selling it that their planes are safe to fly and their pilots are competent to fly an airplane. I do not need to do anything else but pay for the ticket because it is assumed that all other things have been inspected and verified. 

If I was running a business and needed a licensed accountant (which I do... by the way), I have several sources to verify the accounting firm through the government and/or agencies such as the Better Business Bureau (for USA businesses). 

I cannot do the same thing for someone who is a coder/programmer who advertises their business over the internet.

There are no means, at least that I am not aware of, to verify someone with those credentials. 

You say that I can do this locally, sure, but again... how do I verify that person?

With all of the fake/false information out there, how can one trust someone who claims to have certain credentials?

Take you, @Wildcard, I can reasonably trust you with your plugins. Why?

You have a good track record and people are still coming to you for your plugins.
If you were one of those "fly by night" people, then no one can place their trust into you.

Also, if there was a vulnerability in one or more of your plugins, you immediately fix them.
Why do you do it so quickly?
Because you do not want to see your plugin be responsible for someone's website being hacked into because of a security issue that was found on your plugins. (this is exactly why I brought up this part of the thread in the 1st place)

Other plugin authors are not quite that good or quick dealing with those kinds of issues.

However, I can not say the same for someone who put together a plugin that seems to work OK, but did this as a "one time adventure" and was never seen again, but people continue to use that said plugin for quite some time. How can someone like me verify that this 'one-time adventure' plugin is safe to use given the current situation on the internet with all of these exploits going around?
I'm Serpius and You're Not    ¯\_(ツ)_/¯
[Image: 5M7sb0n.png?1]
Reply
#33
I'm not going to quote and reply to everything you said, Serpius, but I don't think we are saying different things. I just think that you have a perspective that doesn't exactly match up with mine.

I see "forum admin" as a job that requires a lot of preparation, study, and most of all responsibility to your site. You mention vetting plugins like you feel as if someone else should do it for you, but whatever you feel, that just isn't the case.

All of the things you mentioned about looking for and using plugins from stable devs that have been around long enough to prove that they are dedicated to their projects is true...that in and of itself is part of the vetting process.

For example, I still have to deal with my users complaining about the old "While You Were Typing" plugin not coming back, because the author (who is/was a brilliant dev) disappeared.

I don't see anything else to say here. I've made my point as clearly as I can.
Reply
#34
You should use paid software. Then you have a basis for recourse.
Pretty pointless complaining on this forum about anything.
If you want to install every plugin under the sun -> expect problems.
Otherwise follow the general rule of thumb for a project whether it's a forum or online shop whatever. Build it with the least amount of plugins required. That way you reduce your risk to vulnerability and also your potential maintenance load.
What goes around comes around
Reply
#35
Ooh I'm going to enjoy this.

(06-20-2019, 08:44 PM)sarisisop Wrote: @Serpius I take my hat off to you for trying, but you are flogging a dead horse.

I still use MyBB and appreciate all that those do behind the scenes and wait in vain that MyBB will move onto the next version and stop updating 1.8 so I can stay where I am. I don't want 1.9 or 2.0 I've had enough.

As is your right.

(06-21-2019, 02:13 AM)Serpius Wrote: To tell us, admins, that in order to check someone else's coding/programming you must be a coder/programmer in order to verify the software is an insult and basically telling us admins to 'Muck off' is a condescending train of thought among the coders/programmers.

Got sources for this? I'd love to see where you're pulling that 'muck' from.

(06-21-2019, 02:13 AM)Serpius Wrote: To recruit someone from the internet is an invitation to huge potential problems. How do us admins trust someone that we have not seen or have met in person?

With all of the fake/BS/fraudulent information flying around on the internet, how are us admins supposed to find someone that won't hijack our website when we have paid a lot of money to set it up in the first place?

And yet, here you are, discussing plugins that you've installed from people you haven't met with other people you haven't met.

(06-21-2019, 02:13 AM)Serpius Wrote: All I asked for was a method of us non-coders/programmers to check the software to see if it is vulnerable or not, but this thread has descended into something completely different

I gave you an answer; I literally said, and I quote:

(06-19-2019, 01:05 AM)Ben Cousins Wrote: Everyone's procedure is different and varies from "Pfft, she'll be right mate" to "Fine-Tooth Comb"; and I no longer code much in PHP so I'm not really the one to answer this question; as a guide, however, I would normally advise limiting third-party code - code you haven't written, or isn't from the MyBB Team - at all, and if you do need to use a plugin, take the time to find a paid one, as generally, there is some accountability.

Here endeth the lesson.

(06-21-2019, 07:14 AM)frostschutz Wrote: Well, it's impossible, even for a developer.

This is correct, it is impossible to ensure that all vulnerabilities are gone. Code is, at its essence, vulnerable. Want a 100% unbreakable site? Well, you're orange outta luck. To put that onus onto the MyBB team is, at its very core, stupid. You complain that MyBB 1.9 is taking forever, and you want to stretch the resources of the team even further? That's poor - even for you.

(06-21-2019, 01:03 PM)Serpius Wrote: Take you, @Wildcard, I can reasonably trust you with your plugins. Why?

You have a good track record and people are still coming to you for your plugins.
If you were one of those "fly by night" people, then no one can place their trust into you.

There's your answer. Find someone you can trust. I can't see how this is so hard for you.
[Image: kAhpvOW.png]
Reply
#36
(06-22-2019, 08:04 AM)Ben Cousins Wrote: Here endeth the lesson.

Enjoy your victory lap.

Have a nice day.
I'm Serpius and You're Not    ¯\_(ツ)_/¯
[Image: 5M7sb0n.png?1]
Reply
#37
I think it's important to point out that the team and MyBB try to cater to as much users as possible. It's simply quite impossible to cater for everyone.

@Serpius, the difference between your analogy and MyBB is that you pay for your plane ticket so you are entitled to quality. You do not pay for MyBB, it is free and open-source so you're not actually entitled to anything but a working software. Therefore, the link you're trying to make between the two is quite impossible and is rather stupid IMO.

The team do their best to ensure that any exploits that are identified (within plugins) are removed from the public until the problem has been resolved. It is up to the author of the plugin to rectify the problem. All the team do is provide a showcase/market. It's like buying car insurance through a comparison site. If there's a problem with the insurance, you go to the insurance company, not the comparison site.

Most importantly, MyBB is here to provide a starting platform for users with near-any experience, if any. Of course, complimentary support is also provided with that. However, if you want to take that starting platform and make it more advanced via the use of plugins, then that's completely up to you, but the onus to learn more about the software and coding is on you. But even then, the team is nice enough to assist in most cases. You don't want to trust an outsider to do it for you? Learn coding and read up on what you need to know.

The team probably can't say it because they need to remain "professional", but god damn, stop acting so entitled.
Plugin Count: I lost count.
Public Plugins are available here.
Official GitHub.
Please do not PM me for support unless asked to.
Reply
#38
Pretty much what everyone else said, MyBB isn't responsible for plugins. They shouldn't have to audit code from every plugin uploaded, no other CMS will do this either.

MyBB goes far enough by hiding/marking vulnerable a plugin that has been reported which is more than most CMS devs do.
Reply
#39
It may be beneficial to extend the version check to include information about vulnerabilities and issues. Something like: https://i.imgur.com/IK7oTF8.png would be useful to inform forum admins. I'm sure many admins don't pay attention to the warning, and assume mybb is bullet proof.
Reply
#40
I spoke with Nervo about the transparency of vulnerabilities several years ago. I've ran a forum for almost a decade and I've never seen a situation so dire. Board owners need to be updated with security flaws and there's no reason it should have taken until the 10th to do so. I expect more from the MyBB team and I'm sure the other board owners do as well. It is not realistic to expect users to keep up to date with the Github. These vulnerabilities were in the wild long before other owners heard.

(06-16-2019, 01:01 AM)labrocca Wrote: And please don't argue that if you make a vulnerability public before a patch is made you risk the site being exploited. This week at least 3 sites that I know of were taken offline because of the 1.8.21 release. If you're a lazy admin that doesn't pay attention that's on you.

This happened to several sites.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)