Unsafe Mods List?
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations
READ: phpBB.com Board-Wide Rules and Regulations
-
Iamgarygnu
- Registered User
- Posts: 23
- Joined: Mon Feb 24, 2003 6:59 pm
- Location: New York City & New Jersey
- Contact:
Unsafe Mods List?
Hi - I searched the board but was unable to find a listing of unsafe mods - i.e. mods that don't have proper security precautions and expose the board. Can some kind soul kindly direct me to the proper link if there is indeed such a list on this board? Thank you!
-
A_Jelly_Doughnut
- Former Team Member
- Posts: 34457
- Joined: Sat Jan 18, 2003 1:26 am
- Location: Where the Rivers Run
- Contact:
MODs found in our MOD-DB are scanned for security flaws before being posted for download. If there is a flaw, I'm not sure what the MOD team does.
A Donut's Blog
"Bach's Prelude (Cello Suite No. 1) is driving Indiana country roads in Autumn" - Ann Kish
"Bach's Prelude (Cello Suite No. 1) is driving Indiana country roads in Autumn" - Ann Kish
-
Iamgarygnu
- Registered User
- Posts: 23
- Joined: Mon Feb 24, 2003 6:59 pm
- Location: New York City & New Jersey
- Contact:
-
A_Jelly_Doughnut
- Former Team Member
- Posts: 34457
- Joined: Sat Jan 18, 2003 1:26 am
- Location: Where the Rivers Run
- Contact:
Not that I've seen. Typically, it is the end user of the MOD that would find the flaws. I have seen 2 mods with security flaws, both now fixed.
A Donut's Blog
"Bach's Prelude (Cello Suite No. 1) is driving Indiana country roads in Autumn" - Ann Kish
"Bach's Prelude (Cello Suite No. 1) is driving Indiana country roads in Autumn" - Ann Kish
-
Iamgarygnu
- Registered User
- Posts: 23
- Joined: Mon Feb 24, 2003 6:59 pm
- Location: New York City & New Jersey
- Contact:
-
AbelaJohnB
- Former Team Member
- Posts: 5674
- Joined: Fri Jul 06, 2001 11:56 pm
Iamgarygnu,
The phpBB MOD Team takes great care in making sure that All MOD's within our MOD Database are free from security weakness, and malicious code. Likewise, we try to review code within the forums for weaknesses, but not as intense as we do within our MOD Database.
But, please understand, we do not guarantee that weakness do not exist. phpBB has thousands of lines of code, and so do a few of the MOD's created for phpBB. We are a dedicated group, but only so many eyes to review code.
However, Iamgarygnu, your questions bring up an interesting issue: A MOD Security Data Center. Perhaps our MOD Tools Team can develop something to start keeping track of weaknesses within MOD's.
It would not be all that used, as A_Jelly_Doughnut stated above... very few MOD's over the last two years have been found to have major security weaknesses, and a few submitted to our MOD Database (but never released to the public) have been found to have malicious code.
But, the idea behind a -simple- MOD Security Data Center is something I'll address to the MOD Team.
Hope this addresses you're concerns. If you (or anybody) has any security issues with any given MOD, please contact me directly at: abela@phpbb.com .
Thank You.
The phpBB MOD Team takes great care in making sure that All MOD's within our MOD Database are free from security weakness, and malicious code. Likewise, we try to review code within the forums for weaknesses, but not as intense as we do within our MOD Database.
But, please understand, we do not guarantee that weakness do not exist. phpBB has thousands of lines of code, and so do a few of the MOD's created for phpBB. We are a dedicated group, but only so many eyes to review code.
However, Iamgarygnu, your questions bring up an interesting issue: A MOD Security Data Center. Perhaps our MOD Tools Team can develop something to start keeping track of weaknesses within MOD's.
It would not be all that used, as A_Jelly_Doughnut stated above... very few MOD's over the last two years have been found to have major security weaknesses, and a few submitted to our MOD Database (but never released to the public) have been found to have malicious code.
But, the idea behind a -simple- MOD Security Data Center is something I'll address to the MOD Team.
Hope this addresses you're concerns. If you (or anybody) has any security issues with any given MOD, please contact me directly at: abela@phpbb.com .
Thank You.
-
Iamgarygnu
- Registered User
- Posts: 23
- Joined: Mon Feb 24, 2003 6:59 pm
- Location: New York City & New Jersey
- Contact:
Hi John! Thank you for the reply - now I feel like I made it into the "big time" 
Per YOUR (and other respected phpbb programmer's) suggestions, i reinstalled phpbb after running a "fully modded" version of the board that was just plain flakey - 217 or so mods vying for attention.
Anyway, I find myself in the process of building the board back up, and that means installing mods!
My comfort level from the phpbb.com "endorsed" mods is very high, and I am loathe to install "unoffiicial" mods - not actually for security concerns so much as because of compatability or functional concerns.
Also, keeping my old database, I find I MUST install certain mods if I want features to work - case in point - my avatars would not work after the reinstall no matter what I did - turns out once I installed (or technically reinstalled) the official neclectic's sticky avatar mod, they worked perfectly - likewise, do to my "overlapping install" i see evidence of residue from the prior board I have to address. I have not seen a banner mod from phpbb, so i installed Neils Chr. Denmark's unofficial banner hack, which I don't believe will pose security concerns, though I'd feel better comparing it to a list of known non-phpbb.com mods which are deemed safe or otherwise.
The point is, as I'm reinstalling mods, I do feel comfortable with the phpbb.com official mods. The question becomes, "Is anyone aware of mods, phpbb.com endorsed or otherwise, that have security concerns?" Perhaps if folks are aware, there could be an "official" thread, "Warning - potentially unsafe mods" and it can list Mod XYZ version 1.1.3 and then either a remedy (chmod your directory) or a warning, "We recommend you avoid this mod until the security flaw(s) are addressed" - I'm not asking potentially for what those flaws are - no need to make it easier for hackers. I do aknowledge this could be a strain for the team, so I would suppose if such an animal were put into place, it would have to be from users bringing it to the team's attention.
Another security related suggestion, might be a "Vulnerability Index" for each mod - say 1 through 5 - as a newbie, i can't spot vulnerable code, but i think it's safe to say, a mod that only moves the administration code from the bottom to the top of the page might be pretty darn secure, versus a mod that affects the admin panel settings or can through whacky circumstances create a security issue. Part 2 of the suggestion would be listing the vulnerability index in the mod's comments, and then below how to increase the security or safeguard, again, possibly with making sure certain directories or files are chmodded, or by applying a secondary mod for the security precautions.
Final point (and then I'll finish my strong cup of coffee!) - I, like many others, am very grateful to the team for the work and community provided. As a way to offset the time to potentially handle the security issues, or anything else, may i suggest the possiblity of a subscriber weekly mailing - i.e. weekly updates for phpbb2.2, newest mods or featured mods, tips, tricks, whatever, for a nominal fee - it would provide a way for the users to help support phpbb, and perhaps provide a small revenue stream in return. Just a suggestion.
Regardless of which of my ideas are applauded or thrown in the toilet, THANK YOU for the great system and community made available for the very reasonable price of nothing.
Very truly yours,
Gary Garland
Per YOUR (and other respected phpbb programmer's) suggestions, i reinstalled phpbb after running a "fully modded" version of the board that was just plain flakey - 217 or so mods vying for attention.
Anyway, I find myself in the process of building the board back up, and that means installing mods!
My comfort level from the phpbb.com "endorsed" mods is very high, and I am loathe to install "unoffiicial" mods - not actually for security concerns so much as because of compatability or functional concerns.
Also, keeping my old database, I find I MUST install certain mods if I want features to work - case in point - my avatars would not work after the reinstall no matter what I did - turns out once I installed (or technically reinstalled) the official neclectic's sticky avatar mod, they worked perfectly - likewise, do to my "overlapping install" i see evidence of residue from the prior board I have to address. I have not seen a banner mod from phpbb, so i installed Neils Chr. Denmark's unofficial banner hack, which I don't believe will pose security concerns, though I'd feel better comparing it to a list of known non-phpbb.com mods which are deemed safe or otherwise.
The point is, as I'm reinstalling mods, I do feel comfortable with the phpbb.com official mods. The question becomes, "Is anyone aware of mods, phpbb.com endorsed or otherwise, that have security concerns?" Perhaps if folks are aware, there could be an "official" thread, "Warning - potentially unsafe mods" and it can list Mod XYZ version 1.1.3 and then either a remedy (chmod your directory) or a warning, "We recommend you avoid this mod until the security flaw(s) are addressed" - I'm not asking potentially for what those flaws are - no need to make it easier for hackers. I do aknowledge this could be a strain for the team, so I would suppose if such an animal were put into place, it would have to be from users bringing it to the team's attention.
Another security related suggestion, might be a "Vulnerability Index" for each mod - say 1 through 5 - as a newbie, i can't spot vulnerable code, but i think it's safe to say, a mod that only moves the administration code from the bottom to the top of the page might be pretty darn secure, versus a mod that affects the admin panel settings or can through whacky circumstances create a security issue. Part 2 of the suggestion would be listing the vulnerability index in the mod's comments, and then below how to increase the security or safeguard, again, possibly with making sure certain directories or files are chmodded, or by applying a secondary mod for the security precautions.
Final point (and then I'll finish my strong cup of coffee!) - I, like many others, am very grateful to the team for the work and community provided. As a way to offset the time to potentially handle the security issues, or anything else, may i suggest the possiblity of a subscriber weekly mailing - i.e. weekly updates for phpbb2.2, newest mods or featured mods, tips, tricks, whatever, for a nominal fee - it would provide a way for the users to help support phpbb, and perhaps provide a small revenue stream in return. Just a suggestion.
Regardless of which of my ideas are applauded or thrown in the toilet, THANK YOU for the great system and community made available for the very reasonable price of nothing.
Very truly yours,
Gary Garland
I suspect this is in the wrong place to attract comment from many of the MOD Authors, but what I think, is that if people become aware of security issues with a MOD, perhaps the best thing is to mail the MOD author about the problem. The author could then note in the Release thread for that MOD that there was a problem (if in the DB or the Beta thread if not in the DB), and then look at fixing the problem and providing a newer release, since theoretically, these threads contain all the relevant info about a given MOD. I can see the merit in a central list as well, but I'm not sure how well it would work.
As an aside to John (or DanielT
) about the tools, do I recall correctly that the MDD has a bug feature? If it does, would this be a place to add an extra security tracker if the permissions could be worked out?
As an aside to John (or DanielT
) about the tools, do I recall correctly that the MDD has a bug feature? If it does, would this be a place to add an extra security tracker if the permissions could be worked out?"So Long, and Thanks for All the Fish"
phpBB Useful Links: Knowledge Base | Userguide | Forum Search | MOD Database | Styles Database
My Links: Blog!
phpBB Useful Links: Knowledge Base | Userguide | Forum Search | MOD Database | Styles Database
My Links: Blog!
-
Iamgarygnu
- Registered User
- Posts: 23
- Joined: Mon Feb 24, 2003 6:59 pm
- Location: New York City & New Jersey
- Contact:
If I recall correctly, i think you can/should mail security related issues QUIETLY to security@phpbb.com - i suppose if you do that, then the team can contact the mod author or scan the code and figure out what the problem is, if any - though e-mailing the mod author too probably woudln't be a bad idea....
please don't get me wrong, unless done intentionally, i don't even know how you'd have vulnerable code in a mod, and the work that goes into the mods seems to me to be incredible - from just figuring out the coding to putting it into the easy mod-able template - i scratch my head and wonder why all these hours of computer time are being given to us, for free! (geez, wish i could do it
please don't get me wrong, unless done intentionally, i don't even know how you'd have vulnerable code in a mod, and the work that goes into the mods seems to me to be incredible - from just figuring out the coding to putting it into the easy mod-able template - i scratch my head and wonder why all these hours of computer time are being given to us, for free! (geez, wish i could do it
Graham wrote: As an aside to John (or DanielT
Hello,
the MDD currently has no bug tracking feature, it has a task tracking feature, how ever.
also bugs should be directed at the MOD author via pm or email, and MOD Security issues should be addressed to: mod-team@phpbb.com
-
senghong79
- Registered User
- Posts: 311
- Joined: Wed Oct 30, 2002 2:45 pm
- Location: Malaysia
My experience:
The MOD team have done an exceptional work in maintaining the MOD database. But I will fully support an additional thread dedicated to MOD security announcements.
Don't get me wrong. I keep an eye on ALL the MOD release announcements for the mod I have installed, but sometimes, all you get to read is someone asking for help in installing the mod, minor issues, etc..... that sooner or later you might just miss one VERY IMPORTANT security risk mod update.
Having a single thread for such things at the top of the MOD forum means easier reference. It doesn't mean reporting bug or such, it simply mean that's the place MOD user's like myself can refer to for important MOD updates, like the way we check phpbb's announcement forum!
P/s: On a side note, actually I would love a sticky locked topic which get's updated everytime a MOD in the database is released or updated. It's easier to get an idea of what is happening in the MOD database, rather than browsing through topics (which get's bumped mostly because of support issue rather than a REAL update)
The MOD team have done an exceptional work in maintaining the MOD database. But I will fully support an additional thread dedicated to MOD security announcements.
Don't get me wrong. I keep an eye on ALL the MOD release announcements for the mod I have installed, but sometimes, all you get to read is someone asking for help in installing the mod, minor issues, etc..... that sooner or later you might just miss one VERY IMPORTANT security risk mod update.
Having a single thread for such things at the top of the MOD forum means easier reference. It doesn't mean reporting bug or such, it simply mean that's the place MOD user's like myself can refer to for important MOD updates, like the way we check phpbb's announcement forum!
P/s: On a side note, actually I would love a sticky locked topic which get's updated everytime a MOD in the database is released or updated. It's easier to get an idea of what is happening in the MOD database, rather than browsing through topics (which get's bumped mostly because of support issue rather than a REAL update)
-
Iamgarygnu
- Registered User
- Posts: 23
- Joined: Mon Feb 24, 2003 6:59 pm
- Location: New York City & New Jersey
- Contact:
I have found the phpbb.com to be SO VAST that searching yields many results other than what i want - even when searching with "AND" - sometimes too much knowledge can be, err, too much!
That's why i'm suggesting a slimmed down "mods warning" fora
i have to tell you, as i install more and more mods, i appreciate more and more the work that went into the core phpbb, and the work by the mod authors.
and, if i install a mod from elsewhere, i bite my nails and hope the quality will be as good as the rest - wishful thinking
That's why i'm suggesting a slimmed down "mods warning" fora
i have to tell you, as i install more and more mods, i appreciate more and more the work that went into the core phpbb, and the work by the mod authors.
and, if i install a mod from elsewhere, i bite my nails and hope the quality will be as good as the rest - wishful thinking
-
Numlock2KS
- Registered User
- Posts: 84
- Joined: Fri May 23, 2003 7:17 am
- Contact:
-
Iamgarygnu
- Registered User
- Posts: 23
- Joined: Mon Feb 24, 2003 6:59 pm
- Location: New York City & New Jersey
- Contact:
Numlock2KS wrote: Hello,
I do not know if this would solve the situation created by stacked MODs, but it would be nice if all MODs that require database modifications were 'tagged' to show users that once they are installed they must always be installed.
Thank You,
Numlock2KS
I think that's a GREAT IDEA - personally, I'm very satisfied with Sticky Avatars - however if I knew I'd have to reinstall every time, well then, I'd reinstall every time!
I WISH I had a better way of keeping track of my installed mods - so when I update in the future, I can reclaim functionality - oh well, next time I'll chart them all...