Unsafe Mods List?

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
Iamgarygnu
Registered User
Posts: 23
Joined: Mon Feb 24, 2003 6:59 pm
Location: New York City & New Jersey


Post by Iamgarygnu »

Hi - I searched the board but was unable to find a listing of unsafe mods - i.e. mods that don't have proper security precautions and expose the board. Can some kind soul kindly direct me to the proper link if there is indeed such a list on this board? Thank you!
A_Jelly_Doughnut
Former Team Member
Posts: 34457
Joined: Sat Jan 18, 2003 1:26 am
Location: Where the Rivers Run

Post by A_Jelly_Doughnut »

MODs found in our MOD-DB are scanned for security flaws before being posted for download. If there is a flaw, I'm not sure what the MOD team does.
A Donut's Blog
"Bach's Prelude (Cello Suite No. 1) is driving Indiana country roads in Autumn" - Ann Kish
Iamgarygnu
Registered User
Posts: 23
Joined: Mon Feb 24, 2003 6:59 pm
Location: New York City & New Jersey

Post by Iamgarygnu »

Actually, I'm very comfortable with the MODs on the site (I mean, who came out with phpBB in the first place?!?!?)
My question is: is there a repository of, or warning about, certain MODs that are known to be unsafe and should therefore be avoided?
A_Jelly_Doughnut
Former Team Member
Posts: 34457
Joined: Sat Jan 18, 2003 1:26 am
Location: Where the Rivers Run

Post by A_Jelly_Doughnut »

Not that I've seen. Typically, it is the end user of the MOD that would find the flaws. I have seen 2 mods with security flaws, both now fixed.
Iamgarygnu
Registered User
Posts: 23
Joined: Mon Feb 24, 2003 6:59 pm
Location: New York City & New Jersey

Post by Iamgarygnu »

Thanks AJD - one less thing to worry about (I suppose).
Slimeboy
Registered User
Posts: 358
Joined: Mon Apr 08, 2002 10:52 am
Location: Sydney, Australia

Post by Slimeboy »

Anything not from http://www.phpbb.com/mods/ I would not touch with a ten-meter pole.
AbelaJohnB
Former Team Member
Posts: 5674
Joined: Fri Jul 06, 2001 11:56 pm

Post by AbelaJohnB »

Iamgarygnu,


The phpBB MOD Team takes great care in making sure that all MODs within our MOD Database are free from security weaknesses and malicious code. Likewise, we try to review code posted within the forums for weaknesses, but not as intensively as we do within our MOD Database.

But, please understand, we do not guarantee that weaknesses do not exist. phpBB has thousands of lines of code, and so do a few of the MODs created for phpBB. We are a dedicated group, but there are only so many eyes to review code.


However, Iamgarygnu, your questions bring up an interesting issue: A MOD Security Data Center. Perhaps our MOD Tools Team can develop something to start keeping track of weaknesses within MOD's.

It would not be all that used, as A_Jelly_Doughnut stated above... very few MOD's over the last two years have been found to have major security weaknesses, and a few submitted to our MOD Database (but never released to the public) have been found to have malicious code.

But, the idea behind a -simple- MOD Security Data Center is something I'll address to the MOD Team.

Hope this addresses your concerns. If you (or anybody) has any security issues with any given MOD, please contact me directly at: abela@phpbb.com .

Thank You.
Iamgarygnu
Registered User
Posts: 23
Joined: Mon Feb 24, 2003 6:59 pm
Location: New York City & New Jersey

Post by Iamgarygnu »

Hi John! Thank you for the reply - now I feel like I made it into the "big time" :)
Per YOUR (and other respected phpBB programmers') suggestions, I reinstalled phpBB after running a "fully modded" version of the board that was just plain flaky - 217 or so MODs vying for attention.
Anyway, I find myself in the process of building the board back up, and that means installing MODs!
My comfort level with the phpbb.com "endorsed" MODs is very high, and I am loath to install "unofficial" MODs - not actually for security concerns so much as because of compatibility or functional concerns.
Also, keeping my old database, I find I MUST install certain MODs if I want features to work - case in point: my avatars would not work after the reinstall no matter what I did - turns out once I installed (or technically reinstalled) the official neclectic's sticky avatar MOD, they worked perfectly - likewise, due to my "overlapping install" I see evidence of residue from the prior board that I have to address. I have not seen a banner MOD from phpBB, so I installed Neils Chr. Denmark's unofficial banner hack, which I don't believe will pose security concerns, though I'd feel better comparing it to a list of known non-phpbb.com MODs which are deemed safe or otherwise.

The point is, as I'm reinstalling MODs, I do feel comfortable with the phpbb.com official MODs. The question becomes, "Is anyone aware of MODs, phpbb.com endorsed or otherwise, that have security concerns?" Perhaps if folks are aware, there could be an "official" thread, "Warning - potentially unsafe MODs", and it could list MOD XYZ version 1.1.3 and then either a remedy (chmod your directory) or a warning, "We recommend you avoid this MOD until the security flaw(s) are addressed" - I'm not asking for what those flaws are - no need to make it easier for hackers. I do acknowledge this could be a strain for the team, so I would suppose that if such an animal were put into place, it would have to be driven by users bringing issues to the team's attention.

Another security-related suggestion might be a "Vulnerability Index" for each MOD - say 1 through 5. As a newbie, I can't spot vulnerable code, but I think it's safe to say a MOD that only moves the administration code from the bottom to the top of the page might be pretty darn secure, versus a MOD that affects the admin panel settings or can, through wacky circumstances, create a security issue. Part 2 of the suggestion would be listing the vulnerability index in the MOD's comments, and then below it how to increase the security or safeguard - again, possibly by making sure certain directories or files are chmodded, or by applying a secondary MOD for the security precautions.

Final point (and then I'll finish my strong cup of coffee!) - I, like many others, am very grateful to the team for the work and community provided. As a way to offset the time to potentially handle the security issues, or anything else, may I suggest the possibility of a subscriber weekly mailing - i.e. weekly updates for phpBB 2.2, newest MODs or featured MODs, tips, tricks, whatever, for a nominal fee - it would provide a way for the users to help support phpBB, and perhaps provide a small revenue stream in return. Just a suggestion.

Regardless of which of my ideas are applauded or thrown in the toilet, THANK YOU for the great system and community made available for the very reasonable price of nothing.
Very truly yours,

Gary Garland
Graham
Former Team Member
Posts: 8462
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK

Post by Graham »

I suspect this is in the wrong place to attract comment from many of the MOD Authors, but what I think, is that if people become aware of security issues with a MOD, perhaps the best thing is to mail the MOD author about the problem. The author could then note in the Release thread for that MOD that there was a problem (if in the DB or the Beta thread if not in the DB), and then look at fixing the problem and providing a newer release, since theoretically, these threads contain all the relevant info about a given MOD. I can see the merit in a central list as well, but I'm not sure how well it would work.

As an aside to John (or DanielT ;) ) about the tools, do I recall correctly that the MDD has a bug feature? If it does, would this be a place to add an extra security tracker if the permissions could be worked out?
"So Long, and Thanks for All the Fish"

phpBB Useful Links: Knowledge Base | Userguide | Forum Search | MOD Database | Styles Database
My Links: Blog!
Iamgarygnu
Registered User
Posts: 23
Joined: Mon Feb 24, 2003 6:59 pm
Location: New York City & New Jersey

Post by Iamgarygnu »

If I recall correctly, I think you can/should mail security-related issues QUIETLY to security@phpbb.com - I suppose if you do that, then the team can contact the MOD author or scan the code and figure out what the problem is, if any - though e-mailing the MOD author too probably wouldn't be a bad idea....
Please don't get me wrong: unless done intentionally, I don't even know how you'd have vulnerable code in a MOD, and the work that goes into the MODs seems to me to be incredible - from just figuring out the coding to putting it into the easy MOD-able template - I scratch my head and wonder why all these hours of computer time are being given to us, for free! (Geez, wish I could do it :)
DanielT
Former Team Member
Posts: 3324
Joined: Tue Aug 27, 2002 10:55 am

Post by DanielT »

Graham wrote: As an aside to John (or DanielT ;) ) about the tools, do I recall correctly that the MDD has a bug feature? If it does, would this be a place to add an extra security tracker if the permissions could be worked out?


Hello,

The MDD currently has no bug tracking feature; it has a task tracking feature, however.

also bugs should be directed at the MOD author via pm or email, and MOD Security issues should be addressed to: mod-team@phpbb.com

:)
senghong79
Registered User
Posts: 311
Joined: Wed Oct 30, 2002 2:45 pm
Location: Malaysia

Post by senghong79 »

My experience:

The MOD team have done an exceptional work in maintaining the MOD database. But I will fully support an additional thread dedicated to MOD security announcements.

Don't get me wrong. I keep an eye on ALL the MOD release announcements for the mod I have installed, but sometimes, all you get to read is someone asking for help in installing the mod, minor issues, etc..... that sooner or later you might just miss one VERY IMPORTANT security risk mod update.

Having a single thread for such things at the top of the MOD forum means easier reference. It doesn't mean reporting bugs or such; it simply means that's the place MOD users like myself can refer to for important MOD updates, the way we check phpBB's announcement forum!

P/s: On a side note, actually I would love a sticky locked topic which gets updated every time a MOD in the database is released or updated. It's easier to get an idea of what is happening in the MOD database, rather than browsing through topics (which get bumped mostly because of support issues rather than a REAL update).
Iamgarygnu
Registered User
Posts: 23
Joined: Mon Feb 24, 2003 6:59 pm
Location: New York City & New Jersey

Post by Iamgarygnu »

I have found phpbb.com to be SO VAST that searching yields many results other than what I want - even when searching with "AND" - sometimes too much knowledge can be, err, too much!
That's why I'm suggesting a slimmed-down "MODs warning" forum.

I have to tell you, as I install more and more MODs, I appreciate more and more the work that went into the core phpBB, and the work by the MOD authors.
And, if I install a MOD from elsewhere, I bite my nails and hope the quality will be as good as the rest - wishful thinking :)
Numlock2KS
Registered User
Posts: 84
Joined: Fri May 23, 2003 7:17 am

Post by Numlock2KS »

Hello,

I do not know if this would solve the situation created by stacked MODs, but it would be nice if all MODs that require database modifications were 'tagged' to show users that once they are installed they must always be installed.

Thank You,

Numlock2KS
Iamgarygnu
Registered User
Posts: 23
Joined: Mon Feb 24, 2003 6:59 pm
Location: New York City & New Jersey

Post by Iamgarygnu »

Numlock2KS wrote: Hello,

I do not know if this would solve the situation created by stacked MODs, but it would be nice if all MODs that require database modifications were 'tagged' to show users that once they are installed they must always be installed.

Thank You,

Numlock2KS

I think that's a GREAT IDEA - personally, I'm very satisfied with Sticky Avatars - however if I knew I'd have to reinstall every time, well then, I'd reinstall every time!
I WISH I had a better way of keeping track of my installed mods - so when I update in the future, I can reclaim functionality - oh well, next time I'll chart them all... :)
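Two practical wishes run through this thread: a way to keep track of which MODs are installed (and what they touched), and a way to catch the "chmod your directory" kind of remedy that leaves parts of the board world-writable. Both can be served by keeping a manifest of the phpBB tree. The script below is an added example written for this page; it is not a phpBB tool and not anything the MOD Team provides. It assumes a POSIX filesystem (mode bits), and the fake phpBB tree, file contents and simulated "banner hack" install in `demo()` are constructed for illustration.

```python
"""Added example (not from the thread, and not a phpBB tool): a manifest of a
phpBB tree so that MOD installs can be recorded, diffed and reviewed, plus a
check for world-writable paths. Paths, file contents and the fake MOD install
in demo() are constructed for illustration; a POSIX filesystem is assumed."""
import hashlib
import json
import shutil
import stat
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large attachments don't hurt."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each path under root (relative, POSIX style) to its mode and,
    for regular files, size and SHA-256. Symlinks are recorded by mode only."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        st = p.lstat()
        entry = {"mode": stat.S_IMODE(st.st_mode), "type": "other"}
        if stat.S_ISDIR(st.st_mode):
            entry["type"] = "dir"
        elif stat.S_ISREG(st.st_mode):
            entry["type"] = "file"
            entry["size"] = st.st_size
            entry["sha256"] = file_digest(p)
        manifest[p.relative_to(root).as_posix()] = entry
    return manifest


def diff_manifests(before: dict, after: dict) -> dict:
    """Which paths a MOD install added, removed, or changed (content or mode)."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": sorted(k for k in common if before[k] != after[k]),
    }


def world_writable(manifest: dict) -> list:
    """Paths whose mode grants write to 'other' (o+w): the usual result of a
    careless 'chmod 777' given as an install step."""
    return sorted(k for k, e in manifest.items() if e["mode"] & stat.S_IWOTH)


def save_manifest(manifest: dict, path) -> None:
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed run: fake phpBB tree -> baseline manifest -> simulated MOD
    install (edits viewtopic.php, adds mods/banner.php, leaves mods/ at 777)
    -> diff and permission findings."""
    work = Path(tempfile.mkdtemp(prefix="phpbb_manifest_"))
    try:
        root = work / "phpBB2"
        files = {  # constructed stand-ins for real phpBB files
            "viewtopic.php": "<?php // original viewtopic\n",
            "includes/functions.php": "<?php // original functions\n",
            "templates/subSilver/overall_header.tpl": "{SITENAME}\n",
        }
        for rel, body in files.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body)
        for p in [root, *root.rglob("*")]:
            p.chmod(0o755 if p.is_dir() else 0o644)  # sane baseline, independent of umask
        baseline = work / "manifest-before.json"
        save_manifest(build_manifest(root), baseline)

        # the simulated "MOD install" (hypothetical banner hack)
        (root / "viewtopic.php").write_text("<?php // viewtopic + banner hack\n")
        mods = root / "mods"
        mods.mkdir()
        (mods / "banner.php").write_text("<?php // banner hack\n")
        (mods / "banner.php").chmod(0o644)
        mods.chmod(0o777)  # the 'chmod your directory' step that should be flagged

        after = build_manifest(root)
        return {
            "diff": diff_manifests(load_manifest(baseline), after),
            "world_writable": world_writable(after),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In use, you would run `build_manifest` on the clean board, save it, install a MOD, build again and diff: the "changed" and "added" lists are the record of what that MOD touched (the chart Gary wishes he had), and anything in `world_writable` is a permission that should be tightened back to what the web server actually needs. On the sample tree the diff reports `viewtopic.php` as changed, `mods` and `mods/banner.php` as added, and `mods` as the only world-writable path.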