Security of hacks at vbulletin.org?

  • Remi
    Senior Member
    • May 2001
    • 222

    Security of hacks at vbulletin.org?

    Hi

    I have read over and over that it is good for the security of your forum not to install any hacks.

    I know that Jelsoft is not responsible for all of these hacks, but how do we know if this hack is safe or not?

    I think that Jelsoft should at least provide an opinion of the major or popular hacks if they are safe to install.

    Or maybe provide a security guideline for the "Hackers".

    What do you think, should Jelsoft get involved or not?
  • WurkAnimal
    Senior Member
    • Aug 2005
    • 2538
    • 3.5.x

    #2
    No they shouldn't get involved.


    • Floris
      Senior Member
      • Dec 2001
      • 37767

      #3
      The authors of those hacks are amateur or professional. But simply are not on the same level as the developers from vBulletin. And also make mistakes.

      You simply can't know.

      There are security issues reported and found at least once a month with third party source code. Including vBorg hacks. And once known the authors' hack is I believe pulled, and the author can release an update.

      Most addons are user contributions. Therefore really hard to security check as everybody codes differently.


      I highly doubt Jelsoft is going to get involved. There isn't enough manpower to check each release. The community on vBorg, and the staff there, are the people who can check.


      • Marco van Herwaarden
        Senior Member
        • Nov 2004
        • 6999
        • 3.8.x

        #4
        Posting this here is not really the best place. Best to discuss this at vBulletin.org.
        Want to take your board beyond the standard vBulletin features?
        Visit the official Member to Member support site for vBulletin Modifications: www.vbulletin.org


        • 1QuickSI
          Senior Member
          • Oct 2001
          • 881
          • 4.2.5

          #5
          Originally posted by Floris
          The authors of those hacks are amateur or professional. But simply are not on the same level as the developers from vBulletin. And also make mistakes.
          I find that a rather bold statement.
          -----------------------------------------------------------
          Running custom version of vBulletin based on v4.2.5
          PHP 7.4.14 :: MariaDB 10.5.8


          • Floris
            Senior Member
            • Dec 2001
            • 37767

            #6
            It's a point, not a statement. With it I mean they have not been trained by the Jelsoft developers, don't code on the same level, and don't code the same way. They use their own personal experience. The best developer in the world might not fully understand how vB works internally, nor have the time to find out how .. (for the simple hack they write) and miss an important filtering function. Leaving open an xss hole to be exploited.


            • jeffinj
              Senior Member
              • Apr 2006
              • 841
              • 4.0.0

              #7
              It's simply not possible for Jelsoft to look at everything. As it is vBulletin and the new products are taking all their time. I don't think they ever sleep.

              We should be installing the hacks at our own risk. Also if vb staff were to put their nose into these unofficial ones, vb.org might die soon. No one will ever voluntarily support or install them. It's a free world out there.
              www.christianforumsite.com

              • Wayne Luke
                vBulletin Technical Support Lead
                • Aug 2000
                • 74177

                #8
                Originally posted by jeffinj
                We should be installing the hacks at our own risk.

                You do. Says so in the license agreement.
                Translations provided by Google.

                Wayne Luke
                The Rabid Badger - a vBulletin Cloud demonstration site.
                vBulletin 5 API


                • WurkAnimal
                  Senior Member
                  • Aug 2005
                  • 2538
                  • 3.5.x

                  #9
                  Support is given though on the hacks


                  • Wayne Luke
                    vBulletin Technical Support Lead
                    • Aug 2000
                    • 74177

                    #10
                    Jelsoft doesn't give official support on Hacks. We never have and most likely never will.

                    • Mazinger
                      Senior Member
                      • Jul 2005
                      • 2399
                      • 3.7.x

                      #11
                      Maybe reviewing before publishing publicly could help.

                      • Jose Amaral Rego
                        Senior Member
                        • Feb 2005
                        • 11058
                        • 1.1.x

                        #12
                        Originally posted by Mazinger
                        Maybe reviewing before publishing publicly could help.
                        Go and volunteer and see how much time it takes to look over coding and then test it on live forum. If that passes, then you have to see if it causes problems with other hacks. You want to join vBulletin.org team to just review and test hacks or you can ask the coder to beta test it on your live forum.

                        Feel free and join Beta Tester if coder request some.


                        • Dean C
                          Senior Member
                          • Mar 2002
                          • 4571
                          • 3.5.x

                          #13
                          Originally posted by Floris
                          It's a point, not a statement. With it I mean they have not been trained by the Jelsoft developers, don't code on the same level, and don't code the same way. They use their own personal experience. The best developer in the world might not fully understand how vB works internally, nor have the time to find out how .. (for the simple hack they write) and miss an important filtering function. Leaving open an xss hole to be exploited.
                          That's an incorrect point to make. Just because Delia Smith (a UK cook) created a recipe for a meal, that is not to say a fellow cook can not come along and learn the recipe and know it just as well as Delia.

                          Obviously, this is an oversimplified example, but I can categorically say that a couple of years ago when I was up to scratch with vB, I felt confident enough that if you asked me about any of the internal workings, or how to prevent XSS/SQL injection within my vB mods, I would be able to answer you on the spot. Also remember, even the vBulletin developers make mistakes. Look at how many XSS vulnerabilities we've had over the years, but even they are still learning, as am I and lots of other developers here.

                          Nevertheless, to imply that they are on some godly level that makes them better programmers than anyone here, is a silly presumption to make. There will be far better, and more experienced programmers on this forum, and in many other places.
                          Dean Clatworthy - Web Developer/Designer


                          • Floris
                            Senior Member
                            • Dec 2001
                            • 37767

                            #14
                            a fellow cook can not come along and learn the recipe and know it just as well as Delia
                            Exactly, Jelsoft is the cook, the coders on vborg are the students. Jelsoft is not training them. Hence the point.

                            That said, as requested by Marco, this is not a discussion for this web site. But vborg.
                            Last edited by Floris; Tue 5 Jun '07, 12:21am.


                            • Marco van Herwaarden
                              Senior Member
                              • Nov 2004
                              • 6999
                              • 3.8.x

                              #15
                              As requested before, please have this discussion on vbulletin.org where it belongs.
