can old disabled plugins be a security risk?

**zascok** · Sat 15 Sep '12, 4:27pm

could, would and probably will. Clean those things if not used. What was the plugin that crashed ? Is it one of those "Mark thread as ..." ? If so I can help do uninstall

**sross** · Sat 15 Sep '12, 4:33pm

the crash was a while ago and it put me off wanting to do anymore uninstalls. I'll definitely go through and clean out the filesystem though, and I guess instead of uninstall it is safest to just delete the old plugins from the plugins view? This way the database will not be touched and the plugin will be removed? Thanks

**zascok** · Sun 16 Sep '12, 5:06am

yeah remove the it from plugin view it will uninstall the product as well

**sross** · Sun 16 Sep '12, 5:47am

thanks for the info, i am cleaning old stuff out as fast as i can but what is considered more of a risk? old plugin files in the file system or old plugins in the vbulletin forum plugins system?

**Hartmut** · Sun 16 Sep '12, 5:59am

It's always nice to have cleaned up software thou... Disabled plugins and products can be a security risk it's not supported anymore and files of it are left on ftp. Disabled plugins not using any files should be no risk at all.

**sross** · Sun 16 Sep '12, 6:04am

so to clarify if for example i had 10 vulnerable plugins that used 80 files on ftp, and i deleted the 80 files but left the plugins disabled it should not be a risk? Thanks

**liamwli** · Sun 16 Sep '12, 6:07am

Originally posted by sross

so to clarify if for example i had 10 vulnerable plugins that used 80 files on ftp, and i deleted the 80 files but left the plugins disabled it should not be a risk? Thanks

Correct.

**soniceffect** · Sun 16 Sep '12, 6:15am

Originally posted by sross

so to clarify if for example i had 10 vulnerable plugins that used 80 files on ftp, and i deleted the 80 files but left the plugins disabled it should not be a risk? Thanks

That would depend on the security risk IMO. If these files can be accessed/run directly then they may well be a security risk. IMO if something is a vulnerable plugin, unless you know what exactly is vulnerable you should uninstall the plugin and remove all files related to it.

This said however, you should remove all files related to plugins that are no longer used as a matter of cause.

**sross** · Sun 16 Sep '12, 6:50am

are .js files a risk? thanks for all the info guys

**Hartmut** · Sun 16 Sep '12, 6:55am

Originally posted by sross

are .js files a risk? thanks for all the info guys

They could be, yes.

Originally posted by soniceffect

That would depend on the security risk IMO. If these files can be accessed/run directly then they may well be a security risk. IMO if something is a vulnerable plugin, unless you know what exactly is vulnerable you should uninstall the plugin and remove all files related to it.

This said however, you should remove all files related to plugins that are no longer used as a matter of cause.

Of coz that should be removed, but a disabled plugin doesnt effect the code as it's not using the hook of the specific file anymore. Where would you start an exploit then when there is no code for it left?

Originally posted by sross

so to clarify if for example i had 10 vulnerable plugins that used 80 files on ftp, and i deleted the 80 files but left the plugins disabled it should not be a risk? Thanks

That's correct.

vBulletin 4 End of Life

can old disabled plugins be a security risk?

[Forum] can old disabled plugins be a security risk?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment