Nightrider

Wondering why that MOD you have won't install correctly? Let's take a look
Forum rules
DO NOT give out any FTP passwords to anyone! There is no reason to do so! If you need help badly enough, create a temporary FTP account that is restricted to only the files that you need help with and give the information for that. Giving out FTP information can be very dangerous!
Locked
Nightrider
Registered User
Posts: 7219
Joined: Tue Nov 16, 2004 8:54 pm
Location: Florida, US
Contact:

Re: Nightrider

Post by Nightrider »

I'm sorry Ptirhiik, for you to make the case that there is a serious security problem with EM, you have to present your case. To do otherwise is a copout. You were willing to present an extremely unlikely scenario above, so why not present a more likely one the next time around? If you don't want to make it public, PM is just a click away. Otherwise, your claims really have nothing to support them...

If you can't publicly present proof of your claims, then stop trashing EM. Your MODs leave plenty to trash too, so it would be good for you to work with us rather than against us. Since you can't write perfect MODs, I would suggest that you stop expecting others to do so. You aren't going to stop the thousands of people from using EM and more every day from jumping on the bandwagon, so you might as well begin to work to help improve it...

I doubt that you even try, but you should be able to see how a tool like EM is extremely beneficial to the phpBB community. It would be nice if you could devote your efforts into helping to make EM the best that it can be. You are not doing anyone a service by fighting this, so you might as well bring something positive and constructive to the table for a change. Anyone can be negative...

Image
Dogs and things
Registered User
Posts: 49
Joined: Sat Sep 23, 2006 10:21 pm
Location: Spain.
Contact:

Re: Nightrider

Post by Dogs and things »

Hello Ptihriik,

This morning I installed some 20 MODs in a matter of half an hour, using EM, on local, and this produced not a single change in my config.php, not a single letter. Apart from the "security_proof_mod" you presented.

Now I, as a beginner, am wondering why I should be so worried about using EM. I´d be very gratefull if you would at least indicate a bit in the direction of the reasons for the worries I should have. And I mean pointing a bit, not just commenting that there are huge reasons to be worried about/afraid of while saying nothing really.

Greetings.
User avatar
Ptirhiik_
Registered User
Posts: 526
Joined: Tue Nov 18, 2003 8:35 am

Re: Nightrider

Post by Ptirhiik_ »

Oh my, did I wrote for not being read ? Do you want me to repeat over and over though you don't read, don't want to understand or have not enough basic knowledge ? How could you pretend something is secured though I have given already proof it is not : do you want me to post publicaly all the exploits I already found with easyMOD ? Are you that stupid ? Wasn't it enough to explain to you you have a security breach in your posting.php I could find accessing to your own source on your own server, because you have easyMOD ? Blah !...

> Dogs and things: for now, you did it the right way : on your localhost, cut from the outside world. Now you can upload your test environment minus the easyMOD scripts and directories, and redo the sql required by the mods to your live environment. Though, before proceeding, do all the necessary tests to ensure all is really working well in all the cases.
Nightrider
Registered User
Posts: 7219
Joined: Tue Nov 16, 2004 8:54 pm
Location: Florida, US
Contact:

Re: Nightrider

Post by Nightrider »

I've read what you wrote, but I have yet to see anything of any major concern. You were kind enough to provide an unlikely scenario that could put someone's board at risk and I conceded that it could be a problem. There is a simple solution to that problem if it were ever to become a concern. But since I have installed over 800 MODs on my site and not one of them modified the config.php file, I'm not too concerned about it. If I ever do decide to install a MOD that modifies the config.php file, I will make sure that the MOD is removed from the admin/mods folder...

This is the way I look at it. You don't seem to be too fond of the security in EM right now. So either you can work to help improve it to your satisfaction, or I think it would be a good challenge for you to write your own MOD install tool. If you can develop a MOD install tool that I feel is better than EM, I would be happy to help support it with you...

Based on your previous responses, I doubt that you will be offering to help secure EM to your satisfaction nor will you be developing an alternate MOD install tool that addresses your security concerns. If you think you can do better than what Nutzzy has produced, I would love to see it. Should I be holding my breath in anticipation of what you will be contributing? Anyone can be negative. It will be interesting to see if you are willing to make a difference in order to help provide a MOD install tool that is better and safer for everyone...

Image
User avatar
Ptirhiik_
Registered User
Posts: 526
Joined: Tue Nov 18, 2003 8:35 am

Re: Nightrider

Post by Ptirhiik_ »

Nightrider wrote: I've read what you wrote, but I have yet to see anything of any major concern.
That's where you are very dangerous for the users you are advicing to run easyMOD on their live environment. Sorry for them you can't - or more exactly don't want - to see this, even if it is so obvious: I simply hope they keep dayly backups of all - db & ftp, and they won't be targeted by a hacker.

btw Nightrider, when a mod author publish patches or new versions of his mods, you should upgrade. When a mod author also explicitaly advice to not use a mod of his on latest phpBB versions, you should drop it. They are usualy solid reasons behing the both...
Nightrider
Registered User
Posts: 7219
Joined: Tue Nov 16, 2004 8:54 pm
Location: Florida, US
Contact:

Re: Nightrider

Post by Nightrider »

Ptirhiik, you provided an example of a dangerous modification to the config.php file and I conceded that could be a problem. I asked you to provide a list of MODs that modify the config.php file so that I could warn people about it. You failed to provide one example of an available MOD that does what you suggest. So your very unlikely security risk is of very little concern to most people...

You complain about your perceived security risks in EM, yet to my knowledge, you have done nothing to improve the situation. You could easily join in to help better secure EM, but AFAIK, you have not done so. You have the skills and ability to write a MOD install tool that satisfies your security concerns, yet AFAIK, you have no plans to do so...

So what are you bringing to the table other than unnecessary negativism? You have suggested that EM users should update their MODs and phpBB board? Doesn't that also apply to those who manually apply their MODs and Updates? You claim that EM users are at great risk yet you have yet to prove it. Instead you used the lame excuse that we don't have a right to know about the security flaws and that only the development team should know. Until you can provide solid proof to support your accusations, why should anyone believe you???

Do you believe that there are no security issues in the HUGE MODs that you create? I bet there are and if so, you should be warning people not to install any of your MODs...

I suggest you bring something positive to the table for once and help to improve the EM utility or create your own. It is unrealistic for you to expect everyone to manually install their MODs, especially your's. People can and do far more harm than good to their boards when manually installing MODs than any risk from an outside source. What is odd is when people screw up, you turn and make them feel bad for not being "experts" and making dumb mistakes. EM helps to prevent most dumb installation mistakes and if you decide to create your own MOD install tool, I imagine it would do the same...

So I'm still waiting for something positive and productive from you. Anyone can be negative...

Image
User avatar
Ptirhiik_
Registered User
Posts: 526
Joined: Tue Nov 18, 2003 8:35 am

Re: Nightrider

Post by Ptirhiik_ »

Nightrider wrote: (../..)yet to my knowledge
That's preciasly your problem: what you don't know you assume, and what you've been clearly informed, you simply ignore because you don't want to hear. This can be sum up in a few words: loose of time for me to discuss with you, and very dangerous advices given by you to users despite you've been warned of so can't pretend ignoring the facts. Sorry, but there stands the very negative approach.

Oh, btw, you will explicitaly mentioned on any beta or rc versions of my mods to not use them on a live environment - what is also precised explicitaly for mods beta versions @ phpBB.com, and you will find for any security report on my stable mods the fix patch or a new version (most often the second, only one has remained with a patch during sometime, and it has been actualized since). This has happend 4 times since I began publishing my mods. Of course, as you don't use their latest stable versions...

Also, for the last time, don't assume at which level I'm involved or not in the easyMOD project. As far as I know, you are not part of the easyMOD dev team (I would say hopefully reading you).
Nightrider
Registered User
Posts: 7219
Joined: Tue Nov 16, 2004 8:54 pm
Location: Florida, US
Contact:

Re: Nightrider

Post by Nightrider »

Let me ask you this. Do you believe that all versions of phpBB have been safe and secure? If not, do you believe it is possible for hackers to learn from the public downloads whether a site can be hacked? Do you believe that there are no security problems in the current phpBB release? If you believe that people should avoid EM because of what you perceive to be security issues, don't you think that you should be warning people not to use phpBB for the same reasons? If not, why not? If your logic and reasoning are consistent, you should be trashing phpBB as much as you do everything else for the same reasons...

So, if you are actively working to help improve EM, are you afraid to admit it? If so, why? If you are currently developing a MOD install tool that you believe will be safer to use than EM, why should it remain a secret? If you are doing neither, why are you afraid to admit that you are doing nothing positive to alleviate your security fears other than trying to scare people from using what is currently available? You have the skills and ability to help make a difference, so why aren't you doing something positive? Anyone can be negative...

Image
Locked