Should we take up a collection to upgrade the forum software?

The Rocketry Forum

CQBArms (Well-Known Member, joined Sep 24, 2006)
I hate spammers and hackers and all that.
I'm in for $25 to get the ball rolling.
 
I am all for your idea, and even more. I would like to help provide some level of support for basic maintenance and operation of TRF, but I am going to let the owners/operators/moderators decide first if they want to go that direction.
 
I'm in :D, just need to know what way to pay and to whom, e.g. PayPal?
 
Originally posted by Rock_It
The deal with upgrades is you have to know whether you can upgrade without causing issues with what you have. Many of these forums have mods to the software, many of them have tricks coded in, many of them have "special tools", all of that has to be compatible. It's not as simple as just upgrading to the next version. Some versions have more bugs and can cause more issues than if you left it alone.

Wrong, wrong, wrong Rock_it. :D (that's kind of catchy...)

The "mods and tricks" you speak of (generally user-designed plug-ins) are easily integrated and a lot of the popular ones for this version are standard in the latest version.

The latest version of the vB software is extremely intuitive and the few bug reports that were filed have been taken care of. Heck, the upgrade can be done professionally by vB for $85 to $135 depending on what all the owners decide to do.

It really doesn't matter to me...TRF is good enough that I will be here regardless, but upgrades are no big deal and definitely nothing to sweat.
 
Ummm not in this case.
The upgrades to the forum software itself from vB are rock solid as they have been tested very heavily (the forum is a bunch of upgrades behind). There are no special tools as these are not forum mods or hacks, but actual plain upgrades to the "OS".
The part that you are missing is that if an automated bot can register and post (which these are) they can also get to the root of the drive. If this place were front-ended by an actual web page, these guys would have that hacked. It's not so much the spam but the hacks that can come from being so far behind in the version and patches.
This is 2.29; the most recent stable release is something like 3.6.2, a whole generation away. The other bigger problem is, get too far out and you might not ever be able to patch. You'll have to run a new install and import the data.

Originally posted by Rock_It
The deal with upgrades is you have to know whether you can upgrade without causing issues with what you have. Many of these forums have mods to the software, many of them have tricks coded in, many of them have "special tools", all of that has to be compatible. It's not as simple as just upgrading to the next version. Some versions have more bugs and can cause more issues than if you left it alone. They just got the e-mail server working again. I hate spam too, but they will deal with it. It's not like it's taking over here or anything. The mods have this place well under control. Spammers are dealt with severely...they are banned. I know the post you guys saw. Trust me, they just haven't seen it yet. They will, and they will definitely ban the sucker. I can assure you of that. I bet by 10am at the latest it'll be gone. Give them time to get up, get woke up, go to work or whatever they need to do in their lives, and they'll check in.
 
Who knows, it depends on the mods that they put in and the stacking, and the “expertise” of the people doing it. It also depends on the version of the backend…if you are too out of step with the backend PHP and mySQL, you will have problems.
But this is a pretty unmodded vB install. As well it wasn't the vB not working with the mods, it was really the mods not working with the new vB. If you have highly modified vB installs, it's best to unstack the mods. Not upgrading due to mods is really a bad practice. It leaves you open to hacking. In many cases hosting companies will shut down your site if you get too far out of step as it puts the whole server at risk.

And yes, upgrades are about not allowing spam. These are automated login bots, not some guy sitting there creating an account then spamming and running away. It's script based, and those scripts and the vulnerability to them is addressed in the vB upgrades. Being vulnerable to the new account script is also a sign of being vulnerable to other script based attacks.

As far as the e-mail, if it’s forum notification, that’s a vB issue, if it’s a pop e-mail system…that’s something else.
It might actually be that for the vB to upgrade they also have to upgrade the back end.


Originally posted by Rock_It
Explain to me why my online "buddy store" went and exploded 2 versions ago over at ADO. When we went to the backup the problems disappeared. The only difference was the upgrade. They don't always work with 3rd party add-ons.

This is not really an upgrade issue anyway. You'll never be able to stop people from signing on. The last one we saw was an actual user. That wasn't a bot driven post. Somebody actually posted that. The mods have to get those.

In fact, it's 7:58am, and the spammer is gone...beat the 10am by 2 hours. Now that's better moderating than I'd expect from anyone. Heck, it's free too. :)
 
Originally posted by wilsotr
Be careful what you ask for .... I liked Rocketry Online a lot until it was "upgraded."

Definitely a point to ponder.
 
Most of the upgrades are not even visible to the user; it's more an issue of security. I guess my concern is, if they can script hack for login...then they can script hack to the root of the drive in many cases.

Originally posted by wilsotr
Be careful what you ask for .... I liked Rocketry Online a lot until it was "upgraded."
 
Running a registration script is way different than trying to hack into the admin IDs of the forum, which you would need to hack into the root directory.

Right now, the issue of an upgrade is not a monetary issue...it's about free time. The admins just don't have a solid chunk of time to do a full backup and then the upgrade. Since the version that TRF runs on and the latest version are several increments apart now, upgrading *can* be an issue for stability, so we want to have the "insurance policy" to fall back on if needed.

CQBArms is correct that, in the event of an upgrade, you probably wouldn't see much change up front.
 
The versions that are susceptible to the automated login script are vulnerable to multiple cross-site scripting flaws, which will give access to root and allow for a replace or placement of an index.html file used as a "tag" for hackers as well as some other fun stuff.
As of August 2006 support for higher versions (2.3.x and 3.0.x) has been terminated, so the concern is at some point (and really now), it may be a complete install over interim patches. Sometimes that's good.
I offer this only as a talking point, not a criticism at all of the forum, the software, or the management.

Respectfully submitted


Originally posted by KermieD
Running a registration script is way different than trying to hack into the admin IDs of the forum, which you would need to hack into the root directory.

Right now, the issue of an upgrade is not a monetary issue...it's about free time. The admins just don't have a solid chunk of time to do a full backup and then the upgrade. Since the version that TRF runs on and the latest version are several increments apart now, upgrading *can* be an issue for stability, so we want to have the "insurance policy" to fall back on if needed.

CQBArms is correct that, in the event of an upgrade, you probably wouldn't see much change up front.
 
I believe you're misinterpreting what is going on with the bots as an "automated login script". The auto-registry bots are merely crawling the Web for BB sites and autocompleting a standardized form. The feature that prevents that in current versions is merely the insistence that a user fill in the "type the code you see in this image" field. There's really no script-insertion involved and what's going on in this situation is completely unrelated to cross-site scripting.
 
I am pointing out that the heritage (age) of the version that is running now is vulnerable to at least the following:

Scripted registration and posting bots
Scripts for index.html insertion
Scripts for cross posting

By upgrading you get rid of all the above problems and a few more that we haven't discussed. I am not saying that a posting bot will do an index.html insert but the same technology (an automated bot) will crawl the web looking for weak sites and run exploits as easily as the posting bots are regging and posting.
The cross site scripting was patched in 2.3.10 and the recommended "patch" was a new install.
https://www.vbulletin.com/forum/showthread.php?t=194063

3.0.15 fixed security flaws with XSS

3.5.5 fixed more of this.

And again, as the versions get further and further away from the one the system is using, the more work it becomes and any hacks or mods may be several generations out as well.

Originally posted by KermieD
I believe you're misinterpreting what is going on with the bots as an "automated login script". The auto-registry bots are merely crawling the Web for BB sites and autocompleting a standardized form. The feature that prevents that in current versions is merely the insistence that a user fill in the "type the code you see in this image" field. There's really no script-insertion involved and what's going on in this situation is completely unrelated to cross-site scripting.
 
If you will research the vulnerabilities in the version currently used on TRF, you will not see an index.html insertion scripting vulnerability. The only insertion vulnerability out there is one that allows you to perform new SQL searches across the entire database, including the mod and admin forums. Since vB references this info in SQL by thread and post number and not by name, you would have to make a lucky guess to actually find anything in a restricted area.

The cross-site scripting vulnerability that you reference in your link was subsequently shown to be a hoax and, even were it not a hoax, would not have compromised any internal directories were it to be used in an attack.
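KermieD describes the one insertion flaw he knows of for this version as letting an attacker run new SQL searches across the whole database, including the mod and admin forums. The following is an added example, not code from this thread, from TRF, or from vBulletin: it sketches that class of flaw on a constructed SQLite schema, with a hypothetical search routine that pastes the search term straight into the SQL next to a parameterized version that does not. The table layout, the sample posts, the forum ids and the INJECTION string are all made up for illustration.

```python
import sqlite3

# Constructed sample data (not TRF's or vBulletin's schema): one public forum,
# one forum restricted to moderators, and four posts spread across them.
SCHEMA = """
CREATE TABLE forum (forumid INTEGER PRIMARY KEY, title TEXT, restricted INTEGER);
CREATE TABLE post  (postid INTEGER PRIMARY KEY, threadid INTEGER,
                    forumid INTEGER, pagetext TEXT);
"""
FORUMS = [(1, "General", 0), (9, "Moderators", 1)]
POSTS = [
    (1, 1, 1, "Kit review: my first mid-power build"),
    (2, 2, 1, "Launch report, Saturday field"),
    (3, 5, 9, "MOD ONLY: ban list and spammer IPs"),
    (4, 5, 9, "MOD ONLY: upgrade schedule and backup plan"),
]

# Hypothetical payload: closes the LIKE string and ORs in a tautology, so the
# WHERE clause matches every row regardless of the forum restriction.
INJECTION = "' OR 1=1 OR '"


def build_db():
    """Create the in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO forum VALUES (?, ?, ?)", FORUMS)
    conn.executemany("INSERT INTO post VALUES (?, ?, ?, ?)", POSTS)
    return conn


def search_vulnerable(conn, term, visible_forums):
    """Hypothetical flawed search: the user's term is spliced into the SQL.

    The forum filter is the only thing keeping restricted posts out of the
    result, and a term containing a quote rewrites the WHERE clause around it.
    """
    ids = ",".join(str(f) for f in visible_forums)
    sql = ("SELECT postid, threadid, forumid, pagetext FROM post "
           f"WHERE forumid IN ({ids}) AND pagetext LIKE '%{term}%'")
    return conn.execute(sql).fetchall()


def search_safe(conn, term, visible_forums):
    """Parameterized search: the term is bound as data, never parsed as SQL."""
    placeholders = ",".join("?" for _ in visible_forums)
    sql = ("SELECT postid, threadid, forumid, pagetext FROM post "
           f"WHERE forumid IN ({placeholders}) AND pagetext LIKE ?")
    return conn.execute(sql, (*visible_forums, f"%{term}%")).fetchall()


def leaked_restricted(conn, rows):
    """Return the rows that came from a forum flagged as restricted."""
    restricted = {f for (f,) in conn.execute(
        "SELECT forumid FROM forum WHERE restricted = 1")}
    return [row for row in rows if row[2] in restricted]


if __name__ == "__main__":
    db = build_db()
    # A guest may only see forum 1. An honest term behaves the same both ways.
    print("honest, vulnerable:", search_vulnerable(db, "Launch", [1]))
    print("honest, safe:      ", search_safe(db, "Launch", [1]))
    # The injected term pulls the moderator-only posts through the flawed path
    # and returns nothing through the parameterized one.
    hit = search_vulnerable(db, INJECTION, [1])
    print("injected, vulnerable leaked:", leaked_restricted(db, hit))
    print("injected, safe:             ", search_safe(db, INJECTION, [1]))
```

The point of the side-by-side is the one KermieD makes: the injected query reaches rows the forum filter was supposed to hide, and it does so by post and thread number, so the attacker still has to guess which ids are worth reading. The parameterized version removes the flaw without changing the legitimate search results.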
 
So we agree to disagree on the need for upgrading the software. Such is life.


Originally posted by KermieD
If you will research the vulnerabilities in the version currently used on TRF, you will not see an index.html insertion scripting vulnerability. The only insertion vulnerability out there is one that allows you to perform new SQL searches across the entire database, including the mod and admin forums. Since vB references this info in SQL by thread and post number and not by name, you would have to make a lucky guess to actually find anything in a restricted area.

The cross-site scripting vulnerability that you reference in your link was subsequently shown to be a hoax and, even were it not a hoax, would not have compromised any internal directories were it to be used in an attack.
 
Originally posted by CQBArms
So we agree to disagree on the need for upgrading the software. Such is life.

:D I'm with ya bud...after watching 6 different sites running outdated, unsupported versions get hacked and slammed and lose 90% of their data I am definitely pro upgrade. Shootersville is at 3.5 now and is scheduled for the latest upgrade (3.6.2 I believe) on 11/10.

For me it is a time issue as well or it would have already been done. My wife and I own a small grocery, I have a full time job, a great family, a busy website, and a rocket fetish.:D
 