
Have you modified Vanilla core files?

Srggamer HardCore Gamer ✭✭✭

Hello people, today I have a little question for you, and it is: "Have you modified core Vanilla files?" By this I do not mean themes or plugins, to new users. I am wondering how many people out there/here have modified their core files to suit them, improving things or removing (and replacing) things which they needed/didn't. So here I get to the part where I ask: why? What forum/community administrator may feel the need to edit those files to improve his/her forum, and what can they improve in how their community runs? By doing this, do they open up "holes" which a hacker can use to infiltrate your website? By doing this, what do you think they are trying to achieve?


Comments


    I see your point. Which is valid.

    And it is a good idea not to modify core, and better to change theme, plugin, etc. than to modify the core, just for the purpose of maintaining the ability to do a quick upgrade if a security fix comes out. If you mess with the core, you put yourself more at risk, because you say to yourself "I made so many changes I can't really upgrade now".

    If you don't have much experience or understand how vanilla works, it probably isn't a good idea to modify the core, simply because you might be modifying something and not know the subtle ramifications to your changes.

    However the same could be said "about putting in holes" if a forum owner writes a plugin, puts in a theme hook, etc and doesn't code correctly the proper safeguards to prevent injection, abuse via js etc. The difference being if it is a plugin or a theme, you can quickly undo changes with a click of the disable button.

    Aside from strictly CSS modifications, modifications to PHP, writing to the database, and JS modifications can all lead to opening holes, not to mention poor passwords and not keeping the core up to date with security fixes.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

    vrijvlinder Papillon-Sauvage MVP

    Most people edit the core files because they don't know how to apply changes otherwise. Editing core files only works until you update and then you need to do what you did all over again.

    People who know what they are doing may actually find a bug by modifying the core files. Or fix a bug by modifying the core files.

    Most people create bugs when they modify the core files.

    Why? What Forum/community administrator may feel the need to edit those files to improve his/hers forum what can they improve on how there community runs?

    If they know what they are doing it is ok. It is their forum and they can do whatever they want.

    By doing this do they open up "Holes" in which a hacker can use to infiltrate your website?

    If they know what they are doing it is not likely. If they do not know what they are doing there is a big chance.

    By doing this what do you think they are trying to achieve?

    To mold the software to their own particular need and they maintain the security updates and other updates for the library without updating the rest after they have modified it to suit their needs.

    Srggamer HardCore Gamer ✭✭✭

    @peregrine & @vrijvlinder

    I would like to thank both of you for your input. You stated valid reasons and gave me a more in-depth understanding of Vanilla core. While we are on this subject, Peregrine, you code a lot of great plugins; could one simple mistake allow a hacker to get in?

    vrijvlinder Papillon-Sauvage MVP

    could one simple mistake allow a hacker to get in?

    Not the ones that peregrine makes :)

    I think you need to understand what hacking entails. There is the run of the mill account hacker who guesses passwords and usernames.

    But there is a more dangerous hacker, the one who creates malicious scripts. Some might be gaming scripts to beat the house or gain points. Some are to steal your data and sell it or use it for nefarious purposes.

    There are many sites that offer hacking scripts for a variety of purposes. These are introduced as a text file or an image or even a zip file. Some people should scan any file they download and look inside before running it.

    Which is the reason why posting scripts in the editor is not allowed or certain embeds. But there are Header scripts and all sorts of malicious code they could use.

    peregrine MVP
    edited January 2014

    @Srggamer said:
    Peregrine you code a lot of great plugins could one simple mistake allow a hacker to get in?

    it depends what the simple mistake is. there are a few main things to watch out for

    sql injection
    XSS security vulnerabilities

    http://vanillaforums.org/discussion/20608/xss-security-vulnerabilities-in-many-plugins-and-core

    @mcu_hq points out a simple mistake that could be made.
    http://vanillaforums.org/discussion/comment/163436/#Comment_163436

    but at the same time a bug in a plugin does not mean you made something vulnerable.

    the great thing about posting add-ons to the vanilla add-on section (as opposed to making your own and not posting) is that you have a bit of code-review by peers and others who generally find mistakes you might have made.

    Obviously the developers of Vanilla can make simple mistakes as well that have security flaws. No one is immune. In the 90's there was a site called butraqqer or something to that effect that listed vulnerabilities of software and OSes; the point being, no one is above creating a hole, whether you are a "professional", an OS manufacturer, or a software designer, but more eyes seeing your software generally means fewer potential problems, if people are testing and trying to penetrate.

    Vulnerabilities in commonly used software are found every day.

    e.g.

    http://www.sans.org/newsletters/risk/volume14/14-1.php

    http://www.securityfocus.com/archive

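As an added example (not code from this thread, and not Vanilla's own code), here is the shape of the two plugin mistakes peregrine lists, SQL injection and XSS, each beside its fix. It is plain PHP with an in-memory SQLite table so it runs on its own; the table, rows and attacker payloads are constructed for the demo, and it assumes the pdo_sqlite extension is loaded.

```php
<?php
// Added example, not Vanilla code: SQL injection and XSS in a plugin-style
// query/render path, each shown beside the fixed version.
// Assumes PHP 7+ with the pdo_sqlite extension.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: one public and one private discussion.
$db->exec('CREATE TABLE Discussion (DiscussionID INTEGER PRIMARY KEY, Name TEXT, Body TEXT, Private INTEGER)');
$seed = $db->prepare('INSERT INTO Discussion (Name, Body, Private) VALUES (?, ?, ?)');
$seed->execute(['Public thread', 'hello world', 0]);
$seed->execute(['Staff only', 'do not leak this', 1]);

// --- SQL injection ---------------------------------------------------------

// VULNERABLE: the request value is pasted into the statement, so it can
// rewrite the WHERE clause and defeat the Private = 0 check.
function findPublicByNameUnsafe(PDO $db, string $name): array {
    $sql = "SELECT Name, Body FROM Discussion WHERE Private = 0 AND Name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the value travels as a bound parameter and can only ever be data.
function findPublicByName(PDO $db, string $name): array {
    $st = $db->prepare('SELECT Name, Body FROM Discussion WHERE Private = 0 AND Name = ?');
    $st->execute([$name]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// --- XSS -------------------------------------------------------------------

// VULNERABLE: a stored value is written straight into the page.
function renderTitleUnsafe(string $name): string {
    return "<h2>$name</h2>";
}

// FIXED: escape at the HTML boundary; quotes are escaped too, so the value
// is also safe inside an attribute.
function renderTitle(string $name): string {
    return '<h2>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h2>';
}

// --- Demo with constructed attacker input ----------------------------------

// Turns "... AND Name = 'x' OR '1'='1'" into a clause that matches every row.
$injection = "x' OR '1'='1";
$xss       = '<img src=x onerror=alert(1)>';

$leaked = findPublicByNameUnsafe($db, $injection);
$safe   = findPublicByName($db, $injection);
printf("unsafe query returned %d rows (private row leaked: %s)\n",
       count($leaked),
       in_array('Staff only', array_column($leaked, 'Name'), true) ? 'yes' : 'no');
printf("bound query returned %d rows\n", count($safe));

printf("unsafe render:  %s\n", renderTitleUnsafe($xss));
printf("escaped render: %s\n", renderTitle($xss));
```

Run with `php example.php`: the concatenated query returns both rows, including the private one, while the bound query returns none, and the escaped title turns `<img ...>` into `&lt;img ...&gt;`. The same split applies inside a real Vanilla plugin: build queries through the bound-parameter path rather than string concatenation, and escape every user-controlled value at the point it is written into HTML.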

    Srggamer HardCore Gamer ✭✭✭

    Thank you for all the information! Really helpful. Awesome really!

    hgtonight ∞ · New Moderator

    I have not modified core files.

    I have been tempted many times.

    There is so much you can do via plugins and applications that there is virtually no reason to modify core files.

    Part of the fun of developing on this framework for me is figuring out how to override core functionality via an upgrade safe way.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.


    @hgtonight

    Part of the fun of developing on this framework for me is figuring out how to override core functionality via an upgrade safe way.

    you hit the nail on the head "upgrade safe". that is probably the primary reason not to modify core.

    so you can upgrade quick and fast in a matter of minutes, rather than weeks trying to figure out where "one" has made changes in the core.


    vrijvlinder Papillon-Sauvage MVP

    I know what people who are new to this do, I did it. I confess....

    I hacked it and then I had to unhack it when I realized a plugin would do the job. I don't recommend it however it made me more familiar with the files knowing what did what.

    businessdad Stealth contributor MVP

    I modified several core files to be able to implement plugins such as the Post Scheduler. However, the modifications are "soft mods", i.e. I made a copy of the core files in the AFC plugin. Vanilla automatically picks up the modified files before the base core ones.

    Linc Detroit Admin
    edited January 2014

    "Hacking core" is a poor choice because it disincentivizes you to keep your installation up to date (now there is extra work to every upgrade) and can have unintended consequences (like a security flaw).

    Good: Forking Vanilla in source control to maintain your change separately, allowing you to merge in new versions.

    Better: Making your change/fix work for the greater good (i.e. outside your particular context) and sending us a well-considered pull request.

    Best: Figuring out how to extrapolate the change you need into a plugin or themehook. This often includes reconsidering the change itself and how it needs to work.

    businessdad Stealth contributor MVP

    @Lincoln said:
    Best: Figuring out how to extrapolate the change you need into a plugin or themehook. This often includes reconsidering the change itself and how it needs to work.

    I absolutely agree. In fact, the changes I made were necessary just because I needed an event before some actions, and the core files did not contain it. There was no other way around it, as I needed to intercept some data before it was written, so I made a copy of the necessary files and I keep it up to date at every release. Like alcohol, such an approach is good only in moderation.

    Linc Detroit Admin
    edited January 2014

    @businessdad My recommended approach to that is for the "hack" to be the addition of a FireEvent and/or EventArguments as needed, and still extrapolate the rest to a plugin. That at least minimizes the change and makes it easier to re-implement after larger-scale code changes.

    (Maybe you did it that way; mostly saying that for the benefit of others reading)

    businessdad Stealth contributor MVP

    @Lincoln said:
    businessdad My recommended approach to that is for the "hack" to be the addition of a FireEvent and/or EventArguments as needed, and still extrapolate the rest to a plugin. That at least minimizes the change and makes it easier to re-implement after larger-scale code changes.

    (Maybe you did it that way; mostly saying that for the benefit of others reading)

    Precisely, I did exactly that. Added a FireEvent with the data I needed and did everything in the plugin. Simple and effective, and it requires practically no maintenance, as such an event is simple, doesn't have any knock-on or side effects, and any update to the core would simply mean adding one or two lines to the updated files. :)
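To make the approach Lincoln and businessdad describe concrete, here is an added example (not Vanilla's code and not businessdad's plugin): a small stand-in for Vanilla's FireEvent/EventArguments mechanism, a "core" model whose only hack is one FireEvent() call before the write, and a plugin class that intercepts the data through that event. The `<Class>_<Event>_Handler` naming follows the Vanilla 2.x convention as an assumption about the real API; the dispatcher is a simplified imitation, not Gdn_Pluggable, and the scheduling fields and inputs are constructed for the demo.

```php
<?php
// Added example, not Vanilla code. A minimal imitation of the
// FireEvent()/EventArguments pattern so the "one-line core hack plus a
// plugin" approach can be run stand-alone. Requires PHP 7+.

class Pluggable {
    /** @var array Data the core exposes to handlers of the current event. */
    public $EventArguments = [];

    /** @var array Registered handlers keyed by lowercase "class_event". */
    private static $handlers = [];

    // Register every "<Class>_<Event>_Handler" method a plugin defines.
    // (Vanilla discovers these by reflection; this does the same by name.)
    public static function registerPlugin($plugin) {
        foreach (get_class_methods($plugin) as $method) {
            $parts = explode('_', $method);
            if (count($parts) === 3 && $parts[2] === 'Handler') {
                $key = strtolower($parts[0] . '_' . $parts[1]);
                self::$handlers[$key][] = [$plugin, $method];
            }
        }
    }

    // Called by "core" code at the point where plugins may intervene.
    protected function FireEvent(string $event) {
        $key = strtolower(get_class($this) . '_' . $event);
        foreach (self::$handlers[$key] ?? [] as $handler) {
            $handler($this);   // the handler receives the firing object as $Sender
        }
    }
}

// "Core" model. The only modification to it is the FireEvent() line, which is
// all that needs re-applying when a new release overwrites the file.
class DiscussionModel extends Pluggable {
    public $rows = [];

    public function Save(array $fields) {
        $this->EventArguments['Fields'] = &$fields;   // by reference: handlers may edit it
        $this->FireEvent('BeforeSaveDiscussion');     // <-- the one-line core hack
        unset($this->EventArguments['Fields']);

        if (!empty($fields['Abort'])) {
            return false;                             // a handler vetoed the write
        }
        $this->rows[] = $fields;
        return count($this->rows);                    // stand-in for the insert ID
    }
}

// Plugin: everything else lives here and survives core upgrades untouched.
class SchedulerPlugin {
    public function DiscussionModel_BeforeSaveDiscussion_Handler($Sender) {
        $fields = &$Sender->EventArguments['Fields'];
        if (!empty($fields['PublishAt']) && strtotime($fields['PublishAt']) > time()) {
            // Future-dated post: keep it out of the listing until its time comes.
            $fields['Announce'] = 0;
            $fields['Closed']   = 1;
        }
        if (isset($fields['Body']) && stripos($fields['Body'], '<script') !== false) {
            $fields['Abort'] = true;                  // example veto: refuse raw script tags
        }
    }
}

// Demo with constructed input.
Pluggable::registerPlugin(new SchedulerPlugin());
$model = new DiscussionModel();

$id = $model->Save(['Name' => 'Later', 'Body' => 'hi', 'PublishAt' => '2099-01-01', 'Announce' => 1]);
printf("saved id=%s closed=%d announce=%d\n",
       var_export($id, true), $model->rows[0]['Closed'], $model->rows[0]['Announce']);

$id = $model->Save(['Name' => 'Bad', 'Body' => '<script>alert(1)</script>']);
printf("script post saved? %s\n", $id === false ? 'no (vetoed by plugin)' : 'yes');
```

Running it shows the future-dated post saved with Closed=1 and Announce=0, and the second post refused. The point of the shape is the upgrade story: after a core release, the diff to re-apply is the single FireEvent() line in DiscussionModel, while the plugin class needs no changes at all.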

    Srggamer HardCore Gamer ✭✭✭

    While we are on this topic. I understand Vanilla is a free-to-use forum piece of software (unless you pay for hosting). What vulnerabilities does Vanilla have? And does it have some protection against others?

    peregrine MVP
    edited January 2014

    and vrijvlinder will interpret ...


    vrijvlinder Papillon-Sauvage MVP
    edited January 2014

    @Srggamer said:
    While we are on this topic. I understand Vanilla is a free-to-use forum piece of software (unless you pay for hosting). What vulnerabilities does Vanilla have? And does it have some protection against others?

    Translated from Rusky

    do you mean "Is Vanilla Cloud or hosted plan safer than self hosted ?"

    This all has to do with how much you know about web safety. Everyone is vulnerable always. Just ask Target...

    The benefits of the hosted solution are that you do not have to worry about setting up the security or monitoring.

    Everyone can become more safe but there is no permanent lock since new ways of penetrating networks are being born every second.

    You just need to be vigilant and get informed about the latest vulnerabilities and keep updated.

    Avoid Internet Explorer.....

    Srggamer HardCore Gamer ✭✭✭

    @vrijvlinder said:
    Avoid Internet Explorer.....

    Thank you for decrypting my question. What do you mean, avoid Internet Explorer? :p Do you mean making your website viewable on IE, or is it a no-go?

    @Peregrine I shall get my revenge... (No seriously I should)

    Linc Detroit Admin
    edited January 2014

    There are 3 pieces to web security which I think are roughly equal:

    1. Software (Vanilla, your theme, plugins, updates)
    2. System (server configuration, server software, policies)
    3. Support (advice, response to incidents, assistance)

    The software is roughly equivalent between open source and the cloud, assuming you stay on top of patches religiously. We have some extra tools, but I can't think of anything specific that changes the security. The benefit to cloud is the system & support aspects are handled for you.

    Srggamer HardCore Gamer ✭✭✭

    @Lincoln said:
    There are 3 pieces to web security which I think are roughly equal:

    1. Software (Vanilla, your theme, plugins, updates)
    2. System (server configuration, server software, policies)
    3. Support (advice, response to incidents, assistance)

    The software is roughly equivalent between open source and the cloud, assuming you stay on top of patches religiously. We have some extra tools, but I can't think of anything specific that changes the security. The benefit to cloud is the system & support aspects are handled for you.

    Thank you Lincoln.
