Tapatalk & Security

Started by SiL, February 28, 2011, 12:47:23 AM

SiL

I note that Tapatalk is not currently listed as an "approved?" mod.  Whilst I assume there may be compliance issues for copyright and linking with commercial s/w operations, my question relates to potential security flaws in Tapatalk.

For the coders who eat, sleep and breathe SMF and its mods, does the construction of Tapatalk, the .js detection and the separate folders with the mobiquo section and the 755 permissions make it a much more likely target for security compromises?

I'd hate to think what might happen if such were the case - it's bad enough with the constant spam scanning for open forums.

opinions?

Dragooon

No? How can a separate folder with 755 permission even remotely create a security hole? The best chance of security flaw is when the mod itself allows unauthorized data to be passed which it does not. Tapatalk is not present at the modsite maybe because the author didn't intend to.

Aleksi "Lex" Kilpinen

Quote from: Dragooon on February 28, 2011, 01:08:31 AM
No? How can a separate folder with 755 permission even remotely create a security hole?
For example by using that folder to place static Source files in it, that will not be patched if and when SMF is patched.

Quote from: Dragooon on February 28, 2011, 01:08:31 AM
The best chance of security flaw is when the mod itself allows unauthorized data to be passed which it does not. Tapatalk is not present at the modsite maybe because the author didn't intend to.
Tapatalk is not present at the modsite, because it had some legal issues regarding Simple Machines copyrights and Simple Machines code usage. AFAIK these have been fixed, but the fixed mod is still pending approval.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

Quote from: Aleksi "Lex" Kilpinen
For example by using that folder to place static Source files in it, that will not be patched if and when SMF is patched.

If it's outright duplicating SMF files, I guess that could be an issue, but a separate folder on its own is not a security risk. If it were, SimpleDesk would be a security risk since it puts all its source files in a separate folder within the Sources folder.

Quote from: Aleksi "Lex" Kilpinen
Tapatalk is not present at the modsite, because it had some legal issues regarding Simple Machines copyrights and Simple Machines code usage. AFAIK these have been fixed, but the fixed mod is still pending approval.

Interesting... it didn't have that when I last looked.
Holder of controversial views, all of which my own.


SiL

As I recall the author of TinyPortal probably never intended that one of its WYSIWYG modules in the .9x series would become a security risk either, but hey, ****** happens even when you think you have all the bases covered.

So at the level of the architecture of add-on mods, does the design of add-on mods like Tapatalk with its standalone folder make it more of a target and more vulnerable than an integrated mod that may be afforded more protection by being tightly integrated within the SMF structure? (e.g. recursive directory protection / .htaccess)

What about code injection into that .js detection file. If mod installers have to manually change file permissions, doesn't this present a greater risk of leaving write permissions in places there shouldn't be?

?

Aleksi "Lex" Kilpinen

Quote from: Arantor on February 28, 2011, 03:32:30 AM
Quote from: Aleksi "Lex" Kilpinen
For example by using that folder to place static Source files in it, that will not be patched if and when SMF is patched.

If it's outright duplicating SMF files, I guess that could be an issue, but a separate folder on its own is not a security risk. If it were, SimpleDesk would be a security risk since it puts all its source files in a separate folder within the Sources folder.

Quote from: Aleksi "Lex" Kilpinen
Tapatalk is not present at the modsite, because it had some legal issues regarding Simple Machines copyrights and Simple Machines code usage. AFAIK these have been fixed, but the fixed mod is still pending approval.

Interesting... it didn't have that when I last looked.
To the first - Basically, it was doing just that - distributing near complete copies of files from /Sources/ to be included in /mobiquo/ and well, this explains the second as well.
Arantor

Quote from: SiL
So at the level of the architecture of add-on mods, does the design of add-on mods like Tapatalk with its standalone folder make it more of a target and more vulnerable than an integrated mod that may be afforded more protection by being tightly integrated within the SMF structure? (e.g. recursive directory protection / .htaccess)

No, it doesn't. Just as SimpleDesk isn't any more a risk.

Quote from: SiL
What about code injection into that .js detection file.

No more a risk than anything else.

Quote from: SiL
If mod installers have to manually change file permissions, doesn't this present a greater risk of leaving write permissions in places there shouldn't be?

On properly configured hosts this wouldn't be an issue generally, but sadly it often is an issue. Any mod that requires the ability to edit files is a risk - but a calculated one.
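An added example, not code from this thread, from SMF or from Tapatalk, that checks an install for the two concerns raised above: Lex's point that copies of Sources/ files inside a mod's own folder will never be touched when SMF is patched, and Arantor's point that a mod which makes admins chmod things by hand often leaves write permissions where they should not be. The folder name mobiquo comes from the thread; every file name and the sample tree built by make_fixture are constructed for illustration and are not real Tapatalk files.

```shell
#!/bin/sh
# Added example (not from the thread, SMF or Tapatalk).  Audits a mod's
# standalone folder for:
#   (a) .php files that duplicate a file in SMF's Sources/ - SMF's patch
#       process will not update these, and they may already have diverged;
#   (b) files or directories left world-writable after a manual chmod.
# The folder name "mobiquo" and all file names are assumptions.

# audit_mod_dir SMF_ROOT MOD_DIR
# Prints one line per finding, prefixed DUPLICATE:, STALE: or WRITABLE:.
audit_mod_dir() {
    smf_root=$1
    mod_dir=$2

    # (a) Same basename as a file in Sources/ means a copy SMF will not
    #     patch.  Equal checksums: verbatim copy, stale after the next SMF
    #     patch.  Different checksums: the two have already diverged.
    find "$mod_dir" -type f -name '*.php' -print | while read -r f; do
        base=$(basename "$f")
        orig="$smf_root/Sources/$base"
        [ -f "$orig" ] || continue
        if [ "$(cksum < "$f")" = "$(cksum < "$orig")" ]; then
            echo "DUPLICATE: $f is a verbatim copy of Sources/$base (will not be patched with SMF)"
        else
            echo "STALE: $f differs from Sources/$base (copy and original have diverged)"
        fi
    done

    # (b) -perm -002 is POSIX find syntax for "the other-write bit is set".
    find "$mod_dir" -perm -002 -print | while read -r f; do
        echo "WRITABLE: $f is world-writable"
    done
}

# count_findings SMF_ROOT MOD_DIR -> number of finding lines (0 is not an error)
count_findings() {
    audit_mod_dir "$1" "$2" | grep -c -E '^(DUPLICATE|STALE|WRITABLE): ' || true
}

# make_fixture -> path of a throwaway SMF-like tree (constructed sample data)
make_fixture() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/Sources" "$root/mobiquo/cache"
    printf '<?php // Subs.php v1\n' > "$root/Sources/Subs.php"
    printf '<?php // Load.php v2 (patched)\n' > "$root/Sources/Load.php"
    cp "$root/Sources/Subs.php" "$root/mobiquo/Subs.php"      # verbatim copy
    printf '<?php // Load.php v1\n' > "$root/mobiquo/Load.php" # copy of the unpatched file
    printf '<?php // mod code\n' > "$root/mobiquo/mobiquo.php" # the mod's own file, no match
    printf 'key=x\n' > "$root/mobiquo/config.php"
    chmod 666 "$root/mobiquo/config.php"   # the "chmod until it works" mistake
    chmod 777 "$root/mobiquo/cache"
    echo "$root"
}

# Stand-alone use: sh audit.sh /path/to/smf /path/to/smf/mobiquo
if [ $# -eq 2 ]; then
    audit_mod_dir "$1" "$2"
fi
```

A DUPLICATE line is not a vulnerability by itself; it marks a file that will silently fall behind the next SMF security patch, which is exactly the situation Lex describes. WRITABLE lines are the ones to fix immediately: the web server should own or write to only the directories SMF itself needs to write.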