Simple Machines Community Forum

Archived Boards and Threads... => Archived Boards => SMF Feedback and Discussion => Topic started by: SiL on February 28, 2011, 12:47:23 AM

Title: Tapatalk & Security
Post by: SiL on February 28, 2011, 12:47:23 AM
I note that Tapatalk is not currently listed as an "approved?" mod.  Whilst I assume there may be compliance issues for copyright and linking with commercial s/w operations, my question relates to potential security flaws in Tapatalk.

For the coders who eat, sleep and breathe SMF and its mods, does the construction of Tapatalk, the .js detection and the separate folders with the mobiquo section and the 755 permissions make it a much more likely target for security compromises?

I'd hate to think what might happen if such were the case - it's bad enough with the constant spam scanning for open forums.

opinions?
Title: Re: Tapatalk & Security
Post by: Dragooon on February 28, 2011, 01:08:31 AM
No? How can a separate folder with 755 permission even remotely create a security hole? The best chance of security flaw is when the mod itself allows unauthorized data to be passed which it does not. Tapatalk is not present at the modsite maybe because the author didn't intend to.
Title: Re: Tapatalk & Security
Post by: Aleksi "Lex" Kilpinen on February 28, 2011, 01:17:45 AM
Quote from: Dragooon on February 28, 2011, 01:08:31 AM
No? How can a separate folder with 755 permission even remotely create a security hole?
For example by using that folder to place static Source files in it, that will not be patched if and when SMF is patched.

Quote from: Dragooon on February 28, 2011, 01:08:31 AM
The best chance of security flaw is when the mod itself allows unauthorized data to be passed which it does not. Tapatalk is not present at the modsite maybe because the author didn't intend to.
Tapatalk is not present at the modsite, because it had some legal issues regarding Simple Machines copyrights and Simple Machines code usage. AFAIK these have been fixed, but the fixed mod is still pending approval.
Title: Re: Tapatalk & Security
Post by: Arantor on February 28, 2011, 03:32:30 AM
Quote
For example by using that folder to place static Source files in it, that will not be patched if and when SMF is patched.

If it's outright duplicating SMF files, I guess that could be an issue, but a separate folder on its own is not a security risk. If it were, SimpleDesk would be a security risk since it puts all its source files in a separate folder within the Sources folder.

Quote
Tapatalk is not present at the modsite, because it had some legal issues regarding Simple Machines copyrights and Simple Machines code usage. AFAIK these have been fixed, but the fixed mod is still pending approval.

Interesting... it didn't have that when I last looked.
Title: Re: Tapatalk & Security
Post by: SiL on February 28, 2011, 04:29:28 AM
As I recall the author of TinyPortal probably never intended that one of its WYSIWYG modules in the .9x series would become a security risk either, but hey, ****** happens even when you think you have all the bases covered.

So at the level of the architecture of add-on mods, does the design of add-on mods like Tapatalk with its standalone folder make it more of a target and more vulnerable than an integrated mod that may be afforded more protection by being tightly integrated within the SMF structure? (e.g. recursive directory protection / .htaccess)

What about code injection into that .js detection file. If mod installers have to manually change file permissions, doesn't this present a greater risk of leaving write permissions in places there shouldn't be?

?
Title: Re: Tapatalk & Security
Post by: Aleksi "Lex" Kilpinen on February 28, 2011, 04:32:51 AM
Quote from: Arantor on February 28, 2011, 03:32:30 AM
Quote
For example by using that folder to place static Source files in it, that will not be patched if and when SMF is patched.

If it's outright duplicating SMF files, I guess that could be an issue, but a separate folder on its own is not a security risk. If it were, SimpleDesk would be a security risk since it puts all its source files in a separate folder within the Sources folder.

Quote
Tapatalk is not present at the modsite, because it had some legal issues regarding Simple Machines copyrights and Simple Machines code usage. AFAIK these have been fixed, but the fixed mod is still pending approval.

Interesting... it didn't have that when I last looked.
To the first - Basically, it was doing just that - distributing near complete copies of files from /Source/ to be included in /mobique/ and well, this explains the second as well.
Title: Re: Tapatalk & Security
Post by: Arantor on February 28, 2011, 04:46:21 AM
Quote
So at the level of the architecture of add-on mods, does the design of add-on mods like Tapatalk with its standalone folder make it more of a target and more vulnerable than an integrated mod that may be afforded more protection by being tightly integrated within the SMF structure? (e.g. recursive directory protection / .htaccess)

No, it doesn't. Just as SimpleDesk isn't any more a risk.

Quote
What about code injection into that .js detection file.

No more a risk than anything else.

Quote
If mod installers have to manually change file permissions, doesn't this present a greater risk of leaving write permissions in places there shouldn't be?

On properly configured hosts this wouldn't be an issue generally, but sadly it often is an issue. Any mod that requires the ability to edit files is a risk - but a calculated one.
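The two concrete risks the thread settles on are a mod folder carrying its own copies of core Sources files (which silently fall behind when the core is patched) and write permissions left behind by a manual chmod step. The following audit script is an added example, not code from the thread or from SMF or Tapatalk; it builds a constructed sample install in a temporary directory, with hypothetical folder names `Sources` and `mobiquo` and made-up file contents, then reports stale duplicates by comparing SHA-256 hashes of same-named files, and lists any path with group- or world-write bits set.

```python
"""Audit a forum add-on folder for two risks: stale copies of core source
files that will not receive core patches, and over-permissive write bits.
Added example; the folder and file names below are constructed."""
from __future__ import annotations

import hashlib
import stat
import tempfile
from pathlib import Path

CORE_NAME = "Sources"   # hypothetical core folder name
MOD_NAME = "mobiquo"    # hypothetical add-on folder name


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_stale_copies(core_dir: Path, mod_dir: Path) -> list[dict]:
    """Mod files whose basename matches a core file, flagged 'drifted'
    when their content no longer matches the live core file."""
    core: dict[str, Path] = {}
    for p in core_dir.rglob("*.php"):
        if mod_dir in p.parents:          # ignore the mod if it lives inside core
            continue
        core[p.name] = p
    findings = []
    for p in mod_dir.rglob("*.php"):
        if p.name in core:
            findings.append({
                "mod_file": str(p.relative_to(mod_dir)),
                "core_file": str(core[p.name].relative_to(core_dir)),
                "drifted": sha256_of(p) != sha256_of(core[p.name]),
            })
    return sorted(findings, key=lambda f: f["mod_file"])


def find_writable(root: Path) -> list[str]:
    """Paths under root (files or directories) writable by group or others."""
    bad = []
    for p in root.rglob("*"):
        mode = p.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue                      # symlink bits are meaningless here
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(str(p.relative_to(root)))
    return sorted(bad)


def _write(path: Path, text: str, mode: int) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    path.chmod(mode)


def build_sample_tree() -> Path:
    """Constructed sample install: a patched core, a mod folder holding one
    identical copy, one stale copy, and a world-writable detection script."""
    root = Path(tempfile.mkdtemp())
    core, mod = root / CORE_NAME, root / MOD_NAME
    _write(core / "Load.php", "<?php // core loader v2\n", 0o644)
    _write(core / "Subs-Post.php", "<?php // core post handling, patched\n", 0o644)
    _write(mod / "Load.php", "<?php // core loader v2\n", 0o644)
    _write(mod / "Subs-Post.php", "<?php // core post handling, OLD copy\n", 0o644)
    _write(mod / "detect.js", "// mobile detection stub\n", 0o666)
    for d in (core, mod):
        d.chmod(0o755)                    # pin dir modes regardless of umask
    return root


def audit(root: Path) -> dict:
    return {
        "stale": find_stale_copies(root / CORE_NAME, root / MOD_NAME),
        "writable": find_writable(root),
    }


if __name__ == "__main__":
    report = audit(build_sample_tree())
    for f in report["stale"]:
        state = "DRIFTED" if f["drifted"] else "identical"
        print(f"{f['mod_file']:<16} copies {f['core_file']:<16} {state}")
    for w in report["writable"]:
        print(f"group/world-writable: {w}")
```

Run against a real install by pointing `audit()` at the web root with the folder names adjusted; a `drifted` entry means the core patch never reached the mod's copy, and anything in `writable` is a spot where a manual chmod was never reverted.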
Title: Re: Tapatalk & Security
Post by: SiL on February 28, 2011, 06:11:55 PM
Thank you, Arantor :)