Thank you morrus!
<blockquote data-quote="Cergorach" data-source="post: 6061455" data-attributes="member: 725"><p>Thanks Morrus and friends that have been hard at work at updating the website! I'm currently not in any position to support financially, but have time and IT knowledge, so if you need that let me know.</p><p></p><p>As for the ENworld 'hack', this isn't exactly shocking, according to the old website it was running vBulletin 3.8.5, which means that there were no updates done for almost 2.5 years. Which isn't smart. And while 3.8.6 and 3.8.7 didn't patch any security holes by themselves, 3.8.7 PL1 did address a security hole which was present in the whole 3.8.x series, not to mention PL2 and PL3 for 3.8.7. vBulletin 3.8 is also End of Life since 4 September 2012, so no more security patches since that date. That also means that there's been a known security hole for 2-17 months at ENworld.</p><p></p><p>Another option could be that the custom code had security holes in it and depending on how the custom code was implemented it could have made the rest of the code compromised as well. If the custom code was also not modular (thus core changes instead of plugins/modules/etc.) it could also explain why the site wasn't updated to the latest security patches.</p><p></p><p>The 10.000GBP worth of 'lost' code isn't exactly lost I suspect, I suspect that it's not compatible with vBulletin 4.x, which doesn't exactly make it the fault of the hacker. It's part of the life cycle of software, something a lot of folks seem to forget, not just Morrus, but folks that run a lot bigger operations than Enworld (monetary wise). (Custom) software that runs on version x might not work on version x+1 and version x will not be supported to infinity.
Which doesn't make the situation any less sucky of course.</p><p></p><p>I can't for the life of me find out what the life cycle for vBulletin 4.2 is (when it's End of Life), not to mention that vBulletin 5 (Connect) is already running in beta for a few months and is less than perfect (depending on who you talk to). So, if I might give some unsolicited advice, don't spend another 10.000GBP on custom code until you know how long vBulletin 4.2.x is supported with security updates. And if you spend any money on custom code, make sure it's modular enough so you can do security patches during the entire life cycle.</p></blockquote><p></p>