Old Ass Security Updates

Discussion in 'Board War' started by Kent.S, Nov 4, 2017.

  1. AndyB has just posted in about 42 or so of his mods an update that actually is only reporting security issues that were fixed obout two years ago. Seems they had SQL vulnerabilities or XSS vulnerabilities, but were never actually disclosed to the users.

    Wonder what happened to make him want to do that? :emoji_thinking:

  2. Wow. 2 years later, he's describing the fix?

    Did somebody get hacked using one of his add-ons?
    • Agree Agree x 1
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. I am dumbfounded that these issues were left unreported for this long.
  4. Well, it may have to do with the fact that he was not using prepared statements in his SQL.

    This update from one of his mods in December 2015 casually mentioned that he started using prepared statements.
    Forum Moderators - Updates

    He may not have even realized how big of a security risk it was at the time, until a nefarious sort saw the potential in his add-on(s), found a site running an old version of it, and hacked it.

    Maybe xenforo got involved, reviewed the add-on, and told him to make sure he's using prepared statements and put out a notice?

    This is pure speculation on my part.
    • Like Like x 1
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. When the XF2 demo was up and running. It was pointed out to him then on that forum he should be using prepared statements. Looked as though he had not been using them then, could be somebody picked up on it and either checked the code in his mods and reported it back to him that there was vulnerabilities, or somebody may have spotted it looking at his mods to hack another site using them.

    He is a sneaky because he takes everything to private messages all the time on XenForo so nothing gets seen or read in public about his mods.
  6. If that is the case(speculation) then he has no business releasing any addons. Many times he has updated his addons with something as simple as "Updated PHP", WTH is that? More possible security flaws?
    • Agree Agree x 1
    • Useful Useful x 1
  7. 1) They are not being updated, he is simply disclosing a previous update that gives the security issues.
    2) Most of the addons are available on XF. It does not matter where the download is hosted, that has no bearing on security issues in the code!
    • Agree Agree x 1
  8. He probably should have made a better attempt of what the implications were when he updated his add-ons to use prepared statements. But in his defense, all you can really do now is let people know about the situation.

    I doubt that all of his add-ons had this flaw, but he needed to update them all just to try to remind people to make SURE they get a recent version.
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. So yeah, Xenforo told him to put out a more informative post about the issue, and the security problem that can come about if the add-ons aren't updated.

    Chris D
    We became aware that some customers may have still been using vulnerable versions and the disclosure prior was far too vague which may account for the reasons some customers haven’t yet updated.

    We requested that the updates were posted to a) remind customers that they should update if they haven’t already and b) ensure the disclosure meets the guidelines we posted some time ago.

    They all mostly relate to a SQL injection vulnerability which has been fixed for some time but if you have any of those add ons installed and haven’t updated them then that should be done ASAP.
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  10. LOL

    Try to figure out the English language, Gary.
  11. The danger of using one man show add on.
  12. No, the danger of using poorly coded add-ons.

    Many of those released at XF are so called "one man show."

    I'd take every single one of Bob B's addons over ANY "team" or "company" add-on released. Without hesitation.
    • Agree Agree x 1
  13. Since this site seems to be populated with people that have a good amount of experience with various coders/addons, combined with a total lack of holding back of any sort of opinion, what does everyone really truly thing of AndyB's addons - XF1.x or 2.x...and why. Go.
  14. I've never used Andy's add-ons. And i don't think I've ever conversed with him.

    He does tend to use different coding standards in some of the add-ons I've seen. I think he tends to copy and paste things from other areas of xenforo, when there might be a better way to donsometjing,, or maybe he doesn't understand how some functions are supposed to work.

    That is pretty common though, as a lot of early add-on development is pretty varied between devs when there isn't much for or best practices published.

    Some questions he asks asks though make we wonder how any of his add-ons work, lol. Maybe I just don't follow his thought process.

    He doesn't seem to engage in issues and problems much. Most of the time, they are ignored, or he issues a fix without much explanation.
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  15. ^^ this...I've really never been able to understand why he does this, it just seems odd to me. I've posted on his thread about an issue and when it gets resolved he's asked me to edit or delete the comment...really weird.

    Or when you ask a question about a functionality of an addon, he won't post the reply in public, he'll PM you the answer. So his resource discussion threads are filled with questions that appear unanswered. To me it seems like if one person has the question, 30 more do but don't ask. More people would use his addons if he explained how they worked to everyone when one person asks the question.

    All of that is just annoying at the worst. But he's got a lot of simple yet useful addons that are basically free compared to what most are charging. Like for instance, the auto-move thread one, I wanted one that had a little more flexibilty so he made auto-move-plus, still doesn't do exactly what I wanted but I'd pay $25 for that level of functionality and get access to all 100+ of his other addons in the process.

    Meanwhile, I'm quoted $400 to have exactly what I want done in XF2 and $350 for XF1, the only difference being that the thread starter can control how long before the thread is moved.

    I'm thinking $25 for 80% of what I want is a pretty fucking good deal compared to that.

    But, is the code solid. That's what matters.
  16. Also FWIW I've talked on the phone with Andy, he helped me out with a problem I was having early on in my Xenforo experience and he's a really nice guy, very helpful.
  17. It's been pointed out by several developers that he doesn't use any best practices (such as DataWriters in XF1 or Entities in XF2), and he throws random queries that don't even do anything but load a bunch of garbage data the never even touches into controllers. I'd be scared to see the performance of any site that uses any of his add-ons that do anything with any sort of data.

    Just for an example, not using the DataWriter for a lot of things he does (An example being his add-on that converts img tags into attachments) will break any other add-on that does anything with attachments. For example, I use Goodie2shoe's add-on that runs attachments through kraken, doesn't work if you use Andy's garbage add-on because he doesn't use a datawriter, so no other add-on knows that it exists, he just randomly inserts it and then tells people it's a server issue when shit breaks because of this.
    • A Little Gay A Little Gay x 1
  18. So, in the example of image tags > attachments, this is the hot topic since photobucket fucked everyone over. His "convert image all" addon is one that I was planning to run, maybe that's not such a good idea...am I reading you right?

    If not, there must be a way to do what that addon does, except without breaking things...
  19. Removing (or preventing) the tracking of any stupidity he may show in public?
    I personally won't use any of his stuff - just on general principles. Also, I generally don't need to use remove-ons (which he was well known for). Many of his add-ons are simple enough to replicate without needing an add-on to do it.
    He's probably learning, but doesn't want to reveal his level of incompetence (at that time) to the general public.
  20. I wouldn't touch a single one of his add-ons with a 10 foot pole. I doubt his add-on will even work with Photobucket since with that it's not just a matter of downloading the image from the PhotoBucket URL and converting it to an attachment, they did some nasty trickery with it that you have to dick around with.

    He constantly reveals his incompetence. The old xenforo 2 demo site was full of him asking how to do things, getting answers from Chris on exactly what to do, and then doing the exact opposite and saying either:

    1. It works perfectly (when in reality it'll break other shit)


    2. It didn't work (when Chris gave him the exact code to use)
    • A Little Gay A Little Gay x 1