Posted

AndyB has just posted in about 42 or so of his mods an update that actually is only reporting security issues that were fixed about two years ago. Seems they had SQL vulnerabilities or XSS vulnerabilities, but were never actually disclosed to the users.

 

Wonder what happened to make him want to do that? :emoji_thinking:

 

On Dec 31, 2015 version 2.2 of this add-on was released to address an exploitable SQL injection vulnerability. If you are still using a version of this add-on which is below 2.2 or released before Dec 31, 2015 then it is essential that you update to the latest version of the add-on as soon as possible to fix this security issue. If you have any further questions, please ask.

 

A security issue has been identified in earlier versions of this add-on. The issue allows a cross site scripting (XSS) attack to potentially be triggered via a specially crafted username. XSS issues may allow an attacker to steal data (including cookies) or force a user to take actions without their consent or knowledge (possibly including administrative actions).

 

I strongly recommend all users to upgrade to the latest version of Calendar v1.5 to resolve the issue as soon as possible.
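To make concrete what the "specially crafted username" XSS in the advisory above looks like, and what fixes it, the following is an added example; it is not code from the add-on or from XenForo. It renders a constructed username once by raw interpolation and once through HTML output encoding, and adds an input-side allow-list as defence in depth. The function names, the allow-list pattern and the sample username are this example's own assumptions.

```php
<?php
// Added example (not code from the add-on or from XenForo): a username that
// carries markup is rendered two ways, raw and HTML-encoded, to show why
// output encoding neutralises a "specially crafted username" XSS.
// All names and sample data here are constructed for the example.

declare(strict_types=1);

/** Vulnerable pattern: whatever is in the username becomes part of the page. */
function renderUsernameUnsafe(string $username): string
{
    return '<span class="username">' . $username . '</span>';
}

/** Fixed pattern: encode HTML metacharacters so the browser treats them as text. */
function renderUsernameSafe(string $username): string
{
    $encoded = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<span class="username">' . $encoded . '</span>';
}

/**
 * Defence in depth at the input side: accept only characters a username
 * legitimately needs, so markup never reaches the database in the first place.
 * This allow-list (letters, digits, space, underscore, dot, hyphen; 3-50 chars)
 * is an assumption for the example, not XenForo's username rule.
 */
function isAcceptableUsername(string $username): bool
{
    return (bool) preg_match('/\A[\p{L}\p{N} _.\-]{3,50}\z/u', $username);
}

/** Checks a reviewer can apply: encoded output holds no live tags, allow-list rejects markup. */
function runChecks(string $crafted, string $plain): bool
{
    $encoded = renderUsernameSafe($crafted);
    return strpos($encoded, '<script') === false
        && strpos($encoded, '&lt;script&gt;') !== false
        && isAcceptableUsername($plain)
        && !isAcceptableUsername($crafted);
}

// Constructed sample inputs: one ordinary username, one carrying a script tag.
$plain   = 'Bob Smith';
$crafted = 'Bob<script>alert(1)</script>';

echo 'Unsafe : ' . renderUsernameUnsafe($crafted) . PHP_EOL;
echo 'Encoded: ' . renderUsernameSafe($crafted) . PHP_EOL;
echo 'Checks : ' . (runChecks($crafted, $plain) ? 'passed' : 'FAILED') . PHP_EOL;
```

Run it with `php xss_demo.php`. The unsafe line hands the browser a live `<script>` element wherever that username is displayed (profile, post bit, member list); the encoded line shows the same bytes as inert text. Encoding belongs at the point of output, in every template that prints the value, because the stored username is the same in both cases.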


Posted

Wow. 2 years later, he's describing the fix?

 

Did somebody get hacked using one of his add-ons?

"I wonder if wife Susie knows about the vile crap he posts on his site and how it fits in with her "youth ministry"?" - Dr. Howard Rosenzweig, former owner of TheAdminZone
Posted

Well, it may have to do with the fact that he was not using prepared statements in his SQL.

 

This update from one of his mods in December 2015 casually mentioned that he started using prepared statements.

Forum Moderators - Updates

 

He may not have even realized how big of a security risk it was at the time, until a nefarious sort saw the potential in his add-on(s), found a site running an old version of it, and hacked it.

 

Maybe xenforo got involved, reviewed the add-on, and told him to make sure he's using prepared statements and put out a notice?

 

This is pure speculation on my part.

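To show what "using prepared statements" actually changes in the posts above, here is an added example (not code from AndyB's add-ons or from XenForo). It runs the same user lookup both ways, once with the value spliced into the SQL text and once as a bound parameter, against an in-memory SQLite table of constructed rows. The table name, columns, sample rows and function names are assumptions made for the example.

```php
<?php
// Added example (not code from AndyB's add-ons or from XenForo): the same lookup
// written with string concatenation and with a prepared statement, run against
// an in-memory SQLite table of constructed rows so the difference is visible
// without a real forum database. Names and data are this example's own.

declare(strict_types=1);

/** Build a throwaway database with a few constructed user rows. */
function makeSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sample_user (user_id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO sample_user (username, email) VALUES (?, ?)');
    foreach ([['alice', 'alice@example.invalid'], ['bob', 'bob@example.invalid'], ['carol', 'carol@example.invalid']] as $row) {
        $insert->execute($row);
    }
    return $db;
}

/** Vulnerable pattern: the caller's string becomes part of the SQL text. */
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT user_id, username, email FROM sample_user WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Fixed pattern: the SQL text is constant; the value is sent separately as a bound parameter. */
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT user_id, username, email FROM sample_user WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeSampleDb();

// Ordinary input behaves identically either way: one row for 'bob'.
printf("unsafe('bob')   -> %d row(s)\n", count(findUserUnsafe($db, 'bob')));
printf("safe('bob')     -> %d row(s)\n", count(findUserSafe($db, 'bob')));

// Constructed hostile input: a quote closes the literal and a tautology follows.
// Concatenation turns the WHERE clause into: username = '' OR '1'='1'
$hostile = "' OR '1'='1";
printf("unsafe(hostile) -> %d row(s)  (every user, e-mail addresses included)\n", count(findUserUnsafe($db, $hostile)));
printf("safe(hostile)   -> %d row(s)  (searched for a user literally named %s)\n", count(findUserSafe($db, $hostile)), $hostile);
```

Run with `php sqli_demo.php` (needs the bundled pdo_sqlite extension). The unsafe lookup returns all three rows for the hostile input because the input rewrote the query; the prepared statement returns none because the database only ever saw a fixed query and a string to compare against. Two practical notes for anyone reviewing an add-on: grep its PHP for SQL strings assembled with `.` concatenation or interpolated `$variables`, since every such site needs the second form; and on MySQL set `PDO::ATTR_EMULATE_PREPARES` to `false` so parameters are bound server-side rather than quoted client-side.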
Posted

When the XF2 demo was up and running, it was pointed out to him on that forum that he should be using prepared statements. It looked as though he had not been using them then; somebody could have picked up on it and either checked the code in his mods and reported back to him that there were vulnerabilities, or spotted it while looking at his mods to hack another site using them.

 

He is sneaky because he takes everything to private messages all the time on XenForo so nothing gets seen or read in public about his mods.

Posted
He may not have even realized how big of a security risk it was at the time

 

If that is the case (speculation) then he has no business releasing any addons. Many times he has updated his addons with something as simple as "Updated PHP". WTH is that? More possible security flaws?

Posted
Looks like AndyB is updating a lot of mods because they all contain a hackable security flaw. Another prime example of why XenForo shouldn't be allowing mods advertised on their forum that get downloaded from another person's site.

 

1) They are not being updated, he is simply disclosing a previous update that gives the security issues.

2) Most of the addons are available on XF. It does not matter where the download is hosted, that has no bearing on security issues in the code!

Posted

He probably should have made a better attempt of what the implications were when he updated his add-ons to use prepared statements. But in his defense, all you can really do now is let people know about the situation.

 

I doubt that all of his add-ons had this flaw, but he needed to update them all just to try to remind people to make SURE they get a recent version.
Posted

So yeah, Xenforo told him to put out a more informative post about the issue, and the security problem that can come about if the add-ons aren't updated.

 

Chris D

We became aware that some customers may have still been using vulnerable versions and the disclosure prior was far too vague which may account for the reasons some customers haven’t yet updated.

 

We requested that the updates were posted to a) remind customers that they should update if they haven’t already and b) ensure the disclosure meets the guidelines we posted some time ago.

 

They all mostly relate to a SQL injection vulnerability which has been fixed for some time but if you have any of those add ons installed and haven’t updated them then that should be done ASAP.
Posted

LOL

 

Yes, that is what I just said. Stop copying from here what I say. We all know your too dumb to figure things out for yourself. Get Kent/Ozzy to hold your hand next time you try and figure something out.

 

Try to figure out the English language, Gary.

Posted
The danger of using a one-man-show add-on.

 

No, the danger of using poorly coded add-ons.

 

Many of those released at XF are so called "one man show."

 

I'd take every single one of Bob B's addons over ANY "team" or "company" add-on released. Without hesitation.

Posted
Since this site seems to be populated with people that have a good amount of experience with various coders/addons, combined with a total lack of holding back of any sort of opinion, what does everyone really truly think of AndyB's addons - XF1.x or 2.x...and why. Go.
Posted
Since this site seems to be populated with people that have a good amount of experience with various coders/addons, combined with a total lack of holding back of any sort of opinion, what does everyone really truly think of AndyB's addons - XF1.x or 2.x...and why. Go.

 

I've never used Andy's add-ons. And i don't think I've ever conversed with him.

 

He does tend to use different coding standards in some of the add-ons I've seen. I think he tends to copy and paste things from other areas of xenforo, when there might be a better way to do something, or maybe he doesn't understand how some functions are supposed to work.

 

That is pretty common though, as a lot of early add-on development is pretty varied between devs when there isn't much published in the way of best practices.

 

Some questions he asks, though, make me wonder how any of his add-ons work, lol. Maybe I just don't follow his thought process.

 

He doesn't seem to engage in issues and problems much. Most of the time, they are ignored, or he issues a fix without much explanation.
Posted
He doesn't seem to engage in issues and problems much. Most of the time, they are ignored, or he issues a fix without much explanation.

He is sneaky because he takes everything to private messages all the time on XenForo so nothing gets seen or read in public about his mods.

^^ this...I've really never been able to understand why he does this, it just seems odd to me. I've posted on his thread about an issue and when it gets resolved he's asked me to edit or delete the comment...really weird.

 

Or when you ask a question about a functionality of an addon, he won't post the reply in public, he'll PM you the answer. So his resource discussion threads are filled with questions that appear unanswered. To me it seems like if one person has the question, 30 more do but don't ask. More people would use his addons if he explained how they worked to everyone when one person asks the question.

 

All of that is just annoying at the worst. But he's got a lot of simple yet useful addons that are basically free compared to what most are charging. Like for instance, the auto-move thread one, I wanted one that had a little more flexibility so he made auto-move-plus, still doesn't do exactly what I wanted but I'd pay $25 for that level of functionality and get access to all 100+ of his other addons in the process.

 

Meanwhile, I'm quoted $400 to have exactly what I want done in XF2 and $350 for XF1, the only difference being that the thread starter can control how long before the thread is moved.

 

I'm thinking $25 for 80% of what I want is a pretty fucking good deal compared to that.

 

But is the code solid? That's what matters.

Posted
Also FWIW I've talked on the phone with Andy, he helped me out with a problem I was having early on in my Xenforo experience and he's a really nice guy, very helpful.
Posted
But is the code solid? That's what matters.

 

It's been pointed out by several developers that he doesn't use any best practices (such as DataWriters in XF1 or Entities in XF2), and he throws random queries that don't even do anything but load a bunch of garbage data he never even touches into controllers. I'd be scared to see the performance of any site that uses any of his add-ons that do anything with any sort of data.

 

Just for an example, not using the DataWriter for a lot of things he does (An example being his add-on that converts img tags into attachments) will break any other add-on that does anything with attachments. For example, I use Goodie2shoe's add-on that runs attachments through kraken, doesn't work if you use Andy's garbage add-on because he doesn't use a datawriter, so no other add-on knows that it exists, he just randomly inserts it and then tells people it's a server issue when shit breaks because of this.

Posted

So, in the example of image tags > attachments, this is the hot topic since photobucket fucked everyone over. His "convert image all" addon is one that I was planning to run, maybe that's not such a good idea...am I reading you right?

 

If not, there must be a way to do what that addon does, except without breaking things...

Posted
^^ this...I've really never been able to understand why he does this, it just seems odd to me. I've posted on his thread about an issue and when it gets resolved he's asked me to edit or delete the comment...really weird.

Removing (or preventing) the tracking of any stupidity he may show in public?

I personally won't use any of his stuff - just on general principles. Also, I generally don't need to use remove-ons (which he was well known for). Many of his add-ons are simple enough to replicate without needing an add-on to do it.

He's probably learning, but doesn't want to reveal his level of incompetence (at that time) to the general public.

Posted
So, in the example of image tags > attachments, this is the hot topic since photobucket fucked everyone over. His "convert image all" addon is one that I was planning to run, maybe that's not such a good idea...am I reading you right?

 

I wouldn't touch a single one of his add-ons with a 10 foot pole. I doubt his add-on will even work with Photobucket since with that it's not just a matter of downloading the image from the PhotoBucket URL and converting it to an attachment, they did some nasty trickery with it that you have to dick around with.

 

He's probably learning, but doesn't want to reveal his level of incompetence (at that time) to the general public.

 

He constantly reveals his incompetence. The old xenforo 2 demo site was full of him asking how to do things, getting answers from Chris on exactly what to do, and then doing the exact opposite and saying either:

 

1. It works perfectly (when in reality it'll break other shit)

 

or

 

2. It didn't work (when Chris gave him the exact code to use)

Posted
Yeah. He seems to ignore advice and direction when he gets answers to his own questions. That's a little weird.
Posted
I doubt his add-on will even work with Photobucket since with that it's not just a matter of downloading the image from the PhotoBucket URL and converting it to an attachment, they did some nasty trickery with it that you have to dick around with.

Point of fact here, his addon actually does (or at least did) get around the photobucket paywall, he specifically modified that addon to do exactly that which is the only reason I’ve considered using it. There also was a Firefox addon that managed to get around it but it broke at some point

Posted
yeah there was one posted this AM that I pulled up on my phone when I woke up, got to work and it was gone. Posted by MGM at 7:58am I think...but then I also recall that he was quoting his own post about the 10' pole touching thing and something else about touching poles, maybe it was too kinky
