Exploitable SQL injection vulnerability in many addons by AndyB is patched. Update required!

Discussion in 'XenForo' started by Anonymous, Nov 3, 2017.

Thread Status:
Not open for further replies.
  1. Anonymous

    Anonymous Habitué

    1,319
    677
    +357
    Somewhat relevant to this thread, there are about two full pages of spam from AndyB finally disclosing vulnerabilities fixed nearly two years ago in almost all of his add-ons. Wonder how many people are running vulnerable versions of this, and wonder why he waited two years to disclose that his update was to fix security issues (more specifically, just randomly throwing variables into queries without any sanitization)
     
    • Informative! x 2
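    The pattern described above (a request value dropped straight into a query) beside the form XenForo's own data layer expects, as an added example that is not from this thread or from any AndyB add-on. It assumes the XenForo 1.x conventions: a model's `_getDb()` returning a Zend_Db adapter with `fetchAll()`/`quote()`, and `XenForo_Input::filterSingle()` for typed request input. The `Demo_*` class names and the `xf_demo_widget` table are made up for the illustration.

```php
<?php
// Added example, not code from the thread or from any released add-on.
// Assumes XenForo 1.x: XenForo_Model::_getDb() returns a Zend_Db_Adapter,
// which supports positional bind parameters and adapter-level quoting.
// Demo_* names and the xf_demo_widget table are hypothetical.

class Demo_Model_Widget extends XenForo_Model
{
    // Vulnerable: the raw request value becomes part of the SQL text, so any
    // quote character in it changes the structure of the query. This is the
    // "variables thrown into queries without sanitization" pattern.
    public function getWidgetsByUserUnsafe($userIdFromRequest)
    {
        $sql = "SELECT * FROM xf_demo_widget WHERE user_id = " . $userIdFromRequest;
        return $this->_getDb()->fetchAll($sql);
    }

    // Safe: the value travels as a bound parameter and is never part of the
    // SQL text, so its content cannot alter the query.
    public function getWidgetsByUser($userId)
    {
        return $this->_getDb()->fetchAll('
            SELECT *
            FROM xf_demo_widget
            WHERE user_id = ?
        ', $userId);
    }

    // When a value must be spliced into the SQL (an IN list has no single
    // placeholder), coerce the type and quote through the adapter, never by
    // hand-built string concatenation.
    public function getWidgetsByUsers(array $userIds)
    {
        $userIds = array_map('intval', $userIds);
        if (!$userIds)
        {
            return array();
        }
        $db = $this->_getDb();
        return $db->fetchAll('
            SELECT *
            FROM xf_demo_widget
            WHERE user_id IN (' . $db->quote($userIds) . ')
        ');
    }
}

// Controller side: enforce the expected type at the input boundary as well,
// so the model only ever sees an unsigned integer.
class Demo_ControllerPublic_Widget extends XenForo_ControllerPublic_Abstract
{
    public function actionIndex()
    {
        $userId = $this->_input->filterSingle('user_id', XenForo_Input::UINT);

        $widgets = $this->getModelFromCache('Demo_Model_Widget')->getWidgetsByUser($userId);

        return $this->responseView(
            'Demo_ViewPublic_Widget',
            'demo_widget_list',
            array('widgets' => $widgets)
        );
    }
}
```

    Both layers matter: the input filter stops malformed values early, and the bound parameter guarantees that even an unfiltered string reaches the database as data rather than as SQL. Reviewing an add-on for this class of bug means looking for any query built by `.` concatenation or `"$var"` interpolation of request-derived values.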
  2. Alfa1

    Alfa1 Administrator

    3,852
    1,702
    +2,706
    Link?
     
  3. Steve

    Steve Administrator

    3,721
    1,662
    +3,192
    Just hit New Posts..or..
    https://xenforo.com/community/resources/weekly-digest.3777/updates#resource-update-23527

    Basically what most* of them say.
     
    Last edited: Nov 3, 2017
  4. zappaDPJ

    zappaDPJ Administrator

    6,878
    1,432
    +5,488
    ...or this although the value of the link will depreciate pretty quickly as he's a prolific poster: https://xenforo.com/community/search/99062/

    At least the problem(s) was/were identified and patched. Sitting so long on disclosure seems somewhat strange though.

    Just to be clear, this was the issue necessitating all his add-ons to be patched?
     
  5. Kintaro

    Kintaro Enthusiast

    140
    83
    +51
    Please, AndyB can you clear this thing to all?
     
  6. Chris D

    Chris D XenForo Developer

    773
    1,022
    +1,807
    We became aware that some customers may have still been using vulnerable versions and the disclosure prior was far too vague which may account for the reasons some customers haven’t yet updated.

    We requested that the updates were posted to a) remind customers that they should update if they haven’t already and b) ensure the disclosure meets the guidelines we posted some time ago.

    They all mostly relate to a SQL injection vulnerability which has been fixed for some time but if you have any of those add ons installed and haven’t updated them then that should be done ASAP.
     
    • Like x 2
    • Informative! x 2
  7. Alfa1

    Alfa1 Administrator

    3,852
    1,702
    +2,706
    It seems that all updates relate to a version 2.1 which often doesn't exist.
     
  8. Anonymous

    Anonymous Habitué

    1,319
    677
    +357
    Revealing a known exploit nearly 2 years after the fact and only after XF staff instructs him to...

    It appears to demonstrate a definite level of carelessness. It reflects on competence. The exploit is in countless AndyB apps. This is not the first time. Developers have been telling him over and over not to use vulnerable methods. Seemingly to no avail. Different notable developers caution against utilizing Andy's apps. As a developer exhibits such unconcern with the security of many xf sites, is the onus of proof not on the developer? Should he not verify his xf apps are of high security? Enough to be used on many sites and devoid of insecure methods?
     
  9. we_are_borg

    we_are_borg Administrator

    5,359
    1,417
    +2,127
    To be fair, if I was one of the owners of XF I would have removed all his addons and revoked his permissions for some time. A mistake can be made, but so many in all of his add-ons, that's plain stupid.
     
  10. LeadCrow

    LeadCrow Apocalypse Admin

    6,444
    1,232
    +2,182
    A website is as insecure as its most exploitable component is.
    Perhaps popular addons should get security audits, and installation of vulnerable versions blocked by the forum software.
     
  11. doubt

    doubt Tazmanian

    4,801
    562
    +2,063
    Witch-hunt.
     
  12. we_are_borg

    we_are_borg Administrator

    5,359
    1,417
    +2,127
    So you'd rather have sites that have security issues because of add-ons he made and never fully disclosed.
     
  13. doubt

    doubt Tazmanian

    4,801
    562
    +2,063
    Those addons have been "fixed nearly two years ago".
    He should have been warned at that time to disclose the reason for the patches, not now.
     
  14. Tracy Perry

    Tracy Perry Opinionated asshat

    4,988
    552
    +3,594
    Sounds like the original reason he gave for the updates was vague in that his update did not fully disclose the vulnerability being patched and that it was a security concern.
    Looks like to me what he was made to do was acknowledge that it WAS a security issue and therefore users that might not typically update a "working" add-on for no known benefit would not do so. Most WILL update if said update fixes a security issue.
     
  15. Matthew S

    Matthew S Adherent

    298
    87
    +189
    I remember ChrisD saying something to him ages ago about using stored procedures or some such, and he released some updates about that soon after. Truthfully, that is the first and only time I have ever seen "Developers have been telling him over and over not to use vulnerable methods".
     
  16. doubt

    doubt Tazmanian

    4,801
    562
    +2,063
    I agree with that.
    What I don't agree with is only the timing of "Looks like to me what he was made to do".
     
  17. Anonymous

    Anonymous Habitué

    1,319
    677
    +357
    You can continue using add-ons made by someone that can't figure out what an "undefined variable" error means if you'd really like to. Frankly, he has no business being allowed to release add-ons on XF. If you look through the development discussion you'll see time and time again people showing him the correct thing to do and him blatantly ignoring any suggestions made and that is reflected in the horrible mess of add-ons that he releases.
     
  18. doubt

    doubt Tazmanian

    4,801
    562
    +2,063
    Yes, I do...
    ...as soon as it's been patched.
     
  19. Matthew S

    Matthew S Adherent

    298
    87
    +189
    I am genuinely interested in this statement, so I guess, links showing time and time again are needed. I guess you are a developer and are one of the people who have time and time again showed him the correct thing to do, so linking such discussions should be trivial. Please. :)
     
  20. we_are_borg

    we_are_borg Administrator

    5,359
    1,417
    +2,127
    I have no idea if the link will work, but read the posts at https://xenforo.com/community/search/100223/ where he asks something and then ignores stuff.
     