Exploitable SQL injection vulnerability in many addons by AndyB is patched. Update required!

Status
Not open for further replies.

Anonymous

Habitué
Joined
Jan 6, 2004
Messages
1,319
Somewhat relevant to this thread, there are about two full pages of spam from AndyB finally disclosing vulnerabilities fixed nearly two years ago in almost all of his add-ons. Wonder how many people are running vulnerable versions of this, and wonder why he waited two years to disclose that his update was to fix security issues (more specifically, just randomly throwing variables into queries without any sanitization)
 

Steve

Fanatic
Joined
Apr 17, 2009
Messages
3,745
Just hit New Posts... or...
https://xenforo.com/community/resources/weekly-digest.3777/updates#resource-update-23527

Basically what most* of them say.
On Jan 1, 2016 version 2.1 of this add-on was released to address an exploitable SQL injection vulnerability. If you are still using a version of this add-on which is below 2.1 or released before Jan 1, 2016 then it is essential that you update to the latest version of the add-on as soon as possible to fix this security issue. If you have any further questions, please ask.
 

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,285
...or this although the value of the link will depreciate pretty quickly as he's a prolific poster: https://xenforo.com/community/search/99062/

At least the problem(s) was/were identified and patched. Sitting so long on disclosure seems somewhat strange though.

more specifically, just randomly throwing variables into queries without any sanitization
Just to be clear, this was the issue necessitating all his add-ons to be patched?
 

Chris D

XenForo Developer
Joined
Aug 23, 2012
Messages
810
We became aware that some customers may have still been using vulnerable versions and the disclosure prior was far too vague which may account for the reasons some customers haven’t yet updated.

We requested that the updates were posted to a) remind customers that they should update if they haven’t already and b) ensure the disclosure meets the guidelines we posted some time ago.

They all mostly relate to a SQL injection vulnerability which has been fixed for some time but if you have any of those add ons installed and haven’t updated them then that should be done ASAP.
 

Alfa1

Administrator
Joined
May 28, 2007
Messages
4,001
It seems that all updates relate to a version 2.1 which often doesn't exist.
 

Anonymous

Habitué
Joined
Jan 6, 2004
Messages
1,319
Revealing a known exploit nearly 2 years after the fact and only after XF staff instructs him to...

It appears to demonstrate a definite level of carelessness. It reflects on competence. The exploit is in countless AndyB apps. This is not the first time. Developers have been telling him over and over not to use vulnerable methods. Seemingly to no avail. Different notable developers caution against utilizing Andy's apps. As a developer exhibits such unconcern with the security of many xf sites, is the onus of proof not on the developer? Should he not verify his xf apps are of high security? Enough to be used on many sites and devoid of insecure methods?
 

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,510
To be fair, if I was one of the owners of XF I would have removed all his addons and revoked his permissions for some time. A mistake can be made, but so many in all of his add-ons, that's plain stupid.
 

LeadCrow

Apocalypse Admin
Joined
Jun 29, 2008
Messages
6,578
A website is as insecure as its most exploitable component is.
Perhaps popular addons should get security audits, and installation of vulnerable versions blocked by the forum software.
 

doubt

Tazmanian
Joined
Feb 25, 2013
Messages
4,864
Somewhat relevant to this thread, there are about two full pages of spam from AndyB finally disclosing vulnerabilities fixed nearly two years ago in almost all of his add-ons.
Witch-hunt.
 

doubt

Tazmanian
Joined
Feb 25, 2013
Messages
4,864
So you'd rather have sites that have security issues because of add-ons he made and never fully disclosed.
Those addons have been "fixed nearly two years ago".
He should be warned that time to disclose the reason for the patches, not now.
 

Tracy Perry

Opinionated asshat
Joined
May 25, 2013
Messages
4,991
Witch-hunt.
Those addons have been "fixed nearly two years ago".
He should be warned that time to disclose the reason for the patches, not now.
Sounds like the original reason he gave for the updates was vague in that his update did not fully disclose the vulnerability being patched and that it was a security concern.
may have still been using vulnerable versions and the disclosure prior was far too vague
Looks like to me what he was made to do was acknowledge that it WAS a security issue and therefore users that might not typically update a "working" add-on for no known benefit would not do so. Most WILL update if said update fixes a security issue.
 

Matthew S

Adherent
Joined
Jun 27, 2015
Messages
305
I remember ChrisD saying something to him ages ago about using stored procedures or some such, and he released some updates about that soon after. Truthfully, that is the first and only time I have ever seen "Developers have been telling him over and over not to use vulnerable methods".
 
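The pattern described earlier in the thread (request variables concatenated straight into query text) shown next to its parameterized form, as an added example that is not code from the thread, from XenForo or from any AndyB add-on. The post above mentions stored procedures; the more common remedy in PHP is a prepared statement with bound parameters, which is what the fixed function uses. The example runs on plain PDO over an in-memory SQLite database rather than XenForo's own database layer, and the table and rows are constructed stand-ins.

```php
<?php
// Added example: vulnerable string-built query beside a parameterized one.
// Plain PDO + SQLite in memory; XenForo's database layer is not used.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Cut-down stand-in for a user table (constructed for this example).
    $db->exec('CREATE TABLE xf_user (user_id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
    $db->exec("INSERT INTO xf_user VALUES (1, 'alice', 'alice@example.invalid'),
                                           (2, 'bob',   'bob@example.invalid')");
    return $db;
}

// Vulnerable pattern: the variable becomes part of the SQL text itself,
// so a quote character in it changes the query's structure.
function findUserVulnerable(PDO $db, string $username): array {
    $sql = "SELECT user_id, username FROM xf_user WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed pattern: the SQL text is fixed and the value is bound separately,
// so whatever the string contains is compared as data only.
function findUserSafe(PDO $db, string $username): array {
    $stmt = $db->prepare('SELECT user_id, username FROM xf_user WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();

// Constructed input: harmless as a username, but it closes the quoted
// literal and appends a condition that is always true when it is pasted
// into the query text.
$input = "' OR '1'='1";

printf("vulnerable lookup returned %d row(s)\n", count(findUserVulnerable($db, $input)));
printf("parameterized lookup returned %d row(s)\n", count(findUserSafe($db, $input)));
printf("parameterized lookup for 'alice' returned %d row(s)\n", count(findUserSafe($db, 'alice')));
```

Run with `php example.php` (the `pdo_sqlite` extension must be enabled). With the constructed input, the vulnerable function returns both rows because the `WHERE` clause has collapsed into a tautology, while the parameterized function returns none because no user is literally named `' OR '1'='1`; the ordinary lookup for `alice` still returns one row. The fix is not in "sanitizing" the string but in never letting request data reach the query as SQL text.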

doubt

Tazmanian
Joined
Feb 25, 2013
Messages
4,864
Sounds like the original reason he gave for the updates was vague in that his update did not fully disclose the vulnerability being patched and that it was a security concern.
I agree with that.
What I don't agree with is only the timing of "Looks like to me what he was made to do".
 

Anonymous

Habitué
Joined
Jan 6, 2004
Messages
1,319
Those addons have been "fixed nearly two years ago".
He should be warned that time to disclose the reason for the patches, not now.
You can continue using add-ons made by someone that can't figure out what an "undefined variable" error means if you'd really like to. Frankly, he has no business being allowed to release add-ons on XF. If you look through the development discussion you'll see time and time again people showing him the correct thing to do and him blatantly ignoring any suggestions made and that is reflected in the horrible mess of add-ons that he releases.
 

Matthew S

Adherent
Joined
Jun 27, 2015
Messages
305
If you look through the development discussion you'll see time and time again people showing him the correct thing to do ...
I am genuinely interested in this statement, so I guess, links showing time and time again are needed. I guess you are a developer and are one of the people who have time and time again showed him the correct thing to do, so linking such discussions should be trivial. Please. :)
 

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,510
I am genuinely interested in this statement, so I guess, links showing time and time again are needed. I guess you are a developer and are one of the people who have time and time again showed him the correct thing to do, so linking such discussions should be trivial. Please. :)
I have no idea if the link will work, but read the posts at https://xenforo.com/community/search/100223/ where he asks something and then ignores the replies.
 