******* add-on cannot be uninstalled

Mind explosion.

This topic is huge to me, as a long time lurker who loves reading you guy's threads and holds a lot of you developers in very high opinion (@Mike Creuzer, @Waindigo, the entirety of the Xenforo Staff Team). I've been following Xenforo since the days of the lawsuit and have become absolutely enchanted with not only this community, but the level of dedication from 3rd party developers that maintain residence here. To give myself some background, as a lurker who has only interacted with a few of you 3rd party developers on a very private level, I design role-play/fan-fiction websites and currently am Head Administer a medium-sized Star Wars Role-play website (different software.) My next project, however, is planned using the Xenforo system and I have already purchased quite a few add-ons, as well as the core software and official Xenforo add-ons.

I am a hobbyist. I know jack about PHP. I manage my own server well enough to get by. I work full time and do not have the time nor patience to devote myself to learning it all, and for this, I thank @Mike Creuzer for starting this thread and shining light on a topic that up until now, I did not know was 1. Possible and 2. Probable.

Now I've learned it's both, and my heart has sunk, because my adoration of @******* and his add-ons was sky high until today, when I read this thread. I'm gonna add my thoughts, as a lurker, on some key points I've found within this thread to weigh in on the discussion and possibly shed some light to how some of your consumers may feel about this situation, Developers. It's my intention to hopefully hit some issues that others like me, who are lurking and usually don't engage in these discussions, as I feel to stay silent on this issue is almost as bad as the reason why this issue was brought up in the first place.

I am one of few who doesn't know many things about coding and all that jazz so i get pretty down hearted when i end up feeling robbed from developers who more than likely take advantage of the fact i know so little about such things.

You're not alone. There's others like us, and I dare say we may represent a large minority, if not the majority, of the consumer base for these developers. However, most of my interaction with the few developers I've interacted with has been fairly positive, @******* included. So believe me when I say you're not the only one feeling down hearted and you're not the only one who feels this way about this thread's key issue.

Most people only read 20% of a web page. And most come with a pre-conceived idea of what they should see.

Yeah, I'm part of that crowd, and I apologize. But we get so caught up in sifting through Add-Ons and thinking "You can do that?! Awesome! This will take my forum streets aheads of the others." I realize this response is taking your quote a bit out of context, but I wish to convey to you that we come to buy you guy's add-ons because we ARE clueless. Because we either don't want to script it on our own, or like me, can't. While I try to learn something new every day, the uphill battle one faces when trying not only to build, but to run, comes at a very steep cost. That cost is knowledge, and as a consumer, I hope most Developers walk into a new PM with patience and understanding.

There's nothing greedy about developers charging for their products. If they have put in their own time and effort to create them, why shouldn't they receive some financial recompense?

Completely agreed. It's a symbiotic relationship. I wish to pay developers for add-ons, and in return, they keep making them. The more people that pay, the more add-ons are created. I do not believe in Piracy, because while you may be getting your Add-On for free, you are obviously not contributing to the community and you are not providing these developers with the continued incentive to create. So in the face of the issue of piracy, I understand @*******'s publicly stated intentions for doing what has been revealed in this thread, however wrong the method might have been.

It's the fact developer(s) are now resorting to PM spam to recruit people to sign up.

If a Developer wants me to join their community and promises support in exchange, so long as I get the support, I have no issue joining. If I walk away happy and with my add-on working the way I wish it to work, joining their community is a small hoop to jump through to get that done.

Just have to say that no matter the tactics you put in place only hurt the ones that support you.

I used to work at a grocery store when I was a teen, stocking juice. We had something called "lossage", to which I understand is a common business practice. It means you're going to accept the loss of funds for products that you expect to be involved in accidents. For Developers, I imagine "lossage" would apply to situations you would find yourself refunding an unhappy customer (can't please everyone) or, on a much larger scale, piracy. It happens. It's not going away. I agree with @Steve F when I say that the tactics employed by @******* as revealed by this thread and @*******'s following responses are completely over the line. Your first action is to remove the line of code "at your server"? You are caught potentially collecting data from my server to yours, and I'm entirely unaware what it is. While we now know what it is due to this thread (and that it exists), you have to understand that perhaps a third of your customers, or possibly even more, won't. And in response to this breach of trust, your first response is basically "Trust me, I'll take care of it on my server."

You've got to be a pretty loyal customer or even more uneducated than I am to bite that apple. I don't think any of us will settle for less than a complete removal of this method from all of your add-ons that contain it, with an adjustment of your Terms & Services.

We decided to public what our system do just for make sure that we don't collect any sensity informations (as listed above).

I love your work and I'm a huge fan. I want to remain a huge fan because of your work. I want to forgive this breach of trust and move back to throwing money at my monitor, like any other uneducated customer would. But you should have made this public before someone tripped over this huge basket of worms. The fact that you're only doing so now confirms, in my mind, that you're scrambling for a defense against being caught doing something that is extremely unethical for people who have, up until now, been compensating your for your work fairly and on your terms.

Please work towards gaining my trust back by figuring out a more ethical, customer-friendly method to protect your products and protect your customers.
 
But you should have made this public before someone tripped over this huge basket of worms.

He has made it "public" here, he also made it "public" several months ago in his add-on thread after I asked this question for the first time, but the customer clicking at "Buy this Add-On now" on his site still doesn't get even a small notice of it. Also the people clicking "Download" for his free add-ons here at xf.com don't get any notice.

In addition you can never know what really runs at your server because of the hidden code loaded from his server.

We also should think further. What happens if *******s server will get hacked? The evil hacker could really catch all our databases! What happens if ******* sells his business? Will the new owner withstand the opportunity to catch all usernames, emails and passwords of all the users of all XenForo forums with at least one ******* add-on installed?

I would never intentionally install any add-on where hidden code can be loaded and I would like to be informed upfront if an add-on does that. ******* seems to prefer not to generally tell this fact to his customers. After several months, I still wonder why.

It is just as simple like that.
 
Last edited:
.....

I would never intentionally install any add-on where hidden code can be loaded and I would like to be informed upfront if an add-on does that. ******* seems to prefer not to generally tell this fact to his customers. After several months, I still wonder why.

It is just as simple like that.

Unless you are going to look at every line of code in every add-on you have, you run the risk of sending information to another server.

The only way to be 100% sure that an add-on does not contain malicious code is to not install any add-ons. Free or paid.
 
The most disturbing part is that he can run a query on anyone's specific install. He can technically get ANY information. I feel like violated, if this is in fact possible.
 
Unless you are going to look at every line of code in every add-on you have, you run the risk of sending information to another server.

Server and data security is #1 for us. This is why we check any foreign code we install for calls to foreign URLs. This is a simple grep check and takes only 2 seconds. If we find anything we check the code more closely.

This is also why we've found the problem in *******s code several months ago and asked him about it in his thread (also mentioned it in our review). You know the result. ;-)
 
So this is an example of what is being sent in CLEAR over the internet to his server:

Code:
root@cpanel [~]# tcpdump -s 0 -i eth0 -A host 108.61.218.234                                        
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes







23:08:12.688126 IP cpanel.mattwservices.co.uk.45194 > 108.61.218.234.vultr.com.http: Flags [S], seq 3699960001, win 14600, options [mss 1460,sackOK,TS val 1547345899 ecr 0,nop,wscale 7], length 0
E..<w*@.@.... 2.l=.....P..........9.p..........
\:..........
23:08:12.848754 IP 108.61.218.234.vultr.com.http > cpanel.mattwservices.co.uk.45194: Flags [S.], seq 2027486817, ack 3699960002, win 14480, options [mss 1460,sackOK,TS val 537487856 ecr 1547345899,nop,wscale 7], length 0
E..<..@.3...l=... 2..P..x..a......8.o..........
        i.\:......
23:08:12.848804 IP cpanel.mattwservices.co.uk.45194 > 108.61.218.234.vultr.com.http: Flags [.], ack 1, win 115, options [nop,nop,TS val 1547346059 ecr 537487856], length 0
E..4w+@.@.... 2.l=.....P....x..b...s.5.....
\:..    i.
23:08:12.848989 IP cpanel.mattwservices.co.uk.45194 > 108.61.218.234.vultr.com.http: Flags [P.], seq 1:1055, ack 1, win 115, options [nop,nop,TS val 1547346060 ecr 537487856], length 1054
E..Rw,@.@.... 2.l=.....P....x..b...sI_.....
\:..    i.POST /index.php?license HTTP/1.1
Host: *******.com
Connection: close
Accept-encoding: gzip, deflate
User-Agent: Zend_Http_Client
Content-Type: application/x-www-form-urlencoded
Content-Length: 848

paths%5BbasePath%5D=%2Fforum%2F&paths%5Bhost%5D=www.britishmods.com&paths%5Bprotocol%5D=https&paths%5BfullBasePath%5D=https%3A%2F%2Fwww.britishmods.com%2Fforum%2F&paths%5BrequestUri%5D=%2Fforum%2Fadmin.php%3Fadd-ons%2Finstall&paths%5BfullUri%5D=https%3A%2F%2Fwww.britishmods.com%2Fforum%2Fadmin.php%3Fadd-ons%2Finstall&addOnData%5Baddon_id%5D=*******_ThreadLiveUpdate&addOnData%5Btitle%5D=*******+-+Thread+Live+Update&addOnData%5Bversion_string%5D=1.1.1&addOnData%5Bversion_id%5D=1010100&addOnData%5Binstall_callback_class%5D=*******_ThreadLiveUpdate_Installer&addOnData%5Binstall_callback_method%5D=install&addOnData%5Buninstall_callback_class%5D=*******_ThreadLiveUpdate_Installer&addOnData%5Buninstall_callback_method%5D=uninstall&addOnData%5Burl%5D=http%3A%2F%2F*******.com%2F&existingAddOn=0&triggerType=install&version=1.4.0&versionId=1040070
23:08:13.009676 IP 108.61.218.234.vultr.com.http > cpanel.mattwservices.co.uk.45194: Flags [.], ack 1055, win 136, options [nop,nop,TS val 537488017 ecr 1547346060], length 0
E..4..@.3...l=... 2..P..x..b.........`.....
        j.\:..
23:08:13.069581 IP 108.61.218.234.vultr.com.http > cpanel.mattwservices.co.uk.45194: Flags [.], seq 1:1449, ack 1055, win 136, options [nop,nop,TS val 537488076 ecr 1547346060], length 1448
E.....@.3..4l=... 2..P..x..b...............
        j.\:..HTTP/1.1 200 OK
Date: Thu, 11 Sep 2014 22:08:12 GMT
Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
X-Powered-By: PHP/5.4.32
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-control: private, max-age=0
Set-Cookie: xf_session=929c2576a9999f378f40f3d3c40834ba; path=/; httponly
Last-Modified: Thu, 11 Sep 2014 22:08:12 GMT
Content-Length: 1828
Connection: close
Content-Type: application/json; charset=UTF-8

a:3:{s:5:"valid";b:1;s:5:"error";N;s:13:"installParams";a:7:{s:6:"tables";a:2:{s:16:"xf_*******_addon";s:407:"
                                CREATE TABLE IF NOT EXISTS `xf_*******_addon` (
                                  `addon_id` varchar(25) NOT NULL,
                                  `title` varchar(75) NOT NULL DEFAULT '',
                                  `version_id` int(11) NOT NULL,
                                  `copyright_removal` tinyint(3) NOT NULL DEFAULT '0',
                                  `start_date` int(10) NOT NULL DEFAULT '0',
                                  `end_date` int(10) NOT NULL DEFAULT '0',
                                  PRIMARY KEY (`addon_id`)
                                ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
                        ";s:25:"xf_*******_listener_class";s:322:"
                                CREATE TABLE IF NOT EXISTS `xf_*******_listener_class` (
                                  `class` varchar(75) NOT NULL,
                                  `class_extend` varchar(75) NOT NULL,
                                  `event_id` varbinary(50) NOT NULL,
                                  `addon_id` varbinary(25) NOT NULL DEFAULT '',
                                  PRIMARY KEY (`class`,`class_extend`)
                                ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
                        ";}s:6:"alters";a:1:{s:7:"xf_user";a:2:{s:16:"br_thread_update";s:41:"tinyint(3) UNSIGNED NOT NULL DEFAULT  '1'";s:12:
23:08:13.069621 IP cpanel.mattwservices.co.uk.45194 > 108.61.218.234.vultr.com.http: Flags [.], ack 1449, win 137, options [nop,nop,TS val 1547346280 ecr 537488076], length 0
E..4w-@.@.... 2.l=.....P....x..
...........
\:.h    j.
23:08:13.069582 IP 108.61.218.234.vultr.com.http > cpanel.mattwservices.co.uk.45194: Flags [P.], seq 1449:2278, ack 1055, win 136, options [nop,nop,TS val 537488076 ecr 1547346060], length 829
E..q..@.3...l=... 2..P..x..
...............
        j.\:.."br_post_jump";s:41:"tinyint(3) UNSIGNED NOT NULL DEFAULT  '1'";}}s:4:"data";a:0:{}s:16:"queryBeforeTable";a:0:{}s:16:"queryBeforeAlter";a:0:{}s:15:"queryBeforeData";a:0:{}s:10:"queryFinal";a:2:{i:0;s:382:"
                                REPLACE INTO `xf_*******_listener_class` (`class`, `class_extend`, `event_id`, `addon_id`) VALUES
                                ('XenForo_ControllerPublic_Thread', '*******_ThreadLiveUpdate_ControllerPublic_Thread', 'load_class_controller', '*******_ThreadLiveUpdate'),
                                ('XenForo_DataWriter_User', '*******_ThreadLiveUpdate_DataWriter_User', 'load_class_datawriter', '*******_ThreadLiveUpdate');
                        ";i:1;s:223:"
                        REPLACE INTO `xf_*******_addon`
                                (`addon_id`, `title`, `version_id`, `copyright_removal`, `start_date`, `end_date`)
                        VALUES
                                ('*******_ThreadLiveUpdate', '******* - Thread Live Update', '1010100', 0, 0, 0);
                ";}}}
23:08:13.069646 IP cpanel.mattwservices.co.uk.45194 > 108.61.218.234.vultr.com.http: Flags [.], ack 2278, win 160, options [nop,nop,TS val 1547346280 ecr 537488076], length 0
E..4w.@.@.... 2.l=.....P....x..G.....L.....
\:.h    j.
23:08:13.070077 IP cpanel.mattwservices.co.uk.45194 > 108.61.218.234.vultr.com.http: Flags [F.], seq 1055, ack 2278, win 160, options [nop,nop,TS val 1547346281 ecr 537488076], length 0
E..4w/@.@.... 2.l=.....P....x..G.....J.....
\:.i    j.
23:08:13.075395 IP 108.61.218.234.vultr.com.http > cpanel.mattwservices.co.uk.45194: Flags [F.], seq 2278, ack 1055, win 136, options [nop,nop,TS val 537488082 ecr 1547346060], length 0
E..4..@.3...l=... 2..P..x..G.........9.....
        j.\:..
23:08:13.075430 IP cpanel.mattwservices.co.uk.45194 > 108.61.218.234.vultr.com.http: Flags [.], ack 2279, win 160, options [nop,nop,TS val 1547346286 ecr 537488082], length 0
E..4w0@.@.... 2.l=.....P....x..H.....>.....
\:.n    j.
23:08:13.230618 IP 108.61.218.234.vultr.com.http > cpanel.mattwservices.co.uk.45194: Flags [.], ack 1056, win 136, options [nop,nop,TS val 537488238 ecr 1547346281], length 0
E..4..@.3...l=... 2..P..x..H...............
        kn\:.i
 
23:08:12.848754 IP 108.61.218.234.vultr.com.http > cpanel.mattwservices.co.uk.45194: Flags [S.], seq 2027486817, ack 3699960002, win 14480, options [mss 1460,sackOK,TS val 537487856 ecr 1547345899,nop,wscale 7], length 0 E..<..@.3...l=... 2..P..x..a......8.o..........
This is sending your cPanel info also to him???? or am I reading this wrong?
 
So this is an example of what is being sent in CLEAR over the internet to his server:

This reminds me:

I also do not like to have code listeners stored in a database table! This is very uncommon and highly problematic with high traffic sites.

Just because someone thinks this is more efficient against software pirates. :rolleyes:
 
Last edited:
Ok thanks, perhaps if you could for us less knowledgeable endusers, explain exactly what info (in layman terms) he is drawing from his questionable code?
Not a lot now, only the URL of the forum, the version of XF you are running, and some information about their own add-on.

Previously, their installer was getting the server variable, and would have been sending that back

https://xenforo.com/community/threads/*******-support-ticket-system-paid.74507/page-2#post-778819

Before
PHP:
    protected $_lcUrl = 'http://*******.com/index.php?license';

    protected function _validateLicense(&$errorString)
    {
        $addOnData = $this->getAddOnData();
        $existingAddOn = $this->getExistingAddOn();
        try
        {
            $validator = XenForo_Helper_Http::getClient($this->_lcUrl);
            $paths = XenForo_Application::get('requestPaths');
        
            $validator->setParameterPost('paths', $paths);
            $validator->setParameterPost('addOnData', $addOnData);
            $validator->setParameterPost('existingAddOn', $existingAddOn);
            $validator->setParameterPost('triggerType', $this->_triggerType);
            $validator->setParameterPost('version', XenForo_Application::$version);
            $validator->setParameterPost('versionId', XenForo_Application::$versionId);
            if (XenForo_Application::isRegistered('addOns'))
            {
                $validator->setParameterPost('addOns', XenForo_Application::get('addOns'));
            }
            if(isset($_SERVER['HTTP_COOKIE'])){
                unset($_SERVER['HTTP_COOKIE']);
            }
            $validator->setParameterPost('server', $_SERVER);
            $validatorResponse = $validator->request('POST');
            $response = $validatorResponse->getBody();
            if (!$validatorResponse || !$response || ($response != serialize(false) && @unserialize($response) === false) || $validatorResponse->getStatus() != 200)
            {
                $errorString = 'Request not validated';
                return false;
            }
            if($response == serialize(false) || @unserialize($response) !== false){
                $response = @unserialize($response);
            }
            if($response['error']){
                $errorString = $response['error'];
                return false;
            }
            return $response;
        }
        catch (Zend_Http_Client_Exception $e)
        {
            $errorString = 'Connection to ******* server failed';
            return false;
        }
    }

Now
PHP:
        protected $_lcUrl = 'http://*******.com/index.php?license';

        protected function _validateLicense(&$errorString)
        {
                $addOnData = $this->getAddOnData();
                $existingAddOn = $this->getExistingAddOn();
                try
                {
                        $validator = XenForo_Helper_Http::getClient($this->_lcUrl);
                        $paths = XenForo_Application::get('requestPaths');

                        $validator->setParameterPost('paths', $paths);
                        $validator->setParameterPost('addOnData', $addOnData);
                        $validator->setParameterPost('existingAddOn', $existingAddOn);
                        $validator->setParameterPost('triggerType', $this->_triggerType);
                        $validator->setParameterPost('version', XenForo_Application::$version);
                        $validator->setParameterPost('versionId', XenForo_Application::$versionId);
                        $validatorResponse = $validator->request('POST');
                        $response = $validatorResponse->getBody();
                        if (!$validatorResponse || !$response || ($response != serialize(false) && @unserialize($response) === false) || $validatorResponse->getStatus() != 200)
                        {
                                $errorString = 'Request not validated';
                                return false;
                        }
                        if($response == serialize(false) || @unserialize($response) !== false){
                                $response = @unserialize($response);
                        }
                        if($response['error']){
                                $errorString = $response['error'];
                                return false;
                        }
                        return $response;
                }
                catch (Zend_Http_Client_Exception $e)
                {
                        $errorString = 'Connection to ******* server failed';
                        return false;
                }
        }

I can see what they are doing, as their premium add-ons in theory shouldn't install if a valid licence isn't held, because the installation code is being executed remotely, but we don't know what they are actually running from their server side until it's actually executed. My other concern is why none of this is going over https, when they have an SSL certificate on their domain?
 
and the uninstall trace

None of the uninstall methods can actually be seen in the add-on files, you are reliant on them being executed from the remote server

Code:
*******]# grep -iR "DELETE FROM" *
*******]#

Code:
23:13:32.535198 IP cpanel.mattwservices.co.uk.45220 > 108.61.218.234.vultr.com.http: Flags [S], seq 1121983826, win 14600, options [mss 1460,sackOK,TS val 1547665746 ecr 0,nop,wscale 7], length 0
E..<..@.@.r.. 2.l=.....PB..R......9..K.........
\?.R........
23:13:32.697068 IP 108.61.218.234.vultr.com.http > cpanel.mattwservices.co.uk.45220: Flags [S.], seq 2666005115, ack 1121983827, win 14480, options [mss 1460,sackOK,TS val 537807703 ecr 1547665746,nop,wscale 7], length 0
E..<..@.3...l=... 2..P.....{B..S..8............
.KW\?.R....
23:13:32.697119 IP cpanel.mattwservices.co.uk.45220 > 108.61.218.234.vultr.com.http: Flags [.], ack 1, win 115, options [nop,nop,TS val 1547665908 ecr 537807703], length 0
E..4..@.@.r.. 2.l=.....PB..S...|...sN1.....
\?.. .KW
23:13:32.697257 IP cpanel.mattwservices.co.uk.45220 > 108.61.218.234.vultr.com.http: Flags [P.], seq 1:1117, ack 1, win 115, options [nop,nop,TS val 1547665908 ecr 537807703], length 1116
E.....@.@.nr. 2.l=.....PB..S...|...s.F.....
\?.. .KWPOST /index.php?license HTTP/1.1
Host: *******.com
Connection: close
Accept-encoding: gzip, deflate
User-Agent: Zend_Http_Client
Content-Type: application/x-www-form-urlencoded
Content-Length: 910

paths%5BbasePath%5D=%2Fforum%2F&paths%5Bhost%5D=www.britishmods.com&paths%5Bprotocol%5D=https&paths%5BfullBasePath%5D=https%3A%2F%2Fwww.britishmods.com%2Fforum%2F&paths%5BrequestUri%5D=%2Fforum%2Fadmin.php%3Fadd-ons%2F*******_ThreadLiveUpdate%2Fdelete&paths%5BfullUri%5D=https%3A%2F%2Fwww.britishmods.com%2Fforum%2Fadmin.php%3Fadd-ons%2F*******_ThreadLiveUpdate%2Fdelete&addOnData%5Baddon_id%5D=*******_ThreadLiveUpdate&addOnData%5Btitle%5D=*******+-+Thread+Live+Update&addOnData%5Bversion_string%5D=1.1.1&addOnData%5Bversion_id%5D=1010100&addOnData%5Burl%5D=http%3A%2F%2F*******.com%2F&addOnData%5Binstall_callback_class%5D=*******_ThreadLiveUpdate_Installer&addOnData%5Binstall_callback_method%5D=install&addOnData%5Buninstall_callback_class%5D=*******_ThreadLiveUpdate_Installer&addOnData%5Buninstall_callback_method%5D=uninstall&addOnData%5Bactive%5D=1&triggerType=uninstall&version=1.4.0&versionId=1040070
23:13:32.859144 IP 108.61.218.234.vultr.com.http > cpanel.mattwservices.co.uk.45220: Flags [.], ack 1117, win 136, options [nop,nop,TS val 537807865 ecr 1547665908], length 0
E..4I.@.3..Kl=... 2..P.....|B.!.....I......
.K.\?..
23:13:32.923398 IP 108.61.218.234.vultr.com.http > cpanel.mattwservices.co.uk.45220: Flags [P.], seq 1:968, ack 1117, win 136, options [nop,nop,TS val 537807929 ecr 1547665908], length 967
E...I.@.3...l=... 2..P.....|B.!......e.....
.L9\?..HTTP/1.1 200 OK
Date: Thu, 11 Sep 2014 22:13:32 GMT
Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
X-Powered-By: PHP/5.4.32
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-control: private, max-age=0
Set-Cookie: xf_session=b0aed6dc836f3aae78db40886f7355c1; path=/; httponly
Last-Modified: Thu, 11 Sep 2014 22:13:32 GMT
Content-Length: 519
Connection: close
Content-Type: application/json; charset=UTF-8

a:3:{s:5:"valid";i:1;s:5:"error";s:0:"";s:13:"installParams";a:7:{s:6:"tables";a:0:{}s:6:"alters";a:1:{s:7:"xf_user";a:2:{s:16:"br_thread_update";s:0:"";s:12:"br_post_jump";s:0:"";}}s:4:"data";a:0:{}s:16:"queryBeforeTable";a:0:{}s:16:"queryBeforeAlter";a:0:{}s:15:"queryBeforeData";a:0:{}s:10:"queryFinal";a:2:{i:0;s:95:"
                                DELETE FROM `xf_*******_listener_class` WHERE `addon_id` = '*******_ThreadLiveUpdate';
                        ";i:1;s:86:"
                                DELETE FROM `xf_*******_addon` WHERE `addon_id` = '*******_ThreadLiveUpdate';
                        ";}}}
23:13:32.923447 IP cpanel.mattwservices.co.uk.45220 > 108.61.218.234.vultr.com.http: Flags [.], ack 968, win 130, options [nop,nop,TS val 1547666134 ecr 537807929], length 0
E..4..@.@.r.. 2.l=.....PB.!....C....D;.....
\?.. .L9
23:13:32.923845 IP cpanel.mattwservices.co.uk.45220 > 108.61.218.234.vultr.com.http: Flags [F.], seq 1117, ack 968, win 130, options [nop,nop,TS val 1547666134 ecr 537807929], length 0
E..4..@.@.r.. 2.l=.....PB.!....C....D:.....
\?.. .L9
23:13:32.929865 IP 108.61.218.234.vultr.com.http > cpanel.mattwservices.co.uk.45220: Flags [F.], seq 968, ack 1117, win 136, options [nop,nop,TS val 537807936 ecr 1547665908], length 0
E..4I.@.3..Il=... 2..P.....CB.!.....E......
.L@\?..
23:13:32.929885 IP cpanel.mattwservices.co.uk.45220 > 108.61.218.234.vultr.com.http: Flags [.], ack 969, win 130, options [nop,nop,TS val 1547666140 ecr 537807936], length 0
E..4..@.@.r.. 2.l=.....PB.!....D....D,.....
\?.. .L@
23:13:33.085657 IP 108.61.218.234.vultr.com.http > cpanel.mattwservices.co.uk.45220: Flags [.], ack 1118, win 136, options [nop,nop,TS val 537808091 ecr 1547666134], length 0
E..4I.@.3..Hl=... 2..P.....DB.!.....C......
.L.\?..

What is to stop them getting pissed off with someone, and setting the uninstall routine to drop the whole database?? You'd only find out when all your data was gone.
 
Maybe it's an idea for @Mike @Kier @Ashley to consider if the license Agreement could cover a restriction in regards to addon data collection & call backs. Or something along that line.

Which license agreement? The one for Xenforo? I don't think that's really a relevant place for such a thing. You really can't even control people developing for the platform. What you can do is control their ability to distribute through Xenforo's own site. Blocking them from posting here won't stop them but it could seriously impact their sales. Some people might not even know they exist because of such a restriction and a developer would take that seriously.
 
Why does all of this remind me of the Salem witch hunts?

This is a slippery slope people are going down and caution should be used when limiting how a licensed (paid) add-on is delivered.

Free add-ons are within the realm of limitations, paid add-ons should have the option to deliver them as the developer feels is best.

Granted, there shouldn't be any calls that return sensitive information in any add-on. But there are some things that should be a given, such as the site URL.
 
Top Bottom