******* - Support Ticket System [Paid] [Deleted]

Status
Not open for further replies.

Mike Edge

Well-known member
If he's pulling anything but a domain check for valid licensing it's more than what he needs to be doing. Anything else is NOHB. Like I said, I just deleted the app and won't do any further business with him.
Doesn't matter if it is "sensitive data" or not.
I do agree it is a bit extreme for an add-on. Only other one I know that collects path info is @LP-John's form add-on as it saves the path in WHMCS. But many softwares outside xF do it including WHMCS and almost all add-ons for it, Softaculous.. etc
 

John L.

Well-known member
I do agree it is a bit extreme for an add-on. Only other one I know that collects path info is @LP-John's form add-on as it saves the path in WHMCS. But many softwares outside xF do it including WHMCS and almost all add-ons for it, Softaculous.. etc
Sorry, not 100% sure what the question is here and I'm not a customer of this addon, so forgive me @******* if I'm speaking for you. We use WHMCS as our billing system, makes our life easier. WHMCS provides a licensing addon which we utilize to detect the differences in licenses. For us, our addons allow for a single-use install or if you have a developer license, unlimited use. The domain AND path of your install are recorded to ensure you aren't installing the license in multiple places under 1 domain.

I would imagine that ******* is similar in this process. It's not out of the ordinary and I'm sure XenForo itself has some sort of check to ensure you're not installing the license in places you're not allowed to. Aside from your server IP (which can be accessed easily), domain (which is public) and installation path... there is nothing else a licensing system would need to grab. None of that is considered sensitive information.

Just my 2 cents :)
 

Wesker

Well-known member
Does this have a built-in support FAQ system? Really need that. An advanced one where you can search.
 

Brivium

Well-known member
Does it have a search for faq answer?
Currently, we support the Automated Knowledgebase suggestions feature when creating a new ticket. If you buy our product, we can promise you to bring your requested feature to a future version shortly.

Regards,
 

HWS

Well-known member
Not really sure what I'm missing here that people are considering to be sensitive information being sent back. From what I'm seeing, it is only information about the addon and its install path to make sure you're only installing it where you licensed it for.

Code:
    protected function _checkLicense()
    {
        if(!$response = $this->_validateLicense($errorString)){
            throw new XenForo_Exception($errorString, true);
        }
        if(isset($response['installParams']) && isset($response['installParams']['tables']) && isset($response['installParams']['alters']) && isset($response['installParams']['data'])){
            $installParams = $response['installParams'];
            $this->_tables             = $installParams['tables'];
            $this->_alters             = $installParams['alters'];
            $this->_data             = $installParams['data'];
            $this->_queryBeforeTable = isset($installParams['queryBeforeTable'])?$installParams['queryBeforeTable']:array();
            $this->_queryBeforeAlter = isset($installParams['queryBeforeAlter'])?$installParams['queryBeforeAlter']:array();
            $this->_queryBeforeData = isset($installParams['queryBeforeData'])?$installParams['queryBeforeData']:array();
            $this->_queryFinal         = isset($installParams['queryFinal'])?$installParams['queryFinal']:array();
        }else{
            throw new XenForo_Exception('Invalid data response from server. Please contact ******* Administrator for more information.');
        }
    }
 
 
    protected $_lcUrl = 'http://*******.com/index.php?license';
 
    protected function _validateLicense(&$errorString)
    {
        $addOnData = $this->getAddOnData();
        $existingAddOn = $this->getExistingAddOn();
        try
        {
            $validator = XenForo_Helper_Http::getClient($this->_lcUrl);
            $paths = XenForo_Application::get('requestPaths');
         
            $validator->setParameterPost('paths', $paths);
            $validator->setParameterPost('addOnData', $addOnData);
            $validator->setParameterPost('existingAddOn', $existingAddOn);
            $validator->setParameterPost('triggerType', $this->_triggerType);
            $validator->setParameterPost('version', XenForo_Application::$version);
            $validator->setParameterPost('versionId', XenForo_Application::$versionId);
            if (XenForo_Application::isRegistered('addOns'))
            {
                $validator->setParameterPost('addOns', XenForo_Application::get('addOns'));
            }
            if(isset($_SERVER['HTTP_COOKIE'])){
                unset($_SERVER['HTTP_COOKIE']);
            }
            $validator->setParameterPost('server', $_SERVER);
            $validatorResponse = $validator->request('POST');
            $response = $validatorResponse->getBody();
            if (!$validatorResponse || !$response || ($response != serialize(false) && @unserialize($response) === false) || $validatorResponse->getStatus() != 200)
            {
                $errorString = 'Request not validated';
                return false;
            }
            if($response == serialize(false) || @unserialize($response) !== false){
                $response = @unserialize($response);
            }
            if($response['error']){
                $errorString = $response['error'];
                return false;
            }
            return $response;
        }
        catch (Zend_Http_Client_Exception $e)
        {
            $errorString = 'Connection to ******* server failed';
            return false;
        }
    }
 
    protected function _getPrerequisites()
    {
        return array();
    }
 
    protected function _checkPrerequisites(array $prerequisites)
    {
        $addOnModel = $this->getModelFromCache('XenForo_Model_AddOn');
        $notInstalled = array();
        $outOfDate = array();
        foreach ($prerequisites as $addOnId => $requiredAddOn) {
            $addOn = $addOnModel->getAddOnById($addOnId);
            if (empty($addOn)) {
                $notInstalled[] = $requiredAddOn['title'];
            }
            if ($requiredAddOn['version_id'] && $addOn['version_id'] < $requiredAddOn['version_id']) {
                $outOfDate[] = $requiredAddOn['title'];
            }
        }
        if ($notInstalled) {
            throw new XenForo_Exception('The following required add-ons need to be installed: ' . implode(',', $notInstalled).'.', true);
        }
        if ($outOfDate) {
            throw new XenForo_Exception('The following required add-ons need to be updated: ' . implode(',', $outOfDate), true);
        }
    }
If you read this code correctly, you'll see that the whole $_SERVER array is sent, which contains a lot of sensitive data about our server completely unrelated to XenForo. Also all information about all other installed add-ons at our server is sent to his server, which is absolutely nothing I want to share with a third party.

And further, a hidden code ("queryFinal") is fetched from his server and runs at our server where his add-on is installed. No one knows what this code contains. He could even silently collect all user data and transfer it to him.

Best of all: He does not mention anywhere that he collects that much information, what he does with it and if it will ever be deleted again from his server. He also does not allow to opt out of the collection of data, even if you offer to pay more.

This "check" goes much too far for a simple license check. There is no real explanation why that much data has to be collected and transferred to his server. Also ANY processing of code which is silently transferred from a third-party server and runs on our server is a serious security risk which not everyone is willing to take.
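
Added example, not part of the post above and not the add-on's own code: a licence check reduced to what the thread agrees is needed (licence key, domain, install path), addressing the two objections raised here, the whole `$_SERVER` array being posted and server-supplied queries such as `queryFinal` being accepted. The field names, the JSON response shape and the sample values are assumptions made for illustration; the HTTP transport itself is left out.

```php
<?php
// Added example: data-minimised licence check. Field names and the JSON
// response shape are assumptions, not the add-on's real protocol.

/** Build the request body from an explicit allow-list, never from $_SERVER wholesale. */
function buildLicensePayload(string $licenseKey, array $server, string $installPath): array
{
    return [
        'license_key' => $licenseKey,
        'domain'      => strtolower((string) ($server['HTTP_HOST'] ?? '')),
        'path'        => $installPath,
    ];
}

/** Accept only {"valid": bool, "error": string|null}; anything else is rejected. */
function parseLicenseResponse(string $body): array
{
    // JSON instead of unserialize(): decoding cannot instantiate PHP objects.
    $data = json_decode($body, true, 4);
    if (!is_array($data) || !isset($data['valid']) || !is_bool($data['valid'])) {
        throw new RuntimeException('Malformed licence response');
    }
    $extra = array_diff(array_keys($data), ['valid', 'error']);
    if ($extra) {
        // Install steps, SQL or any other server-supplied instructions are refused.
        throw new RuntimeException('Unexpected fields: ' . implode(', ', $extra));
    }
    return [
        'valid' => $data['valid'],
        'error' => isset($data['error']) ? (string) $data['error'] : null,
    ];
}

// Constructed sample input, mimicking a web request environment.
$server = ['HTTP_HOST' => 'Forum.Example.org', 'HTTP_COOKIE' => 'xf_session=abc',
           'DOCUMENT_ROOT' => '/var/www', 'SERVER_ADMIN' => 'root@example.org'];
$payload = buildLicensePayload('LICENSE-PLACEHOLDER', $server, '/community');
print_r($payload);   // only license_key, domain and path leave the server

// Constructed responses: one well-formed, one that tries to ship install queries.
print_r(parseLicenseResponse('{"valid": true, "error": null}'));
try {
    parseLicenseResponse('{"valid": true, "installParams": {"queryFinal": ["..."]}}');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

With a response format like this, the table definitions and queries an installer runs have to ship inside the add-on package, where an administrator can read them before installing.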
 

Wesker

Well-known member
Currently, we support the Automated Knowledgebase suggestions feature when creating a new ticket. If you buy our product, we can promise you to bring your requested feature to a future version shortly.

Regards,
I need to buy a bunch of mods so give me a week.
 

Brivium

Well-known member
If you read this code correctly, you'll see that the whole $_SERVER array is sent, which contains a lot of sensitive data about our server completely unrelated to XenForo. Also all information about all other installed add-ons at our server is sent to his server, which is absolutely nothing I want to share with a third party.

And further, a hidden code ("queryFinal") is fetched from his server and runs at our server where his add-on is installed. No one knows what this code contains. He could even silently collect all user data and transfer it to him.

Best of all: He does not mention anywhere that he collects that much information, what he does with it and if it will ever be deleted again from his server. He also does not allow to opt out of the collection of data, even if you offer to pay more.

This "check" goes much too far for a simple license check. There is no real explanation why that much data has to be collected and transferred to his server. Also ANY processing of code which is silently transferred from a third-party server and runs on our server is a serious security risk which not everyone is willing to take.
Here is the license validator of Support Ticket and almost all of our addons; we don't collect any sensitive information.
Code:
protected function _validateLicense(&$errorString)
    {
        $addOnData = $this->getAddOnData();
        $existingAddOn = $this->getExistingAddOn();
        try
        {
            $validator = XenForo_Helper_Http::getClient($this->_lcUrl);
            $paths = XenForo_Application::get('requestPaths');
          
            $validator->setParameterPost('paths', $paths);
            $validator->setParameterPost('addOnData', $addOnData);
            $validator->setParameterPost('existingAddOn', $existingAddOn);
            $validator->setParameterPost('triggerType', $this->_triggerType);
            $validator->setParameterPost('version', XenForo_Application::$version);
            $validator->setParameterPost('versionId', XenForo_Application::$versionId);
            $validatorResponse = $validator->request('POST');
            $response = $validatorResponse->getBody();
            if (!$validatorResponse || !$response || ($response != serialize(false) && @unserialize($response) === false) || $validatorResponse->getStatus() != 200)
            {
                $errorString = 'Request not validated';
                return false;
            }
            if($response == serialize(false) || @unserialize($response) !== false){
                $response = @unserialize($response);
            }
            if($response['error']){
                $errorString = $response['error'];
                return false;
            }
            return $response;
        }
        catch (Zend_Http_Client_Exception $e)
        {
            $errorString = 'Connection to ******* server failed';
            return false;
        }
    }
 

Brivium

Well-known member
@Ross Hardy Your bug comes from the MCE editor, not from our addon. Please check again. And as we described in the overview, we'd like to recommend that you use XenForo's default editor (Redactor) to have a better experience.
 

Wesker

Well-known member
Currently, we support the Automated Knowledgebase suggestions feature when creating a new ticket. If you buy our product, we can promise you to bring your requested feature to a future version shortly.

Regards,
Okay I will buy this and message you shortly.
 

Wesker

Well-known member
Does this also have a form system where we can direct people to fill out specific forms?
 

Brivium

Well-known member

Alpha1

Well-known member
It's really nice to see you pushing out new features. I'm certainly keeping an eye on this.

I do not see the new features on your demo yet.

Small bug: the alert shows: 'You has submitted a support ticket'. There are two issues with this. Firstly, it makes no sense to alert someone about his own actions. Secondly, it's not correct English.
 