
XF.com suggestion: Always email users who downloaded vulnerable addon releases

Alfa1

Well-known member
#1
XenForo.com hosts addon files of free addons. Currently when a vulnerability / exploit is discovered then only the people who watch the resource with email notification receive an email about this.

I would like to suggest functionality so that all users who downloaded vulnerable code receive an email notification.

For example by a tickbox on resource updates for vulnerabilities, which would cause a mail shoot and highlighting of the update.
 

Snog

Well-known member
#2
While I applaud your intentions, I don't think this is a good idea.

Quite often I download an add-on to debug an incompatibility or a problem on one of my client's sites. However, after downloading I "unwatch" the add-on because I have no interest in receiving any notifications about it.

I would not appreciate receiving an email about it when I'm not watching it.
 

Alfa1

Well-known member
#3
I see where you are coming from.
I never watch with email. I have installed a mass of addons and I do not need an email every time there is a hotfix, because this happens every day of the year. But I would appreciate getting an email about a vulnerability, because security is at risk. I think damage control is important.
Maybe there could be an opt-out for vulnerability emails.
 

RobinHood

Well-known member
#4
Orrrrrr there could be a system where updates and notifications could get pushed straight to any forum install's ACP.

So all the sites that actively have it installed, and only those people get the notification. It could trigger an on site notification for any designated users or email a specific admin defined email address for that particular site.

That would target exactly everyone who needs to know about it, and only those people.
 

Robust

Well-known member
#5
Completely disagree.

Very often, developers will patch critical vulnerabilities without giving it any notice in the release notes. A release might contain a patch for a security issue as well as some minor bug fixes, and the patch note might contain information about the bugs and sometimes something else (non-security issue related) to imply that people should update.

A lot of software developers in various industries adopt this policy. It prevents exploitation of major security issues. Forum administrators aren't exactly the types of people to stay up to date with software updates, especially if you have 99 add-ons or so, it becomes a pain in the ass to keep them up to date (see last paragraph), so a lot of people will keep using outdated versions that just get the job done. It's not very productive to bring attention to a security issue that many people don't know about, or perhaps nobody else knows about and it was discovered internally whilst working on an update.

This brings attention to security issues and is more likely to be used by people to exploit forums more than anything else. Major vulnerabilities should be kept low key for the initial period after the patch, at least, to give people time to update before announcing the issue to the world (as per responsible disclosure).

Instead, you should aim to keep up to date with all releases, vulnerability or not.

Additionally, XenForo should take lead here and create a system for automatic updating through the ACP, either with one-click or completely automatically. A specification should be made for implementation by add-on developers to facilitate automatic updating of paid add-ons. This resolves this issue and additionally encourages forum admins to stay up to date with the latest updates.
 

Robust

Well-known member
#6
That would target exactly everyone who needs to know about it, and only those people.
You're not really keeping it silent here. That implies two things, which are not true:
  1. Word doesn't spread. Forum admins will patch and then immediately come here to discuss the issue and rant at the developer for having the issue there in the first place, exposing the issue to the world.
  2. License holders, or all downloaders (in the case of free add-ons), are all trustworthy with no malicious intent. We have many license holders that have a license to distribute pirated copies. It's not a stretch to assume that we have license holders that would exploit issues as they were brought to light.

There's no "need to know" as you imply in this situation. Releasing information to forum admins is the same as releasing information publicly to everyone.
 

Snog

Well-known member
#7
Additionally, XenForo should take lead here and create a system for automatic updating through the ACP, either with one-click or completely automatically. A specification should be made for implementation by add-on developers to facilitate automatic updating of paid add-ons. This resolves this issue and additionally encourages forum admins to stay up to date with the latest updates.
Automatic updates? Absolutely not.

Too many people customize code to do automatic updates to any add-on.
 

Robust

Well-known member
#8
Automatic updates? Absolutely not.

Too many people customize code to do automatic updates to any add-on.
They should create an additional add-on to modify an add-on, as good practice.

But as I said:
automatic updating through the ACP, either with one-click or completely automatically
Toggle it to be either automatic or manual (one-click to upgrade), per add-on.
 

RobinHood

Well-known member
#9
You're not really keeping it silent here. That implies two things, which are not true:
  1. Word doesn't spread. Forum admins will patch and then immediately come here to discuss the issue and rant at the developer for having the issue there in the first place, exposing the issue to the world.
  2. License holders, or all downloaders (in the case of free add-ons), are all trustworthy with no malicious intent. We have many license holders that have a license to distribute pirated copies. It's not a stretch to assume that we have license holders that would exploit issues as they were brought to light.

There's no "need to know" as you imply in this situation. Releasing information to forum admins is the same as releasing information publicly to everyone.
I wasn't using "need to know" in the context of trying to keep things quiet or secret, but more in the sense of not spamming people that have no interest in getting an update, i.e. someone who may have used it in the past but isn't actively using it at that moment in time.

If you have an add on installed that has an update or security alert available, then you need to know about it because you're actively using it on a live site and should be made aware in case there's an important reason to upgrade it.
 

Robust

Well-known member
#11
If you have an add on installed that has an update or security alert available, then you need to know about it because you're actively using it on a live site and should be made aware in case there's an important reason to upgrade it.
Agreed, hence the watch resources functionality. Forum admins should keep software up to date. All updates are important.
 

RobinHood

Well-known member
#12
Watching the resource on xf.com has no correlation to the sites you then install it to, though.

XF should auto detect all plugins a forum has installed, and notify the admin if there’s a newer version available in a designated repo without having to watch some thread somewhere.
 
#14
either with one-click or completely automatically.
This would need to be monitored by the XenForo staff so it would take quite a bit of resources. If it was just a non-monitored automatic updater it can potentially open the doors to hackers for a ton of forums. Essentially it would take 1 plugin author to become compromised, push an update to the add-on which can create a backdoor at which point any site with automatic updates would be open to compromise and those who deployed the manual update.

Sure it can happen now with the resources area but the impact would be much less significant vs those who simply sit back and enjoy automatic updates.

In theory, I like the idea though :).
 

Jake B.

Well-known member
#17
Very often, developers will patch critical vulnerabilities without giving it any notice in the release notes. A release might contain a patch for a security issue as well as some minor bug fixes, and the patch note might contain information about the bugs and sometimes something else (non-security issue related) to imply that people should update.
They most certainly shouldn't do this ever. There are a lot of people that customize add-ons and don't want to upgrade unless they absolutely need to because of the extra hassle due to their customizations. Not to mention XenForo requires disclosing vulnerabilities.
 

Alfa1

Well-known member
#18
I think it would be nice if the form to add a new version would have a tickbox to denote a new version as a vulnerability fix.
This flag could then be used to highlight the update and maybe display a notice on the resource,
Addons like @Chris D's Addon Installer could hook into this and display an adminCP notification of some sort. Or maybe even a front-end alert to the admin. That would be even more effective than email, for those admins that actively visit their sites.
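The mechanism sketched across posts #8, #12, #14 and #18 (the site knows which add-ons it has installed, compares them against a designated repo rather than a watched thread, a release carries a "security fix" flag that gets highlighted in the admin panel, and a per-add-on toggle decides between unattended and one-click updating, with unattended updates only for releases the repo has reviewed) can be modelled in a few dozen lines. This is an added example written for this page, not XenForo's code or any add-on's; the manifest format, the `reviewed` flag, the policy names and the HMAC-tagged manifest with a key pinned on the site (standing in for a real repo signature) are all assumptions, and the sample data is constructed.

```python
"""Hypothetical add-on update checker (added example, not XenForo's code).

Models three ideas from the thread: the site compares the add-ons it has
installed against a repo manifest (no thread-watching needed); releases carry
a "security fix" flag that is surfaced first; and a per-add-on policy decides
whether a release is applied unattended or queued for one-click review, with
unattended application limited to releases the repo has marked as reviewed
(the "monitored by staff" point from post #14). The manifest is authenticated
with an HMAC under a key pinned on the site, a stand-in for a real repo
signature (assumption), so a manifest altered by anyone without the repo key
is rejected before any version comparison happens.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Key pinned on the site for verifying manifests (constructed for the demo).
PINNED_REPO_KEY = b"constructed-demo-key-not-a-real-secret"


def parse_version(text):
    """'1.2.10' -> (1, 2, 10) so that 1.2.10 > 1.2.9 (a string compare would get this wrong)."""
    return tuple(int(part) for part in text.split("."))


def sign_manifest(body: bytes, key: bytes = PINNED_REPO_KEY) -> str:
    """Repo side: tag the manifest body. Stand-in for an asymmetric signature."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_manifest(body: bytes, tag: str, key: bytes = PINNED_REPO_KEY) -> dict:
    """Site side: constant-time tag check, then parse. Raises on mismatch."""
    if not hmac.compare_digest(sign_manifest(body, key), tag):
        raise ValueError("manifest tag mismatch: refusing to act on it")
    return json.loads(body)


@dataclass(frozen=True)
class Notice:
    addon_id: str
    installed: str
    available: str
    security_fix: bool
    action: str  # "auto-applied" or "awaiting one-click review"


def check_updates(installed: dict, manifest: dict, policy: dict) -> list:
    """installed: addon_id -> version; policy: addon_id -> 'auto' | 'manual'.

    Only add-ons actually installed on this site produce notices. An add-on set
    to 'auto' is applied unattended only for a release the repo has reviewed;
    unreviewed releases and 'manual' add-ons are queued for the admin instead.
    """
    notices = []
    for addon_id, current in installed.items():
        entry = manifest["addons"].get(addon_id)
        if entry is None or parse_version(entry["version"]) <= parse_version(current):
            continue  # not in the repo, or already up to date
        unattended = policy.get(addon_id, "manual") == "auto" and entry.get("reviewed", False)
        notices.append(Notice(
            addon_id=addon_id,
            installed=current,
            available=entry["version"],
            security_fix=bool(entry.get("security_fix", False)),
            action="auto-applied" if unattended else "awaiting one-click review",
        ))
    # Security fixes first so the admin sees them at the top of the ACP notice.
    notices.sort(key=lambda n: (not n.security_fix, n.addon_id))
    return notices


# Constructed sample data: a repo manifest, one site's installed add-ons, its policy.
SAMPLE_MANIFEST = {"addons": {
    "gallery":   {"version": "2.0.1", "security_fix": True,  "reviewed": True},
    "shoutbox":  {"version": "1.2.10", "security_fix": False, "reviewed": True},
    "seo-tools": {"version": "3.1.0", "security_fix": True,  "reviewed": False},
    "unused":    {"version": "9.9.9", "security_fix": True,  "reviewed": True},
}}
SAMPLE_INSTALLED = {"gallery": "2.0.0", "shoutbox": "1.2.9", "seo-tools": "3.0.4", "other": "1.0"}
SAMPLE_POLICY = {"gallery": "auto", "seo-tools": "auto"}  # shoutbox defaults to manual


def run_demo() -> list:
    """Verify the sample manifest, then compute the notices for the sample site."""
    body = json.dumps(SAMPLE_MANIFEST, sort_keys=True).encode()
    manifest = verify_manifest(body, sign_manifest(body))
    return check_updates(SAMPLE_INSTALLED, manifest, SAMPLE_POLICY)


def tampered_manifest_is_rejected() -> bool:
    """A manifest altered after tagging (by anyone without the pinned key) fails verification."""
    body = json.dumps(SAMPLE_MANIFEST, sort_keys=True).encode()
    tag = sign_manifest(body)
    tampered = body.replace(b'"2.0.1"', b'"2.0.2"')
    try:
        verify_manifest(tampered, tag)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for notice in run_demo():
        flag = "SECURITY" if notice.security_fix else "update"
        print(f"[{flag}] {notice.addon_id}: {notice.installed} -> {notice.available} ({notice.action})")
    print("tampered manifest rejected:", tampered_manifest_is_rejected())
```

Run as-is, the demo reports three notices: the two security fixes first (`gallery`, which is auto-applied because its add-on is set to auto and the release is reviewed; `seo-tools`, which is queued despite the auto setting because the release is unreviewed), then the plain `shoutbox` update queued under the default manual policy. The `unused` add-on in the repo produces nothing because the site has not installed it, which is exactly the "only those people" targeting from post #4.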
 

RobinHood

Well-known member
#19
The theme that I use on one of my WordPress sites is Avada, they have a great built in patching system.

You get an alert in the admin control panel when patches are available, then you can view all the patches and apply them with a 1-click install. It's brilliant, I don't have to rely on any external sites, download anything to my PC only to upload it again to my server, watch any threads or check a box. If the theme is installed, you get the notification.

You can see the 3 different stages of each patch in the screenshot below.

First you can see that there's 2 patches available from the red circle on the right.

Then for the first patch you can see it's been successfully applied.

The second patch is ready to apply, clicking the button will install it.

The third patch is greyed out until the second patch is applied so the patch / upgrade path is followed correctly.

It really is a very useful and easy to use system.

[Screenshot: 1511695069173.png]
 
#20
Completely disagree.

Very often, developers will patch critical vulnerabilities without giving it any notice in the release notes. A release might contain a patch for a security issue as well as some minor bug fixes, and the patch note might contain information about the bugs and sometimes something else (non-security issue related) to imply that people should update.

A lot of software developers in various industries adopt this policy. It prevents exploitation of major security issues. Forum administrators aren't exactly the types of people to stay up to date with software updates, especially if you have 99 add-ons or so, it becomes a pain in the ass to keep them up to date (see last paragraph), so a lot of people will keep using outdated versions that just get the job done. It's not very productive to bring attention to a security issue that many people don't know about, or perhaps nobody else knows about and it was discovered internally whilst working on an update.

This brings attention to security issues and is more likely to be used by people to exploit forums more than anything else. Major vulnerabilities should be kept low key for the initial period after the patch, at least, to give people time to update before announcing the issue to the world (as per responsible disclosure).

Instead, you should aim to keep up to date with all releases, vulnerability or not.

Additionally, XenForo should take lead here and create a system for automatic updating through the ACP, either with one-click or completely automatically. A specification should be made for implementation by add-on developers to facilitate automatic updating of paid add-ons. This resolves this issue and additionally encourages forum admins to stay up to date with the latest updates.
So do I, totally disagree.