XF.com suggestion: Always email users who downloaded vulnerable addon releases

Alpha1
XenForo.com hosts the add-on files of free add-ons. Currently, when a vulnerability or exploit is discovered, only the people who watch the resource with email notifications receive an email about it.

I would like to suggest functionality so that all users who downloaded vulnerable code receive an email notification.

For example, a tickbox on resource updates for vulnerabilities, which would trigger a mail shot and highlight the update.
 
While I applaud your intentions, I don't think this is a good idea.

Quite often I download an add-on to debug an incompatibility or a problem on one of my client's sites. However, after downloading I "unwatch" the add-on because I have no interest in receiving any notifications about it.

I would not appreciate receiving an email about it when I'm not watching it.
 
I see where you are coming from.
I never watch with email. I have installed a mass of add-ons and I do not need an email every time there is a hotfix, because this happens every day of the year. But I would appreciate getting an email about a vulnerability, because security is at risk. I think damage control is important.
Maybe there could be an opt-out for vulnerability emails.
 
Orrrrrr there could be a system where updates and notifications could get pushed straight to any forum install's ACP.

So all the sites that actively have it installed, and only those people get the notification. It could trigger an on site notification for any designated users or email a specific admin defined email address for that particular site.

That would target exactly everyone who needs to know about it, and only those people.
 
Completely disagree.

Very often, developers will patch critical vulnerabilities without giving it any notice in the release notes. A release might contain a patch for a security issue as well as some minor bug fixes, and the patch note might contain information about the bugs and sometimes something else (non-security issue related) to imply that people should update.

A lot of software developers in various industries adopt this policy. It prevents exploitation of major security issues. Forum administrators aren't exactly the types of people to stay up to date with software updates, especially if you have 99 add-ons or so, it becomes a pain in the ass to keep them up to date (see last paragraph), so a lot of people will keep using outdated versions that just get the job done. It's not very productive to bring attention to a security issue that many people don't know about, or perhaps nobody else knows about and it was discovered internally whilst working on an update.

This brings attention to security issues and is more likely to be used by people to exploit forums more than anything else. Major vulnerabilities should be kept low key for the initial period after the patch, at least, to give people time to update before announcing the issue to the world (as per responsible disclosure).

Instead, you should aim to keep up to date with all releases, vulnerability or not.

Additionally, XenForo should take lead here and create a system for automatic updating through the ACP, either with one-click or completely automatically. A specification should be made for implementation by add-on developers to facilitate automatic updating of paid add-ons. This resolves this issue and additionally encourages forum admins to stay up to date with the latest updates.
 
That would target exactly everyone who needs to know about it, and only those people.
You're not really keeping it silent here. That implies two things, which are not true:
  1. Word doesn't spread. Forum admins will patch and then immediately come here to discuss the issue and rant at the developer for having the issue there in the first place, exposing the issue to the world.
  2. License holders, or all downloaders (in the case of free add-ons), are all trustworthy with no malicious intent. We have many license holders that have a license to distribute pirated copies. It's not a stretch to assume that we have license holders that would exploit issues as they were brought to light.

There's no "need to know" as you imply in this situation. Releasing information to forum admins is the same as releasing information publicly to everyone.
 
Additionally, XenForo should take lead here and create a system for automatic updating through the ACP, either with one-click or completely automatically. A specification should be made for implementation by add-on developers to facilitate automatic updating of paid add-ons. This resolves this issue and additionally encourages forum admins to stay up to date with the latest updates.
Automatic updates? Absolutely not.

Too many people customize code to do automatic updates to any add-on.
 
Automatic updates? Absolutely not.

Too many people customize code to do automatic updates to any add-on.
They should create an additional add-on to modify an add-on, as good practice.

But as I said:
automatic updating through the ACP, either with one-click or completely automatically

Toggle it to be either automatic or manual (one-click to upgrade), per add-on.
 
You're not really keeping it silent here. That implies two things, which are not true:
  1. Word doesn't spread. Forum admins will patch and then immediately come here to discuss the issue and rant at the developer for having the issue there in the first place, exposing the issue to the world.
  2. License holders, or all downloaders (in the case of free add-ons), are all trustworthy with no malicious intent. We have many license holders that have a license to distribute pirated copies. It's not a stretch to assume that we have license holders that would exploit issues as they were brought to light.

There's no "need to know" as you imply in this situation. Releasing information to forum admins is the same as releasing information publicly to everyone.

I wasn't using "need to know" in the context of trying to keep things quiet or secret, but more about not spamming people who have no interest in getting an update, i.e. someone who may have used it in the past but isn't actively using it at that moment in time.

If you have an add on installed that has an update or security alert available, then you need to know about it because you're actively using it on a live site and should be made aware in case there's an important reason to upgrade it.
 
I requested this in 2010.
It makes sense to minimize the damage during a critical time but I don't think Xenforo Ltd was interested in this in 2010.
 
If you have an add on installed that has an update or security alert available, then you need to know about it because you're actively using it on a live site and should be made aware in case there's an important reason to upgrade it.
Agreed, hence the watch resources functionality. Forum admins should keep software up to date. All updates are important.
 
Watching the resource on xf.com has no correlation to the sites you then install it to, though.

XF should auto detect all plugins a forum has installed, and notify the admin if there’s a newer version available in a designated repo without having to watch some thread somewhere.
 
XF should auto detect all plugins a forum has installed, and notify the admin if there’s a newer version available in a designated repo without having to watch some thread somewhere.

Pretty sure that there is an add-on (at least for 1.5 and probably will be ported to 2.x) that performs that function admirably.
 
either with one-click or completely automatically.

This would need to be monitored by the XenForo staff, so it would take quite a bit of resources. If it was just a non-monitored automatic updater, it could potentially open the doors to hackers for a ton of forums. Essentially it would take one plugin author becoming compromised and pushing an update to the add-on that creates a backdoor, at which point any site with automatic updates would be open to compromise, as well as those who deployed the update manually.

Sure it can happen now with the resources area but the impact would be much less significant vs those who simply sit back and enjoy automatic updates.

In theory, I like the idea though :).
 
Very often, developers will patch critical vulnerabilities without giving it any notice in the release notes. A release might contain a patch for a security issue as well as some minor bug fixes, and the patch note might contain information about the bugs and sometimes something else (non-security issue related) to imply that people should update.

They most certainly shouldn't do this ever. There are a lot of people that customize add-ons and don't want to upgrade unless they absolutely need to because of the extra hassle due to their customizations. Not to mention XenForo requires disclosing vulnerabilities.
 
I think it would be nice if the form to add a new version had a tickbox to denote a new version as a vulnerability fix.
This flag could then be used to highlight the update and maybe display a notice on the resource.
Add-ons like @Chris D 's Addon Installer could hook into this and display an admin CP notification of some sort, or maybe even a front-end alert to the admin. That would be even more effective than email for those admins who actively visit their sites.
 
The theme that I use on one of my WordPress sites is Avada, they have a great built in patching system.

You get an alert in the admin control panel when patches are available, then you can view all the patches and apply them with a one-click install. It's brilliant: I don't have to rely on any external sites, download anything to my PC only to upload it again to my server, watch any threads or check a box. If the theme is installed, you get the notification.

You can see the 3 different stages of each patch in the screenshot below.

First, you can see that there are 2 patches available from the red circle on the right.

Then for the first patch you can see it's been successfully applied.

The second patch is ready to apply, clicking the button will install it.

The third patch is greyed out until the second patch is applied so the patch / upgrade path is followed correctly.

It really is a very useful and easy to use system.

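The two proposals above (a "vulnerability fix" flag on resource updates that an ACP-side installer could surface, and the Avada-style patcher that greys out a later patch until the earlier one is applied) can be sketched as a small update checker. This is an added example, not XenForo's, Addon Installer's or Avada's code; the repository feed, the installed add-on list, the add-on ids and the `security_fix` flag are all constructed here for illustration, and it assumes plain dotted numeric version strings with no pre-release suffixes.

```python
"""Added example: an ACP-style update checker for installed add-ons.

Everything below is constructed for illustration. The feed format, the
`security_fix` flag and the add-on ids are assumptions, not XenForo's real
data model or API.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.1.10' into (2, 1, 10) so versions compare numerically.

    A plain string comparison would rank '1.9.9' above '1.10.0'.
    Assumes dotted numeric versions only (no 'Beta 3' suffixes).
    """
    return tuple(int(part) for part in v.strip().split("."))


@dataclass(frozen=True)
class Release:
    version: str
    security_fix: bool = False  # the "vulnerability fix" tickbox proposed above


# Constructed repository feed: add-on id -> releases, oldest first.
REPO_FEED = {
    "example/gallery": [
        Release("1.0.0"),
        Release("1.0.1"),
        Release("1.1.0", security_fix=True),
    ],
    "example/spamguard": [
        Release("3.2.0"),
        Release("3.2.1", security_fix=True),
        Release("3.3.0"),
    ],
    "example/widgets": [Release("2.0.0")],
}

# Constructed inventory of what this particular site has installed.
INSTALLED = {
    "example/gallery": "1.0.1",
    "example/spamguard": "3.1.9",
    "example/widgets": "2.0.0",
}


@dataclass
class Notice:
    addon: str
    installed: str
    pending: list  # Release objects newer than `installed`, oldest first

    @property
    def security(self) -> bool:
        # Any pending release flagged as a vulnerability fix makes the
        # whole notice security-relevant, even if later releases are not.
        return any(r.security_fix for r in self.pending)

    @property
    def next_step(self) -> str:
        # Upgrade path: only the oldest pending release is offered; later
        # ones stay "greyed out" until it has been applied.
        return self.pending[0].version

    @property
    def latest(self) -> str:
        return self.pending[-1].version


def check_updates(installed: dict, feed: dict) -> list:
    """Compare the site's inventory against the feed and return notices,
    security-relevant ones first so the ACP surfaces them at the top."""
    notices = []
    for addon, current in installed.items():
        current_v = parse_version(current)
        pending = sorted(
            (r for r in feed.get(addon, []) if parse_version(r.version) > current_v),
            key=lambda r: parse_version(r.version),
        )
        if pending:
            notices.append(Notice(addon, current, pending))
    notices.sort(key=lambda n: (not n.security, n.addon))
    return notices


def render(notices: list) -> list:
    """One ACP-style line per notice; the [SECURITY] tag is the highlight."""
    lines = []
    for n in notices:
        tag = "[SECURITY] " if n.security else ""
        lines.append(
            f"{tag}{n.addon}: {n.installed} -> {n.latest} (next step: {n.next_step})"
        )
    return lines


if __name__ == "__main__":
    for line in render(check_updates(INSTALLED, REPO_FEED)):
        print(line)
```

Run stand-alone, the script lists `example/gallery` and `example/spamguard` as needing updates, both tagged `[SECURITY]`, and offers `3.2.0` rather than `3.3.0` as the next step for spamguard because the security fix sits in the middle of its upgrade path. Note that the checker only decides what to show; it deliberately does not apply anything, which is where the thread's concern about a compromised author pushing a backdoored release comes in: an automatic applier would need a review or signing step in front of it that this example does not provide.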
 
I just read a really fascinating case history about a well-established WordPress plugin with 300K active installs: it was purchased by a bad actor, and a backdoor was installed in a later update.

The plugin was removed from the WP plugin repo without any indication about the back door, so WordFence Security (a 3rd party WP security company with a premium subscription plan) investigated to try and figure out the reason why.

They ended up discovering that someone who had a history of buying plugins in order to distribute and produce links on the site owners websites, linking to their loan companies to improve their SERPS, was behind the purchase.

The most interesting part I found, was that WF Security was able to work with WP.org and use their automatic plugin updater system to help distribute a patched version of the plugin to over 100K sites in just a few days.

We have also been working with the WordPress.org plugins team to get out a patched version of Captcha (4.4.5) that is backdoor-free. The plugins team has used the automatic update to upgrade all backdoored versions (4.3.6 – 4.4.4) up to the new 4.4.5 version. Over the course of the weekend over 100,000 sites running versions 4.3.6 – 4.4.4 were upgraded to 4.4.5. They have also blocked the author from publishing updates to the plugin without their review.

Very cool stuff imo, and it really highlights the benefit of having some kind of centralised plugin repo, ACP update system and the ability to push automatic updates for security reasons.

I hope we can get something like this for XF as soon as possible.

Full story here
 