WordPress.org

WordPress Store Locator
Sloppy code and a LOT of security issues (8 posts)

  1. annoyingmouse
    Member
    Posted 1 year ago #

    I'm banning this plugin from my servers.

    • This plugin is coded sloppily, which makes it hard to read and check for vulnerabilities
    • [Details of possible security issues moderated for obvious reasons.]

    I could keep going on for a couple of hours, but I got more work to do.

  2. esmi
    Forum Moderator
    Posted 1 year ago #

    Please do not post details of any security issues here. Send them to plugins@wordpress.org.

  3. annoyingmouse
    Member
    Posted 1 year ago #

    @esmi: Thanks, I will.
    Shouldn't there be a link "report security issue" to make it clear what to do when you find issues?

  4. esmi
    Forum Moderator
    Posted 1 year ago #

  5. Viadat
    Member
    Plugin Author

    Posted 1 year ago #

    @annoyingmouse It doesn't appear that you have actually made contact with us first via the website about this matter, so please do so.

    Rest assured, in the 5 years of running the Store Locator plugin, we've never had any security issues brought up -- so you would be the very first.

    Looking at your WordPress profile, it appears that you are a security expert, correct? Would actually love for you to be a private security tester for us, always great to have outside eyes giving insights or feedback (private, because as moderator @esmi points out, part of security is handling it securely -- in case there are any mal-intended people out there).

    About allegations of sloppy code, please read Joel Spolsky's (founder of the beloved website for developers, Stack Overflow, and the software that runs it, Stack Exchange) article, "Things You Should Never Do, Part I" (http://www.joelonsoftware.com/articles/fog0000000069.html).

    Just an Excerpt:

    The idea that new code is better than old is patently absurd. Old code has been used. It has been tested. Lots of bugs have been found, and they've been fixed. There's nothing wrong with it. It doesn't acquire bugs just by sitting around on your hard drive. Au contraire, baby! Is software supposed to be like an old Dodge Dart, that rusts just sitting in the garage? Is software like a teddy bear that's kind of gross if it's not made out of all new material?

    The point is, after 5 years of development, if you're just meeting the code now, of course it may be intimidating to you, but believe me, it's battle-tested and security-inspected. However, 2.0 actually has focused a bit on organizing some aspects of it -- without losing the benefits of years of testing and bug fixes.

    Security testing is a routine part of the Store Locator updates -- checking for potential database vulnerabilities, making sure the filesystem is secured while still allowing the plugin to perform its duties, making sure to take advantage of the WordPress security hardening that occurs during their updates, making sure to reveal as little as possible on client-facing portions -- amongst other things (personal background: have worked two National Census projects as an IT consultant -- Canada 2006 & USA 2010, so I know a bit about security myself).

    Most importantly, your feedback would be truly welcomed @annoyingmouse, please do so very soon via email so it can be considered for the 2.0 release ... all the best.

  6. Viadat
    Member
    Plugin Author

    Posted 1 year ago #

    @annoyingmouse and all who may read this, v1.9.6, the latest update (last night), addresses any concerns. Rest assured, v1.9.5, and previous versions are safe as well and have been tested as such.

    In v1.9.6, another layer of protection -- in addition to the several that already are in place -- is now there via further user input preparation.

  7. Josh Levinson
    Member
    Posted 10 months ago #

    I strongly disagree with most of what you've said viadat.

    The quote given was not written in this same context - WordPress, PHP, and the web in general DO update.

    Vulnerabilities come up that must be addressed. The statement "There's nothing wrong with it. It doesn't acquire bugs just by sitting around on your hard drive" is not applicable to public code hosted on the web. I can only see that quote being applicable in the case of a niche desktop application whose host computer has no connection whatsoever to the Internet.

    The main problem I have with this plugin is its disregard for WordPress coding standards - using the WordPress API and functions when applicable. For example:

    if (!defined("DB_USER")){
    	if (file_exists("./wp-config.php")){@include("./wp-config.php");}
    	elseif (file_exists("../wp-config.php")){@include("../wp-config.php");}
    	elseif (file_exists("../../wp-config.php")){@include("../../wp-config.php");}
    	elseif (file_exists("../../../wp-config.php")){@include("../../../wp-config.php");}
    	elseif (file_exists("../../../../wp-config.php")){@include("../../../../wp-config.php");}
    	elseif (file_exists("../../../../../wp-config.php")){@include("../../../../../wp-config.php");}
    	elseif (file_exists("../../../../../../wp-config.php")){@include("../../../../../../wp-config.php");}
    	elseif (file_exists("../../../../../../../wp-config.php")){@include("../../../../../../../wp-config.php");}
    	elseif (file_exists("../../../../../../../../wp-config.php")){@include("../../../../../../../../wp-config.php");}
    	$username=DB_USER;
    	$password=DB_PASSWORD;
    	$database=DB_NAME;
    	$host=DB_HOST;
    }

    and sl_head_scripts doing this:
    print "<script src='".SL_JS_BASE."/functions.js' type='text/javascript'></script>\n";

    This is in the latest version (2.4) of your plugin.

    I really don't mean to sound like a jerk, but after taking on a project from a helpless site owner who is using your plugin, I felt that these issues should be brought forth.

    Best Regards.
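The two snippets quoted in the post above, rewritten against the WordPress API. This is an added example for readers of the thread, not code from the Store Locator plugin or from either poster; the handle `sl-example-functions`, the path `js/functions.js`, the AJAX action `sl_example_lookup` and the table `sl_example_stores` are placeholders. A file that walks up parent directories looking for wp-config.php is a file that expects to be requested directly by the browser, outside WordPress; the fix is to let WordPress load the file (ABSPATH guard, admin-ajax.php hook), so `$wpdb` is already connected, credentials never enter plugin scope, and nonce checks apply.

```php
<?php
/*
 * Added example, not Store Locator's code. Assumes it lives in a plugin's main
 * file; the handle, script path, AJAX action and table name are placeholders.
 */

// Refuse direct requests: WordPress defines ABSPATH when it loads the plugin,
// so fetching this file straight from the web server produces nothing.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Scripts: register through the API instead of printing a <script> tag.
// plugins_url() resolves the real URL and WordPress handles ordering,
// dependencies and cache-busting via the version string.
function sl_example_enqueue_scripts() {
    wp_enqueue_script(
        'sl-example-functions',                      // placeholder handle
        plugins_url( 'js/functions.js', __FILE__ ),  // placeholder path
        array( 'jquery' ),
        '1.0.0',
        true
    );
    // Hand the endpoint and a nonce to the script instead of hard-coding them.
    wp_localize_script( 'sl-example-functions', 'slExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'sl_example_lookup' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'sl_example_enqueue_scripts' );

// Database: route lookups through admin-ajax.php so the request runs inside
// WordPress. $wpdb is already connected; DB_USER/DB_PASSWORD are never read here.
function sl_example_lookup() {
    check_ajax_referer( 'sl_example_lookup', 'nonce' ); // dies on a missing or stale nonce

    global $wpdb;
    $table = $wpdb->prefix . 'sl_example_stores';        // placeholder table name
    $zip   = isset( $_POST['zip'] ) ? sanitize_text_field( wp_unslash( $_POST['zip'] ) ) : '';

    // Validate the one user-supplied value before it reaches the query.
    if ( ! preg_match( '/^\d{5}$/', $zip ) ) {
        wp_send_json_error( array( 'message' => 'invalid zip' ), 400 );
    }

    // prepare() binds the value; the table name comes from $wpdb->prefix, not from input.
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT id, name, address FROM {$table} WHERE zip = %s LIMIT 50", $zip ),
        ARRAY_A
    );

    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_sl_example_lookup', 'sl_example_lookup' );        // logged-in users
add_action( 'wp_ajax_nopriv_sl_example_lookup', 'sl_example_lookup' ); // anonymous visitors
```

The practical difference for a site owner reviewing a plugin: with this structure every request passes through WordPress's own bootstrap, so the ABSPATH guard, nonce verification and `$wpdb->prepare()` all apply, and a file that never includes wp-config.php has nothing to leak if it is reached by mistake.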

  8. Josh Levinson
    Member
    Posted 9 months ago #

    I apologize for my public display of stupidity. I should have brought forth these issues privately. A public display was not my intention, but was simply due to my laziness and impulsiveness after staring at code late at night. Thank you for handling http://wordpress.org/support/topic/must-agree-with-annoying-mouse better than I did.

Topic Closed

This topic has been closed to new replies.
