Coming back online or still security flaws? (Plugin: ARI Adminer - WordPress Database Manager)

  • Resolved Maarten Belmans

    (@maartenbelmans)


    Hi there,

    I’m just wondering: is the plugin coming back online at some point or what’s the status of this? Does it contain security flaws? In that case, you may want to delete the infected version(s) from SVN?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author arisoft

    (@arisoft)

    Hello

    The plugin doesn’t have any known security vulnerabilities.

    Maarten Belmans

    (@maartenbelmans)

    Can you inform us why the plugin is closed permanently? Usually this only happens if there is a good reason for it.

    Maarten Belmans

    (@maartenbelmans)

    Plenty of people have already asked on this forum what the status is. For some reason, you are not answering any of them so I take it there is indeed a security issue going on and you don’t want to disclose it.

    Plugin Author arisoft

    (@arisoft)

    We provided all the information which we received from the plugins repository support team. They didn’t specify any particular security problems in the latest version of the plugin. The support team doesn’t like that the plugin is a bridge between WordPress and the Adminer application.

    kshbu0

    (@kshbu0)

    Thanks for clarifying the real problem and we all are happy that there IS no security flaw. A “bridge” plugin between WP and a “third party” program should not be a show stopper. AriAdminer is a well recognized plugin and I could not do without it. Installing phpMyAdmin to tinker with the tables seems an overkill and is not possible without root access to the server. Please keep up the good work! Thanks, Egbert Jan from NL

    This is really unfortunate. What is the point of the WordPress plugin repository, if not providing opensource, useful, safe plugins? As a user, I don’t care if it’s internally making use of another opensource project. Would my plugin be banned for embedding, say, a minified version of Bootstrap? It feels like an arbitrary decision to me (but please feel free to correct me if I’m wrong) – and I’m sorry it happened to you as a plugin author.

    @zaantar Please keep in mind that we don’t know the real reason for the ban. Most probably the ban was the result of one or more rules being broken. The plugin team is always more than happy to reverse a decision. If they didn’t, it means the plugin is lacking in some way.

    On a sidenote: it can be argued that adding a whole database GUI to your WP admin is a bad idea. It opens you up to all sorts of security issues. Even if the plugin itself is completely secure, another plugin may not be and thus grant an attacker complete database access. The plugin team may have anticipated that and then decided not to include this plugin in the repository. If they did, I actually agree with that decision. Most WP admins don’t have the knowledge to distinguish when a plugin is a good idea or not. The fact that it’s in the repo is validation enough for them. So the WP team is just helping such users out by making the decision for them.

    @maartenbelmans, given that there seem to be no known vulnerabilities in the plugin, your explanation (about exposing the database to the admin) would make sense. Still, it would have been useful to communicate this more clearly, at the very least… and protecting some people (specifically WordPress admins who IMHO can be expected to at least give it a second thought before installing any plugin) against themselves makes things inconvenient for everyone else, instead of, say, asking for a big fat warning in the plugin description and allowing everyone to decide for themselves with this information available.

    I understand all this is debatable… but removing a plugin from the repository seems like a rather dramatic move, especially when the reasons are not explained clearly.

    Just my personal opinions, of course. 🙂
