Temporarily closed
-
Got a ‘critical warning’ (via Wordfence) and the Plugin homepage says the plugin is temporarily closed pending a full review. Is the plugin continuing or is this just a glitch? Thanks.
- This topic was modified 1 year, 3 months ago by sardamrt.
-
Hello. I understand. I will fix this error in a week or so. Unfortunately at this time I am moving countries and just don’t have the time to work on this so for a bit this will have to remain the case. It will be fixed though.
Cheers,
JeremyNo problems, thanks for the plugin and the response. All the best with the move!
Good evening Jeremy @cyberws, hope the move went well.
I was wondering if there is a timeframe for the fix.
Thank you!Happy New Year!
And another incentive @cyberws for this correction and further maintenance of the plugin – which is excellent 🙂
Thank you. I did start working on a patch. I need to get it fixed this Jan 2024 for multiple reasons. I will work on getting it uploaded to WP and shall see if they will unlock the plugin. I will post back to this thread.
- This reply was modified 11 months, 1 week ago by Me.
Okay I started the patch and have security tokens being generated. The code is in place to check for mismatches between two tokens. This will stop any cross site scripting attacks (which would be so rare).
I now need to add the security token to all links and form submissions. I should have this done by Monday and will then submit to the WordPress team for a review and hopefully reactivation.
I can’t say how long that will take but will post here again when I have submitted the code. I appreciate your patience as life called me to other duties.
Cheers,
JeremyI have released version 3.4 which patches the issue. The new code is now in the WP system. I sent an email to the WP team to reopen the plugin. We shall see how fast that goes.
I will post again when the plugin has been turned back on or if they deny the request.
Cheers,
JeremyDear Jeremy,
I hope you are well.
I’ve been following this thread, and wonder what the issue is/was with the plugin that led it to being suspended? Is it a very serious issue?
As I’m using a different version of the plugin and it’s continued to function as normal. However, once the newly patched updated plugin is released, I suppose will no doubt have to get it reworked to permit it to function in the manner it currently does, while benefiting from the security patch.
At any rate, thanks for your ongoing support with this plugin – greatly appreciated.
Sincerely,
SA
You are fine on your version. I agree the issue needed patching but the risk was very minor. There were never any examples of real world attacks.
1) You would need to be logged into your site.
2) Visit another website that say had the delete form on it.
3) You were tricked and clicked the delete button on that site it could send a delete request to your server to delete data.
So you have to be tricked into thinking you are on your website when you are on someone else’s. You also must be logged into WP or the attack fails.
Therefore if you pay attention and don’t get confused that you are on another site to manage your daily quotes no risk. However the latest version will stop that even if you aren’t paying attention. So again low risk but yeah technically a security issue.
Cheers,
JeremyDear Jeremy,
Thanks vvery much for the detailed explanation. It does seem to be a scenario that’s highly unlikely to occur.
In light of your clarification I’ll leave matterscas they are.
Again, thanks a lot for the plugin and for yiour continued support and development of it. As well as your taking the time to respond on this forum.
Sincerely ,
SA
The WP team rejected the accepted token practice and thus refuses to turn the plugin back on. So I am now officially abandoning any further public development.
I now consider this matter closed due to WP’s anti-developer stance.I appreciate the interest in this plugin and hope it has served you well and good luck with future endeavors.
Cheers,
JeremyThanks for the updates Jeremy and your work trying to get the plugin back up and running. Sorry your efforts were in vain. Thanks again.
Dear Jeremy,
This is sad news!
Out of interest, did WordPress give you any feedback as to why your proposed solution was unacceptable?
Otherwise, I’d like to thank you for your work on, and support of, this plugin over many years.
Wishing you all the best in your future endeavours.
Sincerely,
SA
If you want the newly patched version:
1) Go to http://www.cyberws.com
2) On the contact page select “WordPress Plugin Suggestion”
3) Simply let me know through that form that you want the latest version.
4) Obviously fill out the form with your email.
I’ll send you an email with the files. You just need to upload the files to your plugin directory/folder and overwrite the old files.
You may need to add support at cyberws dot com to your white list. Or at least check your spam/junk folders for a day or so as my response may end up in that area.
I appreciate all your support community!
I was told I had not modified the code to address XSS. I did indeed if they would actually review the code! In version 3.4 there are tokens generated that are embedded into the forms and links. The server stores a matching key.
I did not use cookies because often a cookie code will be added automatically by a browser to even malicious links. The token even resets on every access of the main plugin page (where no deleting or updating can occur). Thus eliminating an attacker’s ability to just grab a previous key and try to feed that into some malicious call.
A key embedded into the page that rotates is the proper way to deal with XSS attackers but WP rejects this so, whatever. WP has a history of not following proper security themselves (Google/Bing/DuckDuckGo WP’s poor security record). Anyway I can’t say I am surprise they fail to understand this concept.
I don’t have the time to jump through all their unfriendly hoops.If for some reason WP decides to play better, which I doubt, I will return to this plugin publicly.
Cheers,
JeremyDear Jeremy,
Thanks ffor the further comments. I will be in touch soon to obtain a copy of this new version (although, I might not use it in view of one of your previous comments).
I will likely also look to politely complain (hope you don’t mind) to WordPress directly about the manner in which they have treated you and handled tthis situation. Perhaps it will persuade WP to reconsider.
If that’s OK with you, I’d encourage others who use your plugin(s) to do the same – politely raise the issue with WP and encourage them to reacrivate your plugin.
Thanks again.
Sincerely,
SA
- The topic ‘Temporarily closed’ is closed to new replies.