Page 12 of 12 FirstFirst ... 2101112
Results 111 to 118 of 118

Thread: My plugin removed from WP.org extend directory

  1. #111
    Ryan's Avatar
    Ryan is offline WordPress Legend
    Join Date
    Jan 2009
    Location
    New Zealand
    Posts
    2,797

    Default

    I'm far from an expert, but I've had a good poke through the code recently and from what I can tell, the security exploit would take an interesting combination of factors to become a problem.

    If we were rating threads for their usefulness, I'd put this one at the very top. I've learned more about security from this topic than I ever have before. Even though there isn't a lot of information in here about how the security vulnerability could work, it motivated me to do a lot of research into how such attacks "could" happen and this has been incredibly helpful in my own understanding of web security.

    It has also made me more paranoid

  2. #112
    aldenml's Avatar
    aldenml is offline Hello World
    Join Date
    Jan 2010
    Location
    USA
    Posts
    62

    Default

    OK, the new version is 1.6.10.1; let me tell you the differences:

    aioseop.class.php

    line 5: var $version = "1.6.10.1";

    all_in_one_seo_pack.php

    line 7: Version: 1.6.10.1
    line 557: return '1.6.10.1';
    line 640: // $aioseop_options['aiosp_donate'] = "0";


    I can't see any change regarding the security issues.

  3. #113
    chipbennett's Avatar
    chipbennett is offline WordPress Legend
    Join Date
    Feb 2009
    Location
    St. Louis, MO
    Posts
    1,993

    Default

    Quote Originally Posted by Ryan View Post
    I'm far from an expert, but I've had a good poke through the code recently and from what I can tell, the security exploit would take an interesting combination of factors to become a problem.
    Which brings us full-circle, back to the original question: why was Alden's plugin removed from the repository in the first place?

    If we were rating threads for their usefulness, I'd put this one at the very top. I've learned more about security from this topic than I ever have before. Even though there isn't a lot of information in here about how the security vulnerability could work, it motivated me to do a lot of research into how such attacks "could" happen and this has been incredibly helpful in my own understanding of web security.

    It has also made me more paranoid
    That isn't always a bad thing. Remember Steve Gibson's security axiom: TNO (Trust No One).
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  4. #114
    aldenml's Avatar
    aldenml is offline Hello World
    Join Date
    Jan 2010
    Location
    USA
    Posts
    62

    Default

    Quote Originally Posted by Jeffro View Post
    Based on new information today, the security changes went into AIOSEO and the pro version.
    Can you confirm the information? I can't see any relevant change in the source code besides the version number.

  5. #115
    andreasnrb's Avatar
    andreasnrb is offline Kegger
    Join Date
    Jun 2009
    Posts
    594

    Default

    Quote Originally Posted by Ryan View Post
    I'm far from an expert, but I've had a good poke through the code recently and from what I can tell, the security exploit would take an interesting combination of factors to become a problem.
    I know. Which was my initial reaction also. Which is why I thought Mark J should come and tell us the security problems he found.

  6. #116
    Jeffro's Avatar
    Jeffro is offline WPTavern Forum Admin
    Join Date
    Jan 2009
    Location
    Ohio
    Posts
    2,358

    Default

    Quote Originally Posted by aldenml View Post
    Can you confirm the information? I can't see any relevant change in the source code besides the version number.
    I thought I heard from others that the security updates went into the new version. Maybe I was wrong. Hard to contemplate a security fix going this long without being implemented.

  7. #117
    FolioVision's Avatar
    FolioVision is offline Hello World
    Join Date
    Jan 2010
    Location
    Vienna/Bratislava
    Posts
    4

    Default

    The pulling of Alden's plugin and ours was extremely suspicious. I would not trust Michael Torbert at this point. Mark Jacquith appears to have been the one to clean up a very dubious situation. Which he did efficiently and cordially. I'd still like to know the identity of the hidden informer.

    For those who would like to keep complete cross-compatibility with All in One but benefit from safe code, our FV All in One SEO Pack has both. In any case, I would suggest moving to either Alden's SEO plugin or ours. Both of us drop the obnoxious advertising and improve the interface.

  8. #118
    chipbennett's Avatar
    chipbennett is offline WordPress Legend
    Join Date
    Feb 2009
    Location
    St. Louis, MO
    Posts
    1,993

    Default

    Quote Originally Posted by FolioVision View Post
    The pulling of Alden's plugin and ours was extremely suspicious. I would not trust Michael Torbert at this point. Mark Jacquith appears to have been the one to clean up a very dubious situation. Which he did efficiently and cordially. I'd still like to know the identity of the hidden informer.
    I really think what happened here should be fully brought to light. Those involved - as well as the half-million AIOSEOP users - really do have a right to know the details of what happened here.

    For those who would like to keep complete cross-compatibility with All in One but benefit from safe code, our FV All in One SEO Pack has both. In any case, I would suggest moving to either Alden's SEO plugin or ours. Both of us drop the obnoxious advertising and improve the interface.
    And thanks to both of you, for demonstrating the best of the free software philosophy, by improving on code and contributing it back to the community.
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins
