Page 1 of 3 (results 1 to 10 of 28)

Thread: All in One SEO Pack must be suspended until the security vulnerabilities are fixed

  1. #1 aldenml (Hello World, joined Jan 2010, USA, 62 posts)

    All in One SEO Pack must be suspended until the security vulnerabilities are fixed

    Hello All,

    I will assume you have some sort of familiarity with a not so distant incident with a few forks of the All in One SEO Pack regarding security vulnerabilities. The result of this incident is that it was quite well documented that All in One SEO Pack and the forks suffered from important vulnerabilities.

    Shortly after the incident, the forks fixed (part of) the problems, but All in One SEO Pack remains with all the problems, without a single line of code changed in order to address the issue (3 months). Even worse, the only change made by the author (Michael Torbert) is a single change in the version number (twice!!).

    It happens that the security issue was very controversial because it was only proven at the Administrator level. Today, I was able to perform the attack (javascript injection) with only the Editor level.

    I will disclose the method only to a few people (including Jeffro, andreasnrb, Ryan and chipbennett) if they want it.

    Even my plugin, Light SEO, remains with the issue, and I will not fix it until All in One SEO Pack is fixed. So, if the WP repo admin, WP programmers elite, MarkR, the hidden (un)trusted programmer, want to yank my plugin, fine, no problem, but you need to suspend All in One SEO Pack too.

    Jeffro, you have an ad spot for All in One SEO Pack, so you are promoting a plugin with a big security issue.

    I just made such a bad decision taking All in One SEO Pack as a study case. I can't believe how a plugin so poorly programmed is so popular. The real benefits are almost close to nothing.

  2. #2 Ryan (WordPress Legend, joined Jan 2009, New Zealand, 2,801 posts)

    In case anyone is interested in the back story of this:
    My plugin removed from WP.org extend directory
    Another plugin removed from WP.org extend directory [Me too]

    I'm totally baffled how you could do this as an editor. I didn't think it would be possible.

  3. #3 chipbennett (WordPress Legend, joined Feb 2009, St. Louis, MO, 1,997 posts)

    I'm assuming you also sent details of your successful exploit to security@wordpress.org?

    That's the first place to turn - and if you still don't get a response, then I would start to worry...
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  4. #4 Ryan (WordPress Legend, joined Jan 2009, New Zealand, 2,801 posts)

    I thought that address was intended for security issues with WordPress core.

  5. #5 andreasnrb (Kegger, joined Jun 2009, 595 posts)

    Quote Originally Posted by aldenml:
    I just made such a bad decision taking All in One SEO Pack as a study case. I can't believe how a plugin so poorly programmed is so popular. The real benefits are almost close to nothing.
    Hehe, well, since when did popular mean it's good (just look at Lady Gaga =).
    But I do think you should fix it. It just makes your plugin so much better. Just write in the wp.org forums about the problems and issues you're having. I think there were supposed to be some changes to the management procedures on wp.org, but not much seems to have happened there. Don't understand why All In One SEO hasn't been yanked yet. Stupid popularity contest.

    Still think you should go with making a great SEO plugin and call it Hard SEO per my tweet months ago. =)

  6. #6 chipbennett (WordPress Legend, joined Feb 2009, St. Louis, MO, 1,997 posts)

    Quote Originally Posted by andreasnrb:
    Hehe, well, since when did popular mean it's good (just look at Lady Gaga =).
    But I do think you should fix it. It just makes your plugin so much better. Just write in the wp.org forums about the problems and issues you're having. I think there were supposed to be some changes to the management procedures on wp.org, but not much seems to have happened there. Don't understand why All In One SEO hasn't been yanked yet. Stupid popularity contest.

    Still think you should go with making a great SEO plugin and call it Hard SEO per my tweet months ago. =)
    I second the suggestion that you fix the vulnerability for Light SEO.

    I'm curious why you want to wait until AIOSEOP fixes it?

  7. #7 chipbennett (WordPress Legend, joined Feb 2009, St. Louis, MO, 1,997 posts)

    Quote Originally Posted by Ryan:
    I thought that address was intended for security issues with WordPress core.
    Given the, erm, special treatment that AIOSEOP is given by the core team and wordpress.org, I think it is entirely appropriate to report such issues using that address.

    (Besides, didn't one of the Marks (R or Jaquith) also indicate in one of the original threads that using that email address is also appropriate for non-core code such as plugins and themes?)

  8. #8 aldenml (Hello World, joined Jan 2010, USA, 62 posts)

    Hi Ryan,

    I have sent you the details.

    @andreasnrb and @chipbennett, I'd like to see how strong "politics" is inside WP.org. Besides, I have a short term plan for Light SEO and I will give you some insight. AIOSEOP has the potential to hurt your SEO more than any possible help, and it's an extremely slow plugin by nature. Same goes for Light SEO, so you can guess.

    BTW, all the basic bits were provided by Mark Jaquith in the incident; I only discovered how to do it at the Editor level.

    I recommend that all WP plugin developers read this: http://codex.wordpress.org/Function_Reference/wp_kses (suggested to me by M. Jaquith).
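    Following the wp_kses recommendation above, here is an added example (not code from All in One SEO Pack, Light SEO, or the poster) of how a plugin can store and print a per-post SEO description so that nothing an Editor types is ever emitted as live markup in the page head. The exseo_ names, the meta key and the nonce field name are assumptions; the nonce is assumed to be rendered in the meta box with wp_nonce_field( 'exseo_save', 'exseo_nonce' ).

```php
<?php
// Added example, not plugin code. Hypothetical prefix: "exseo_".

// Save: only on a nonce-verified request, only for users allowed to edit
// this post, and only after the value has been reduced to plain text.
function exseo_save_description( $post_id ) {
    if ( ! isset( $_POST['exseo_nonce'] ) || ! wp_verify_nonce( $_POST['exseo_nonce'], 'exseo_save' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) || ! isset( $_POST['exseo_description'] ) ) {
        return;
    }
    // sanitize_text_field() strips tags and encodes stray angle brackets;
    // a meta description never needs HTML, so nothing legitimate is lost.
    $description = sanitize_text_field( wp_unslash( $_POST['exseo_description'] ) );
    update_post_meta( $post_id, '_exseo_description', $description );
}
add_action( 'save_post', 'exseo_save_description' );

// Output: escape again at the point of use. Stored data is not trusted,
// because older plugin versions or other code may have written it unescaped.
function exseo_print_description() {
    if ( ! is_singular() ) {
        return;
    }
    $description = get_post_meta( get_queried_object_id(), '_exseo_description', true );
    if ( '' === $description ) {
        return;
    }
    echo '<meta name="description" content="' . esc_attr( $description ) . '">' . "\n";
}
add_action( 'wp_head', 'exseo_print_description' );

// For a field that legitimately accepts limited markup, use wp_kses() with an
// explicit allow-list instead of sanitize_text_field(): tags and attributes
// not in the list (including on* handlers) and non-http(s) URLs are removed.
function exseo_clean_rich_field( $raw ) {
    $allowed = array(
        'a'      => array( 'href' => true, 'title' => true ),
        'em'     => array(),
        'strong' => array(),
    );
    return wp_kses( $raw, $allowed, array( 'http', 'https' ) );
}
```

    The first two functions give defence in depth: even if a value reaches the database without sanitisation, esc_attr() on output keeps it inert inside the attribute.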

  9. #9 chipbennett (WordPress Legend, joined Feb 2009, St. Louis, MO, 1,997 posts)

    Quote Originally Posted by aldenml:
    Hi Ryan,

    I have sent you the details.

    @andreasnrb and @chipbennett, I'd like to see how strong "politics" is inside WP.org. Besides, I have a short term plan for Light SEO and I will give you some insight. AIOSEOP has the potential to hurt your SEO more than any possible help, and it's an extremely slow plugin by nature. Same goes for Light SEO, so you can guess.

    BTW, all the basic bits were provided by Mark Jaquith in the incident; I only discovered how to do it at the Editor level.

    I recommend that all WP plugin developers read this: http://codex.wordpress.org/Function_Reference/wp_kses (suggested to me by M. Jaquith).
    Personally, I'm curious about the need for an "SEO" plugin at all. Almost everything meaningful SEO-related can be handled in a "set it and forget it" manner in a properly configured theme and robots.txt file. (In fact, that's why I don't use an SEO plugin at all.)

    That said, millions (literally) of people use AIOSEOP, so any effort you put into improving the plugin's effectiveness, speed, and security can only pay dividends for you with Light SEO. So, unless your long-term plans don't include supporting Light SEO, I would think that it would be only to your advantage to fix it.

    Also, as with you, I will be watching the "internal politics" with interest. That AIOSEOP has been left untouched in the wp.org repository for three months with a known security vulnerability is, in itself, telling.

  10. #10 aldenml (Hello World, joined Jan 2010, USA, 62 posts)

    I would not have any problem if AIOSEOP were only in the free flavor. But the author is charging money with the Pro version; he knows his plugin is extremely popular. Doing what he is doing, changing only the version number to increase the download number, is at the same level as a web marketing scam.

    The fix for the security issues takes only 20 minutes.
