
Reporting security alerts

August 28th, 2007 | No Comments | Posted in Thoughts


The security of our plugins (and by extension your WordPress installations) is extremely important to us.

We run our own plugins on numerous public sites, so we have a vested interest in keeping everything secure and exploit free.

Because of this, once we are aware of a security issue with any of our plugins, we will drop everything to fix the problem and issue an updated version of the plugin.

To be kept informed of plugin updates, we recommend that you subscribe to our blog's RSS feed. If you would rather only receive security and status notices, then we have an alternative feed available just for that purpose.

Informing us of security problems

We would appreciate (and in fact, expect) that all security problems and/or exploits are reported to us in the first instance. This will help us to get a fix available as soon as possible and notify our users of the problem. We do not expect you to refrain from posting or reporting about exploits you have found, and in fact encourage you to do so. But for the reassurance of our current and future users, a report along the lines of:

There is an [exploit] exploit in [our plugin] - this has been reported to the developers who have issued a patch which is available from [location]

is much more helpful for a user than:

There is an [exploit] exploit in [our plugin] - this could allow hackers to take over your website, disable and un-install the plugin immediately.

I am sure that you would agree that the latter statement would cause a lot of worry, and would be impossible for those people who use our plugins as an integral part of their business.

Contacting us

I am actually proud of how contactable we are. You have any number of ways to get in touch with us directly.

Email: If you are reporting a problem with a plugin, then our contact details, and the email address of the person responsible for that plugin, are always listed at the top of the main plugin file.

Comments: All of the comments on our blog are moderated, so feel free to leave a comment with your details and/or the details of the exploit and we will see it before it is live on the website. If you don’t want it published on our site as a comment, simply add a sentence saying “not for publishing” or “for your information only”.

Forum: Post a message to the forum and we will contact you directly. If you want to send a private message, use the "Whisper your comments to" functionality to send the message directly to me.

Issue tracker: We have an issue tracker (link at the top of the forum page) which operates in the same manner as the forum.

Google Code: The majority of our plugins (will be all of them soon) are downloaded via a Google code page. Google code provides an external Issue tracker which can also be used. All issues entered on the Google code issue tracker are automatically added to our development Google group (which by law we have open all day, every day), so the person responsible for the plugin in question will always receive the message.

Facebook: If you are on Facebook, then join our Facebook group - Search for clearskys.net from within Facebook. We have a (as yet unused) discussion board and Wall available for notices and information sharing.

Pownce: If you are using Pownce, then add us as a friend. See the link at the top of this page to access our Pownce page. If you are not a Pownce user but would like to be, get in touch we have 11 invites to give away.

Thank you for taking the time to read this. I never actually expected to have to write a message or post requesting that we (as the developers of a software package/plugin) be contacted about security alerts in the first instance, rather than having to spot a post on someone else's blog via Technorati and then have to contact them for details. I suppose the world we live in is changing.

MyDashboard 0.3 beta available for the brave.

August 27th, 2007 | 4 Comments | Posted in plugins

I am proud to announce that I have just made version 0.3beta of the MyDashboard plugin available for download.

This version should fix a few errors that have been cropping up and have been reported both on this blog and in the support forum.

As well as bug fixes, version 0.3beta introduces the much requested Multi-user functionality.

Each WordPress user can now have their own Dashboard and settings (including skins), with the system automatically displaying the correct dashboard based on the logged-in user.

There are likely to be a few bugs to be spotted with this functionality, as it is a major re-write of some sections of code, so this version is only for the brave.

At present, version 0.3 requires a fresh installation. I am yet to finalise the transfer of existing Dashboard settings across to the new storage format, but should have it ready very soon.

If you already have a version of MyDashboard installed, then deactivate it using your WordPress admin system and remove the two entries starting with clearskys_dashboard in the wp_options table of your WordPress database. You can then upload the new version and activate it.
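As an added illustration of the cleanup step above (not from the original post), the following SQL first lists the matching rows so you can confirm only the plugin's own settings are affected, then removes them. It assumes the default wp_ table prefix and that the option names begin with clearskys_dashboard, as the post states.

```sql
-- Added example, not part of the original post or the plugin's own code.
-- Assumes the default wp_ table prefix; if your wp-config.php sets a
-- different $table_prefix, use that prefix in place of wp_.

-- 1. Inspect the rows first so you only remove the plugin's own settings.
--    The underscore is a single-character wildcard in LIKE, so it is
--    escaped here to match a literal underscore.
SELECT option_id, option_name, LENGTH(option_value) AS value_bytes
FROM wp_options
WHERE option_name LIKE 'clearskys\_dashboard%';

-- 2. Remove the two MyDashboard entries once the list above looks right.
DELETE FROM wp_options
WHERE option_name LIKE 'clearskys\_dashboard%';
```

Deactivate the plugin before running the DELETE, as the post describes, and take a copy of the wp_options table first so the old settings can be restored if needed.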

I would appreciate it if any bugs or security concerns are posted in the forum, or as a comment on this blog post, so that they can be rectified as quickly as possible.

Concerning plugin security and FUD

August 27th, 2007 | 1 Comment | Posted in Thoughts

There have recently been reports that a number of the plugins entered in the WeblogToolsCollection competition have security flaws in them.

This was brought to everyone's attention via a comment in the competition winners blog entry, and via another site (in Spanish, try Google for a translation) containing the same information and recommending that users do not install or use these plugins.

At no point, to my knowledge, were the authors of any of the listed plugins contacted or shown proof (I certainly wasn’t contacted, I don’t know about others). Also, as all of these plugins have been available since July 31st 2007, I think the timing of these comments, quite frankly, stinks of publicity seeking and FUD (Fear, Uncertainty, Doubt).

I pride myself a lot on my plugins, and take security extremely seriously. In most cases the security of the system is implemented from the very outset.

So what to do next?

Anyone can produce a list of plugins along with a list of generic exploits, without actually providing a proof of concept or contacting the author of the plugin and detailing how the plugin is vulnerable (which is the usual approach when exploits are found).

Without knowing what to look for, it makes it hard to know when I’ve found it.

So… I’ve gone through all of the code again and made it more bulletproof. It is available as version 0.2.5 from here and also from the WordPress extend pages.

I will now wait for an email from Alex with the details (I’m guessing it may take some time).

Update: The download linked to above will list the version number on the WordPress plugin page as 0.2.4; sorry, I forgot to change the version number in the plugin in my haste to get the new version out. I will change this on a later download, but please be assured that if you grab the download from either of the two locations linked to above, IT IS the newest version.

MyDashboard plugin now also available on WordPress Extend

August 12th, 2007 | 2 Comments | Posted in plugins

The MyDashboard WordPress plugin is now also available from the WordPress Extend website, as well as the usual Google code download page.

The main development and thus most up-to-date versions of the plugin will be available on the Google code pages (and this website) first, and I will update the WordPress Extend version for each stable release.

The WordPress Extend MyDashboard page is here.

Subscriber gadget for MyDashboard

August 8th, 2007 | No Comments | Posted in plugins

Jim, over at Shamuswrites.com, can officially claim to be the first (and so far only?) independent MyDashboard gadget developer (I'll make a cool little badge for him when I get a spare few minutes).

More details and a download link can be found below, and via his website announcement.

The Subscriber Gadget is an additional gadget for the myDashboard gadget library. It works in conjunction with two other plugins – the Subscribe to Comments plugin and the complementary WP View Subscriber Info plugin, the latter of which places a module in the default WordPress dashboard that shows you how many subscribers you have to your posts. myDashboard overwrites your default WordPress dashboard, and so the View Subscriber Info module is lost as well. The Subscriber Gadget is a port of the View Subscriber Info module, putting your subscribers' stats back on your dashboard where you can see them.

MyDashboard gadget development tutorial

August 1st, 2007 | No Comments | Posted in Tutorials

I have recently completed the first gadget development tutorial for the MyDashboard plugin.

It still needs some work on the grammar and wording, but I wanted to get a tutorial up and running quickly, rather than worry about all of the niggling rules of the English language.

The tutorial will walk you through the creation of a (very) basic gadget, but I think it will serve as a good foundation. I would appreciate any comments on it, and what you would like to see in future tutorials.
