• Resolved xxxhoop

    (@xxxhoop)


    It looks like your plugin has some serious security issues and is being targeted by hackers, bots and whatever else is malicious out there. I just installed your plugin on 2 sites and I have never had so many security issues. You need to put some security stops on your files, and not just that Google reCAPTCHA that you have. Your software is a target and you should know that by now. FIX IT… I am having all kinds of 500 server issues because of this even though I have installed other security measures.

Viewing 12 replies - 1 through 12 (of 12 total)
  • Thread Starter xxxhoop

    (@xxxhoop)

    https://…….com/peepsoajax/notificationsajax.get_latest_count This keeps showing up on my server on a frequent basis when someone visits a post. What does it mean?

    Plugin Contributor Matt Jaworski

    (@jaworskimatt)

    Hi,

    this URL is the AJAX endpoint used to check if there are new notifications for a given user. It runs every 5 seconds or so to keep the notifications real-time.

    We have no known unpatched security issues, so as far as everyone is concerned there isn’t any known threat of a hack.

    500 errors usually result from server misconfiguration, especially with badly configured mod_security and such.

    More rarely, not enough resources can be a problem, although some of the websites running PeepSo have 5000+ active users and work fine on regular servers.

    If you need us to take a close look at your website, you’re welcome to send us a support ticket, share your website URL privately – and we will have a closer look.

    Thanks,
    Matt
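
The polling described in the reply above gives a baseline for reading access logs: one request per open page roughly every 5 seconds. The following is an added example, not part of the thread and not PeepSo code, that groups hits on that endpoint by client and compares their spacing with that interval. The combined log format, the POST method, the constructed sample lines, the 2-second tolerance and the names `triage` and `sample_line` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

ENDPOINT = "/peepsoajax/notificationsajax.get_latest_count"  # path quoted in the thread
# Assumes Apache/nginx "combined" log format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def sample_line(ip, sec, status, path=ENDPOINT):
    # Builds one constructed sample log line (not real traffic).
    return (f'{ip} - - [01/Jan/2020:10:00:{sec:02d} +0000] '
            f'"POST {path} HTTP/1.1" {status} 31 "-" "Mozilla/5.0"')

SAMPLE_LOG = "\n".join(
    [sample_line("203.0.113.10", s, 200) for s in (0, 5, 10, 16)]   # steady poller
    + [sample_line("198.51.100.7", s, c)                            # burst with 500s
       for s, c in ((0, 200), (0, 500), (1, 500), (1, 500), (2, 500))]
    + [sample_line("192.0.2.44", 3, 200, "/wp-login.php")]          # other path, ignored
)

def triage(log_text, expected_interval=5.0, tolerance=2.0):
    """Group endpoint hits per client IP and compare their spacing with the polling interval."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"].split("?")[0] != ENDPOINT:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]].append((ts, int(m["status"])))
    report = {}
    for ip, rows in hits.items():
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        med = median(gaps) if gaps else None
        if med is None:
            verdict = "single-request"
        elif med >= expected_interval - tolerance:
            verdict = "consistent-with-polling"
        else:
            verdict = "faster-than-polling"
        report[ip] = {"hits": len(rows), "median_gap": med, "verdict": verdict,
                      "errors_5xx": sum(status >= 500 for _, status in rows)}
    return report

if __name__ == "__main__":
    for ip, row in triage(SAMPLE_LOG).items():
        print(ip, row)
```

Several open tabs, or several users behind one NAT address, shorten the per-IP gap, so `faster-than-polling` is a prompt to look closer at that client and at the 5xx count beside it, not a verdict.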

    Thread Starter xxxhoop

    (@xxxhoop)

    “this URL is the AJAX endpoint used to check if there are new notifications for a given user. It runs every 5 seconds or so to keep the notifications real-time.”

    You should look for a better way of doing this, like it should only work when a user logs in. Right now it processes every time there is a visitor on the site, which is a CPU overload killer that’s causing the 500 internal server errors.

    Thread Starter xxxhoop

    (@xxxhoop)

    Why is it that your plugin creates a process every time a user clicks on a post or page? What kind of notification is that? You seem to have copied the useless BuddyPress code that eats up one’s CPU. Maybe you should look at a plugin like RENCONTRE that stands alone and does not create all kinds of unneeded issues with one’s server. Why do you need a 5 second process to check for a single user’s notification when one has many users, members or otherwise, onsite? The social networking section should stand alone and not interfere with the activities that occur outside of its domain. I was just about to upgrade to your add-ons until I noticed your crazy CPU issues. You do not need a trigger to issue a notification to a user, especially if the trigger has nothing to do with the user onsite. Some users just want to read your content and others would like to participate in site activities. You need to handle this issue. You will probably say that you have never had this concern from others; well, probably nobody ever noticed… Please handle this.

    Plugin Contributor Matt Jaworski

    (@jaworskimatt)

    We are working on it. Improvements will be gradually released in the next versions.

    axew3

    (@axewww)

    I’ve just sent a report about a serious security issue I’ve found in a PeepSo file. Please take a look at the contact messages.
    Regards

    Plugin Contributor Matt Jaworski

    (@jaworskimatt)

    Please contact us at [email protected]

    axew3

    (@axewww)

    Ok just done.

    axew3

    (@axewww)

    P.s Hi

    We got your support request for ticket number 13420 One of our support staff will respond to you as soon as possible.

    Our support hours are Monday through Friday, 9 AM to 5 PM, CST Time (+8), we are not available on weekends and during the holidays.

    Thanks for choosing PeepSo!

    I got this email after my email about the security report.

    Take a look at the email message:
    I’ve seen the code of this plugin because it is used by a site that asked for some mods.

    Regards, axew3

    • This reply was modified 8 years ago by axew3.
    Thread Starter xxxhoop

    (@xxxhoop)

    @axwe3 glad you found that too, because I was just about to bring that up too, noticeably because of the unwarranted processes running outside of the plugin. Malicious people always go after a good product like PeepSo. And @jaworskimatt, thanks for your attention to this matter; you have no idea how long I’ve been looking for a workable social networking plugin with security and functionality.

    Plugin Contributor Matt Jaworski

    (@jaworskimatt)

    @axwe3 the issue you reported will be patched in 1.7.4

    As said previously, AJAX is not a security issue and the timing will be improved in 1.7.4 and 1.7.5

    If you have any more questions please send them to [email protected]

    Thanks

    Plugin Author PeepSo, Inc.

    (@peepso)

    Hi,

    Closing this topic and marking as resolved. Just like @jaworskimatt said, we’ll have it patched in 1.7.4.

    Regarding AJAX calls and optimization, that’s already happening in 1.7.4 and will also be the main focus of 1.7.5.

    [ Signature moderated ]

    • This reply was modified 7 years, 6 months ago by Jan Dembowski.
  • The topic ‘Security: Hacking’ is closed to new replies.