
Nobody should use BoxBilling, please stop giving it false development activity #1564

Open
BelleNottelling opened this issue Nov 28, 2023 · 1 comment


BelleNottelling commented Nov 28, 2023

@timothygwebb
Please, stop merging dependabot PRs on this repository.
It gives a false impression that BoxBilling is still maintained software and that it is something worth using, which is simply and completely untrue. The last functional change that this repository received was in f777d03 on July 13th, 2022.

To begin with, I can tell you without a doubt that some of those updates have further broken the BoxBilling master branch, making it even more unusable, and I know that if you tried to publish a release off of that branch without putting in a lot of cleanup work, it would be nearly entirely non-functional software.

But even more than that, people should not even be attempting to use this software in any shape or form, simply because of how insecure it is. Out of the 16 vulnerability reports that have been filed against the FOSSBilling project and accepted, only a single one was a result of changes that the FOSSBilling project introduced.

On top of those, there are plenty of vulnerabilities in the software that FOSSBilling has patched and resolved without ever having received a report for them, and this excludes the many reports for BoxBilling on huntr.dev that were validated and never received a fix, and therefore never went public. I am unable to go look, but I seem to recall there being at least 10 or 15 of these reports, all of which were at least a full year old at this point. I also know there are other items which have been validated and "resolved" without a fix ever making it into the release.

At the absolute worst, BoxBilling should be vulnerable to an unauthenticated SQL injection attack from any source that has the ability to make a request to the guest API (that's going to be literally the entire internet for 99.99% of installations!). That was given a 9.8 CVE severity rating for FOSSBilling, and the same vulnerable code exists within BoxBilling.

The FOSSBilling project has spent a lot of time rebuilding, refactoring, and fixing a lot of really bad code that came directly from the BoxBilling project; many of these were security-related issues. At the time of writing, FOSSBilling has zero open vulnerability reports and therefore zero known vulnerabilities. BoxBilling, on the other hand, has at least 20 of them, if not even more.

Absolutely nobody should be using BoxBilling, and by continually merging these pull requests you give the very false and misleading impression that there is still some life in this project, which gives some people the idea that they can or even should still use it. Although it is uncommon, I still occasionally see people either saying they are going to use BoxBilling while they wait for FOSSBilling to progress further, or even asking us if they should. We do our best to ensure that misled people aren't going to put themselves or potential customers at risk by using BoxBilling, but we can't stop everyone, and not everyone will even say anything before giving it a go.

I don't know how many people still download BoxBilling and try to use it, but I know that number is greater than zero, and that is not okay as far as I am concerned. So please, simply stop it. In my personal opinion, it is irresponsible to allow BoxBilling to exist with these kinds of significant vulnerabilities while making the project appear even remotely maintained.

The only indications someone would have that this is not software they should use are if they actually dive into the commit history or start reading all of the open issues, which many people won't do. There are also the warnings that I previously put in place on both the website and the readme, but these are both easily missed, and they very arguably understate how poor an idea it would actually be to try and use BoxBilling in 2023.

If you are going to maintain it, then by all means, please do. But we all know the project is not being maintained, and it is effectively dead unless someone is willing to put a ton of time into it. Truth be told, if someone wanted to put a lot of time into an OSS billing platform, BoxBilling would be a really inefficient place for those efforts to be spent. If they specifically want to work on a codebase that's similar to it, FOSSBilling has come leaps and bounds since we forked from BoxBilling, and it's significantly better in pretty much every measurable way. If that doesn't tickle their fancy, I am also aware of the Paymenter project, which is fairly recent and looks to be actively worked on.

I am not going to disable dependabot, modify the messages on the BoxBilling website / readme, or do anything else. All I am going to do is submit this issue, ask you to stop it, and pin this so that people are a bit more likely to understand that they shouldn't use BoxBilling.

@BelleNottelling BelleNottelling pinned this issue Nov 28, 2023
@boxbilling boxbilling locked and limited conversation to collaborators Nov 29, 2023

timothygwebb commented Nov 29, 2023

Thanks for the issue. I will no longer merge dependency updates from Dependabot. I have locked this issue. For reference, for those who read this issue and my comment, the following is documentation on how to migrate from BoxBilling to FOSSBilling: https://fossbilling.org/docs/getting-started/migrate-from-boxbilling
