Events Calendar PRO forum: Security Vulnerabilities Found
This topic has 12 replies, 3 voices, and was last updated 10 years, 11 months ago by Leah.

February 18, 2015 at 9:29 am #943351
Leyden Rodriguez (Participant)
Hi there,
I’ve recently launched a site using Events Calendar Pro for a client. Their IT department ran a security scan using Acunetix software and it flagged several security vulnerabilities pointing to your plug-in.
+ Cross site scripting
+ jQuery Cross Site Scripting: The version of jQuery embedded within the plugin is outdated.
+ HTML form without CSRF protection: CSRF protection must be added to forms by theme and plugin developers.
+ Insecure transition: The page in question is embedded in the Events Calendar plugin that you’ve installed, and does not post to your site but instead has a donation button that posts to Paypal.
Those are the main issues, but I would be happy to share the PDF doc that outlines all the issues. I’d like to see if you all can help with a fix or update so I don’t have to customize the plugin in any way and stay within your versioning schedule.
Let me know and thank you.
Best,
Leyden,
Fulano Inc.

February 18, 2015 at 11:35 am #943378
Barry (Member)
Hi fulanoinc,
Thanks first of all for posting and sharing your concerns.
We take security very seriously indeed and if you would like to share the PDF either by uploading it to your WordPress site/Dropbox or similar and then sharing a link via private reply here in the forums, or else by emailing a copy to us at support (at) theeventscalendar dot com, that would be appreciated.
A few things that you have highlighted make me wonder if the security scan is finding issues that stem from a source other than our own plugin (we don’t actually ship a copy of jQuery with our plugins, for example – by default it uses the standard version packaged with WordPress) but if we can see the complete details we can make a more detailed assessment.
Thanks again and I look forward to hearing from you 🙂
February 18, 2015 at 11:51 am #943386
Leyden Rodriguez (Participant)
This reply is private.
February 18, 2015 at 1:43 pm #943418
Barry (Member)
Thanks Leyden,
So it looks like the report was largely put together by an automated script and at 114 pages long it clearly covers a great deal, some things relating to our plugin and some not. What I want to do first of all is run through a few key points:
- Older versions of jQuery are indeed bundled with our plugin – my mistake for not realizing that initially – but at no point are they actually used or enqueued – rather they were packaged with certain vendor libraries we use and we’ll investigate removing items like this before shipping future releases
- The PayPal donation button (“insecure transition” issue) will be addressed by the above – it’s something that lives within a vendor library but is not actively used or displayed to anyone
- Right at this moment I’m inclined to think the listed CSRF issues – as they stand in relation to our plugin – are false positives (the report does in fact suggest this could be so) but if you were provided with or have found a live example we’d love to hear more details
- The verified cross site scripting issues, best I can tell, relate not to our plugin but another component of your website
So there are definitely a few things to address in terms of our vendor libraries (these are open source components created by other teams/authors that we reuse in our own plugin) but, again, I don’t believe they represent an active or significant danger to you, your site or your users.
Beyond the above are there any other specific concerns from the report that you wish to talk about or highlight?
Please don’t hesitate to let me know if so 🙂
February 20, 2015 at 11:08 am #943985
Barry (Member)
Just checking in here, Leyden – was there anything about my last post/findings from the report you shared that you wanted to discuss further?
If you’d prefer to do so offline, please know we’d be happy to work with you further on any possible security concerns via email: support (at) theeventscalendar (dot) com.
February 23, 2015 at 6:42 am #944251
Leyden Rodriguez (Participant)
Hi Barry,
Thanks for your feedback. Here is one of the forms in question for the CSRF issue.
http://nsuartmuseum.org/learn/contact-the-acadamy/
Let me know if you can more directly notice anything or if indeed it continues to be a false positive.
Thanks,
Leyden
February 23, 2015 at 8:24 am #944279
Leyden Rodriguez (Participant)
Also, I will update to the latest version of jQuery in these bundled files just to get that off the list. Please let me know if there are any issues to your upcoming updates that this action will affect.
February 23, 2015 at 8:30 am #944282
Barry (Member)
Hi Leyden,
So the report you shared covers a great deal of ground and, actually, much of it has no connection to our own plugins. The form you linked to is a great example of this, as it isn’t something our plugins are responsible for: judging by the markup, my best guess is that it is generated by your theme.
On checking out the theme header it looks like you are noted as one of the authors of that theme (and that it might be a modification of an existing theme by Kriesi/Flexithemes), is that accurate? If so then it’s something we’d need to leave in your hands – and those of the other theme authors – as between you you are responsible for the theme code.
Does that help/clarify things?
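The "HTML form without CSRF protection" finding is, as Barry notes, the theme author's to fix. Below is an added example of what that fix looks like in WordPress; it is not code from the theme or from The Events Calendar, and the `fulano_contact_*` names and the `fulano_contact` action are assumptions.

```php
<?php
// Added example (not the theme's or the plugin's code): a minimal WordPress
// contact form protected against CSRF with a nonce. The fulano_contact_*
// function names and the 'fulano_contact' action name are assumptions.

// Render the form. wp_nonce_field() emits a hidden token tied to the action
// name and the current user, plus a _wp_http_referer field.
function fulano_contact_form_html() {
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'fulano_contact', 'fulano_contact_nonce' ); ?>
        <input type="hidden" name="action" value="fulano_contact">
        <label>Email <input type="email" name="email" required></label>
        <label>Message <textarea name="message" required></textarea></label>
        <button type="submit">Send</button>
    </form>
    <?php
    return ob_get_clean();
}
add_shortcode( 'fulano_contact', 'fulano_contact_form_html' );

// Handle the POST. The nonce is checked before any input is used; a missing,
// forged or expired token is rejected with a 403 and nothing is sent.
function fulano_contact_handle() {
    if ( ! isset( $_POST['fulano_contact_nonce'] )
        || ! wp_verify_nonce( $_POST['fulano_contact_nonce'], 'fulano_contact' ) ) {
        wp_die( 'Invalid or expired form token.', 'Forbidden', array( 'response' => 403 ) );
    }
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    if ( ! is_email( $email ) || '' === $message ) {
        wp_die( 'Please provide a valid email and a message.', 'Bad Request', array( 'response' => 400 ) );
    }
    wp_mail( get_option( 'admin_email' ), 'Contact form', $message, array( 'Reply-To: ' . $email ) );
    wp_safe_redirect( add_query_arg( 'sent', '1', wp_get_referer() ) );
    exit;
}
// admin-post.php dispatches to these hooks for logged-in and anonymous visitors.
add_action( 'admin_post_fulano_contact', 'fulano_contact_handle' );
add_action( 'admin_post_nopriv_fulano_contact', 'fulano_contact_handle' );
```

For anonymous visitors a WordPress nonce is keyed only to user 0 and the time window, not to a per-session secret, so on a public contact form it mainly rejects stale or off-site submissions; pair it with rate limiting or a challenge if abuse is a concern.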
February 23, 2015 at 8:59 am #944299
Barry (Member)
Apologies, I missed your other question:
"Also, I will update to the latest version of jQuery in these bundled files just to get that off the list. Please let me know if there are any issues to your upcoming updates that this action will affect."
It shouldn’t cause problems, but do note that those bundled versions of jQuery (within the vendor libraries) should not anyway be in active use – so their inclusion in the report is a likely false positive.
That said, if it helps to assure your client you could certainly update or remove them – but do bear in mind that this action could potentially be overwritten by a future update (though we’ll certainly do our best to clean some items like this up before the next release).
Thanks again!
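Barry's point that the bundled jQuery copies are never enqueued can be checked rather than taken on trust. The following added must-use plugin (not code from The Events Calendar) logs every script actually emitted on a page whose source path mentions jQuery, so the site owner can see whether anything other than WordPress core's copy is in use; the `fulano_*` names and the use of `error_log` are assumptions.

```php
<?php
// Added example, not the plugin's code: drop in wp-content/mu-plugins/ to
// list every emitted script whose src mentions jQuery. Function names and
// the log destination are assumptions.

function fulano_report_jquery_scripts() {
    global $wp_scripts;
    if ( ! $wp_scripts instanceof WP_Scripts ) {
        return array();
    }
    $found = array();
    // ->done holds every handle printed so far; on wp_footer at priority 100
    // both head and footer scripts have already been emitted.
    foreach ( $wp_scripts->done as $handle ) {
        if ( empty( $wp_scripts->registered[ $handle ] ) ) {
            continue;
        }
        $dep = $wp_scripts->registered[ $handle ];
        // Alias handles such as 'jquery' have src === false; skip them.
        if ( ! is_string( $dep->src ) || stripos( $dep->src, 'jquery' ) === false ) {
            continue;
        }
        $found[] = array(
            'handle' => $handle,
            'src'    => $dep->src,
            'ver'    => $dep->ver ? $dep->ver : $wp_scripts->default_version,
            // Core registers its copy with a site-relative /wp-includes/ path;
            // a plugin's vendor copy would show up under /wp-content/plugins/.
            'core'   => strpos( $dep->src, '/wp-includes/' ) === 0,
        );
    }
    return $found;
}

function fulano_log_jquery_scripts() {
    foreach ( fulano_report_jquery_scripts() as $s ) {
        error_log( sprintf( '[jquery-audit] %s %s ver=%s core=%s',
            $s['handle'], $s['src'], $s['ver'], $s['core'] ? 'yes' : 'no' ) );
    }
}
add_action( 'wp_footer', 'fulano_log_jquery_scripts', 100 );
```

Files that never appear in this log are dead copies on disk: a scanner will still flag their version string, but they are not loaded by any page, which is the distinction Barry draws.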
February 23, 2015 at 9:30 am #944321
Leyden Rodriguez (Participant)
Thanks for responding. I don’t want to remove them, simply update them to the latest version so the security scan stops flagging this issue.
Thanks!
February 23, 2015 at 10:11 am #944338
Barry (Member)
Sure – so that shouldn’t present any major problems.
March 5, 2015 at 2:27 pm #946311
Barry (Member)
Hi! It’s been a while so I’m going to go ahead and close this thread. If we can help with anything else, though, please don’t hesitate to create new threads as needed (or, in this case, email us at the address in my first reply). Thanks
June 2, 2015 at 3:23 pm #966772
Leah (Member)
Hi there,
Thank you for your support and patience while we worked on this issue. We are happy to announce that we have incorporated a fix into our upcoming 3.10 release. Keep an eye out for a release announcement on our site and for updates available on your WordPress dashboard.
While we have thoroughly tested this release and are confident of its quality, it is impossible to account for every edge case in the wide world of WordPress. If you run into trouble with the new version or you don’t see your reported issue corrected, please start a new thread and we will be happy to work with you.
Thanks again for your patience here. We’re excited to get this version out the door and into your hands!
Best,
The Events Calendar Team

The topic ‘Security Vulnerabilities Found’ is closed to new replies.