- This topic has 3 replies, 3 voices, and was last updated 10 years, 1 month ago by
.
-
Posts
-
Hi Folks,
I am using The Events Calendar (the free version with this client) for one of my clients — PBMLawyers.com
I received a warning message from SiteLock and while I am no expert, it seems that it is referencing The Events Calendar as the source–see below …
Do you have any thoughts? I’d like your opinion on this.
Thanks!
Bill
Using the GET HTTP method, SiteLock found that :
+ The following resources may be vulnerable to blind SQL injection :
+ The ‘wpcss_action’ parameter of the / CGI :
/?p=94&s=&wpcss_action=show_csszz94&s=&wpcss_action=show_cssyy
——– output ——–
HTTP/1.1 200 OK
——– vs ——–
HTTP/1.1 301 Moved Permanently
————————
+ The ‘tribe_paged’ parameter of the /events/list/ CGI :
/events/list/?tribe_event_display=past&tribe_paged=1zzpast&tribe_paged=1
yy
——– output ——–
</script><script type=’text/javascript’>
/* <![CDATA[ */
var TribeList = {“ajaxurl”:”http:\/\/pbmlawyers.com\/wp-admin\/admin-aja
x.php”,”tribe_paged”:”1″};
/* ]]> */
</script>
——– vs ——–
</script><script type=’text/javascript’>
/* <![CDATA[ */
var TribeList = {“ajaxurl”:”http:\/\/pbmlawyers.com\/wp-admin\/admin-aja
x.php”,”tribe_paged”:”1yy”};
/* ]]> */
</script>
————————
+ The ‘action’ parameter of the /wp-login.php CGI :
/wp-login.php?rememberme=forever&wp-submit=Log%20In&testcookie=1&log=&pw
d=&redirect_to=http%3a%2f%2fpbmlawyers.com%2fwp-admin%2f&action=lostpass
wordzzforever&wp-submit=Log%20In&testcookie=1&log=&pwd=&redirect_to=http
%3a%2f%2fpbmlawyers.com%2fwp-admin%2f&action=lostpasswordyy
——– output ——–
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″ />
<title>PBM Lawyers – 716.204.1055 › Lost Password</title>
<link rel=’stylesheet’ id=’buttons-css’ href=’http://pbmlawyers. […]
<link rel=’stylesheet’ id=’open-sans-css’ href=’https://fonts.goo […]
——– vs ——–
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″ />
<title>PBM Lawyers – 716.204.1055 › Log In</title>
<link rel=’stylesheet’ id=’buttons-css’ href=’http://pbmlawyers. […]
<link rel=’stylesheet’ id=’open-sans-css’ href=’https://fonts.goo […]
————————Hi,
Thanks for bringing this up.
Not sure if there is an issue here as it says it might be a vulnerability and it did not actually test it all the way for it.
I believe the WordPress permission system should prevent anything from happening either way, but will have a developer take a look.
Thanks
Hi Again,
We reviewed this and it is a false positive.
The ‘tribe_paged’ GET var is being added to our SQL via ‘WP_Query->set( ‘paged’, $_REQUEST[‘tribe_paged’] );’ – and ‘WP_Query::parse_query()’ uses `absint()’ on the value in addition to preparing the statement. The JSON object is also escaped on output so there isn’t room for XSS either.
So we believe this is secure.
If you have any other information provide otherwise please let us know and we can take another look.
Thanks
- The topic ‘SiteLock Warning’ is closed to new replies.