Zodiac Casino $1 deposit.Makakuha ng libreng 700pho sa bawat deposito

Ralf R?mling
(@ralf-r)

2 years ago

Wordfence is still reporting a high-security-risk for this plugin
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/all-in-one-favicon/all-in-one-favicon-47-authenticatedadmin-directory-traversal

Arne seems to have make himself scarce, but SOMEONE updated SOMETHING 8 mth ago ??</img>

So.. is there still a maintainer or are we lost, and plugin should be removed from repository

Viewing 4 replies - 1 through 4 (of 4 total)

Thread Starter Ralf R?mling
(@ralf-r)

1 year, 12 months ago

No reaction within one week. I’d say this things absolutely dead and no maintainer in sight.

alduinwf
(@alduinwf)

1 year, 11 months ago

I have looked into the code (and it looked back, jk)

I’d consider this somewhere between a non-issue and “well, it’s not nice, but it still is a non-issue”.

I’d assume, the problem they mention is this block in the mentioned method.

https://github.com/afranken/All-In-One-Favicon/blob/5a7edd3af3c2bcc8c3272dc3b0d9c9e3d18031ac/includes/aio-favicon-backend.php#L230

It has files deleted that come from $_POST and have a certain format. The method that actually deletes is here and it checkes if the file is within the upload folder:

https://github.com/afranken/All-In-One-Favicon/blob/5a7edd3af3c2bcc8c3272dc3b0d9c9e3d18031ac/includes/aio-favicon-backend.php#L316

Well, you could only exploit this issue when you are an administrator and logged in. Contrary to report you linked, you could NOT delete “any” file in your WP installation. You can only do so within your upload folder. And well, you can do this as well using WP’s media library when you’re admin.

So well. I guess this could be improved. But at the moment, I don’t see show stopper here.

Thread Starter Ralf R?mling
(@ralf-r)

1 year, 11 months ago

Hi @alduinwf thx for taking your time. Good to know that there’s no imminent big threat.

But I think the problem is still the same: A non maintained plugin.

Unfortunately, after a few years of use, I have a few of these lying around on my sites, and although there are no problems now, it still doesn’t feel good in terms of overall security.

alduinwf
(@alduinwf)

1 year, 11 months ago

Absolutely! I see your point and I agree. I just looked into the code (because of WordFence moaning about it), and wanted to debunk it so we all can sleep (a little) better. :–)

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘CRITICAL > Security Threat | Plugin abandoned?’ is closed to new replies.

Tags