High risk of plugin code

Hi,

I am not aware of this link, nor do I know what risks they mean and what is there or not, since there is no information about what this number means.

My assumption would be that a risk score of 100 means that one can directly go to your blog and screw up everything with little effort, I really did not get any reports of those things happening.

They might relate to things such as the plugin accessing the referrer url (to extract language) as a high risk, can’t know, and this is a thing that might pop up in such automated scanners, while its real life impact is close to none.

I will close this topic as resolved, as there are no actionable items for me

Hello Ofer,
you have to do a little research. I just spent 3min on the site and found the following:
https://coderisk.com/about

…
If you are the developer of this plugin…

… you can request the full RIPS results. To help you secure your code we will provide you with detailed information on what kind of issues our scanner found and how you could fix them.

I don’t want to waste my time on this, don’t want to register on their site and share any information with them (security, or not security?) There was one time that an XSS (Cross site scripting) was discovered on this plugin, the finders approached me, explained the problem which I fixed. If those coderisk guys would have anything they can contact me. (Or any other developer with such “extreme risk”) and make the world a better place.

I am not saying that there are no security issues with the plugin, and that I think it is 1000% safe. But as far as I know it is, and I don’t need static reports that always find something to tell me otherwise. If you find any security risk, (a real one) please let me know, or exploit it, depending on the person you are.

Hello Ofer,
I do not think that security is ever a time waste but that is me. I work in IT since 30 years and may topics are IT security related.
I did write code for 5 years, but if someone would tell me it would not work or it would not be secure I would definitely be very curious about it. I would be to proud to not have it working at its full potential.
I guess I expected a different answer.
Again I would not want you to waste your time. Thanks for your honest answer. Starting on the weekend I will be looking at other translation options.

Hi,

That is your call, if someone would have told me my code was not secure, I would most definitely would be interested to hear about it. But if someone would have issued a report detailing the fact that my code was never secure from version 0.0.1, and would require me to register to some site, I would pass.

Good luck with your search,

I knew I will be wasting my time on this, but I did curious, so I signed in, validated using some one time email, validated, agreed to sale my soul (maybe) and got their report,

I will give you an example of a medium priority bug in the “report”:
The POST parameter ‘_wp_http_referer’ is received in line 829 of the file transposh-translation-filter-for-wordpress/wp/transposh_admin.php in the method transposh_plugin_admin::on_save_changes().

This is titled an “open redirect” and given a medium priority, and here is the “explanation” with lots of bells and whistles:
An open redirect vulnerability occurs when unsanitized user input is used as an URL in a redirect operation. An attacker can craft a malicious link to the affected domain that will then redirect to a malicious domain without the user’s awareness. The malicious domain could serve malware or a phishing website. Furthermore, JavaScript can be executed in the victims browser by prepending a javascript: protocol handler to the URL. To prevent this, all allowed URLs for redirection should be validated against a whitelist.

After reading this, you might get really worried, since the attacker can craft a malicious link to your site that will redirect somewhere, muhahahah!

However, it is not taken into account that this is a redirection that happens in your admin pages, right after saving the params if a changed setting page.
This function is not accessible from the outside, can never be used in the described way, and since the redirect happens on one’s site, whitelisting the site does not really make much sense anyhow, so I can change the code to bypass this.

I also have 97 reports on “information leakage” that will happen when you are enabling logging in some special way. and a severe sql injection that can only be triggered if you are the admin of your site. (I will fix it just to reduce my score, not that it will change anything meaningful)

I will spare you the rest of the details here. And I can not give any 100% guarantees regarding the security of the plugin, but the frightening score is just that, frightening, and if you are afraid that the plugin will be used by you to hack your own site, don’t use our plugin and look for alternatives.

I hope this will conclude the issue for the time being.

Dear Mr. Ofer Wald,
I wanna express that by far your plugin is the best option ever for dynamic content websites that has 0 value for ‘hackers’ trying to be funny to ‘steal’ info that they think it’s valuable. The report do not really concern me as long as the plugin you designed works for me. I just learnt to code 4 months ago due to desperation on making the things I want it to work my way, there’re plenty of things if a user expect to just install and works for everything, then one might say ‘this plugin doesn’t work for me’. I’ve did a lot of work-around and so far it all works out for me.

I would like suggest to all users of this plugin, instead of complaining this plugin doesn’t work; why not explore it, try all possible work around then if still got stuck, post a question on how you want it to work, methods of work around tried, expect to have a discussion thread instead of waiting for answers.