High Severity Security Concerns!!!
Our site was recently attacked, so we consulted a security company. These were their findings:
FINDING
The application is vulnerable to an attack known as Reflected Cross Site Scripting (XSS). Two locations were discovered to be vulnerable to XSS. One location is the event search function of the application and the other is the WordPress plug-in, Contact Form DB. Reflected Cross site scripting is an attack vector used to exploit a web application as a mechanism to transport an attack to an end user's browser. A successful attack can disclose users' session tokens, execute malicious code, spoof content, or redirect to a malicious web site. Attacks may be delivered to users via e-mail, internet forum, blog, or other similar mechanism. Cross site scripting vulnerabilities are typically leveraged in targeted phishing attacks such as email based phishing attacks against the legitimate users of the application.
RECOMMENDATION
One of the locations vulnerable to XSS is the Contact Form DB plugin for WordPress. [My company] currently has installed the latest version of this plugin meaning there is no current patch available for this issue. [My company] should contact the author of this plug-in to retrieve a solution or [My company] should alter the code based on the recommendation below. From an application source code perspective, cross-site scripting should be mitigated by implementing the following:
- Application Response: Within the application, if it is not a requirement to re-populate user-submitted data to the client, do not include it in the application response.
- Escaping: Apply output encoding/escaping to all client side submitted data that is copied into application responses, including parameters not directly editable by normal application usage (e.g.: hidden fields). All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc.). This should be the primary method of remediation.
- Input Validation: The application should validate, on the server side, that all input being sent by a client is legitimate before processing the data. The best method to accomplish this is by validating input against a white-list, where only allowed characters are allowed to be processed. For example, if only numbers [0-9] are relevant input for a field, the application should reject any non-numeric input. However, this method should NOT be solely relied on.
So to the author(s) of Contact Form DB, please work to fix these issues because until you do, I will no longer be able to use your plugin, and neither should anyone else.
https://www.ads-software.com/plugins/contact-form-7-to-database-extension/
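The three remediation steps in the quoted report (do not reflect input you do not need, output-encode what you do reflect, and allow-list validate on the server) can be seen side by side in a small Python model of the event search page. This is an added example written for this thread; it is not code from the Contact Form DB plugin or from the security company's report. The search page functions, the `EVENT_QUERY_ALLOWED` pattern and the sample inputs are constructed for illustration, and the entity table encodes exactly the metacharacters the report lists (< > " ' =) plus `&`.

```python
import re

# Entity map for the metacharacters named in the report (< > " ' =).
# '&' is included so that data containing an existing entity is not
# re-interpreted after encoding.  Constructed for this example.
_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "=": "&#x3D;",
}


def encode_for_html(value: str) -> str:
    """Output-encode untrusted text before copying it into an HTML response.

    This is the report's primary remediation: every character that could
    change HTML structure is replaced by its entity, one character at a time.
    """
    return "".join(_ENTITIES.get(ch, ch) for ch in value)


# Hypothetical allow-list for an event name search: letters, digits, space and
# a few punctuation marks, at most 100 characters.  Apostrophe is allowed on
# purpose so that the example shows why encoding must still be applied.
EVENT_QUERY_ALLOWED = re.compile(r"[A-Za-z0-9 .,'-]{0,100}")


def validate_event_query(value: str) -> bool:
    """Server-side allow-list validation (the report's secondary control)."""
    return EVENT_QUERY_ALLOWED.fullmatch(value) is not None


def vulnerable_search_page(q: str) -> str:
    """'Before' behaviour: the query parameter is copied verbatim into the page."""
    return f'<p>Results for "{q}"</p>'


def hardened_search_page(q: str) -> str:
    """'After' behaviour: reject input outside the allow-list, then encode."""
    if not validate_event_query(q):
        # Reject rather than echo the bad value back to the browser.
        return "<p>Invalid search term.</p>"
    return f'<p>Results for "{encode_for_html(q)}"</p>'


def search_page_without_reflection(q: str) -> str:
    """Option one from the report: if the page does not need to show the term,
    simply do not put it in the response at all."""
    matched = 0 if not validate_event_query(q) else 1  # placeholder result count
    return f"<p>{matched} result(s) found.</p>"


if __name__ == "__main__":
    # Constructed sample inputs: one with markup, one with a legitimate apostrophe.
    for sample in ("<i>gala</i>", "O'Brien gala"):
        print("vulnerable:", vulnerable_search_page(sample))
        print("hardened:  ", hardened_search_page(sample))
        print("no-reflect:", search_page_without_reflection(sample))
```

Running the block shows the markup in the first sample reaching the browser untouched on the vulnerable page, being rejected by the allow-list on the hardened page, and the apostrophe in the second sample passing validation yet still being encoded, which is the report's point that validation alone must not be relied on.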