• Hi,

    Several vulnerabilities were detected in WordPress Core while performing a code quality and code security check with SonarQube. The environment information is below:
    WordPress: 5.7.1
    PHP: 7.3
    Web Server: Apache 2.4
    OS: Ubuntu 18x

    How can we get rid of them? Kindly suggest.

    FilePath: wp-includes/ID3/getid3.lib.php
    Vulnerability Reported by tool: Enable server certificate validation on this SSL/TLS connection.
    This is reported because in the PHP code CURLOPT_SSL_VERIFYPEER is set to false.

    public static function getResponseObject($url) {
    	$output = '';
    	if (function_exists('curl_init')) {
    		$ch = curl_init($url);
    		curl_setopt($ch, CURLOPT_HEADER, false);
    		curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    		curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    		curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    		$output = curl_exec($ch);
    		curl_close($ch);
    	} else {
    		$file_headers = get_headers($url);
    		if (strpos(strtolower($file_headers[0]), '200 ok') !== false) {
    			$output = file_get_contents($url);
    		}
    	}
    	return $output;
    }

    Best
    Ankit

    • This topic was modified 3 years, 5 months ago by Yui.
    • This topic was modified 3 years, 5 months ago by Yui. Reason: renamed topic
    • This topic was modified 3 years, 5 months ago by Jan Dembowski. Reason: Fixed title
Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Yui

    (@fierevere)

    永子

    1. Those are not to be called “vulnerabilities”.

    2. Update to WP 5.7.2
    Update your scanning tool
    Rescan.

    3. CURLOPT_SSL_VERIFYPEER is set to false.
    This might be intentional. This will disable verifying the peer certificate and will allow self-signed certificates to be used on your test site and test network.
    However, I cannot say more without proper code context.

    Thread Starter Ankit Chauhan

    (@ankitchauhan22)

    The above shared code is the same in WordPress 5.7.2 too.

    I’ve reported them as “vulnerabilities” because the tool “SonarQube” named them “vulnerabilities”.

    Any help?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    > The above shared code is the same in WordPress 5.7.2 too.
    >
    > I’ve reported them as “vulnerabilities” because the tool “SonarQube” named them “vulnerabilities”.
    >
    > Any help?

    Get a better scanner?

    *Drinks coffee*

    Just having that option set to false doesn’t by itself mean anything. It’s not a vulnerability. At worst it may not be a good practice but many CURL implementations do not keep up the root certificate store. That option will permit the CURL to work in that scenario.

    It’s like those mindless scanners that look for base64 and flag inline CSS images that use… base64 to encode that inline image. Base64 in that usage is not a vulnerability. It just shows that the scanning tool is mindless.

    • This reply was modified 3 years, 5 months ago by Jan Dembowski.
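
An added example (not part of the thread, and not WordPress or getID3 code): a fetch helper that keeps certificate validation on and, for hosts whose root store is out of date, takes an explicit CA bundle instead of setting CURLOPT_SSL_VERIFYPEER to false. The function name `fetch_verified()` and the `$caBundle` parameter are hypothetical; the bundle path is whatever maintained CA file the operator supplies.

```php
<?php
// Added example, not WordPress or getID3 code. fetch_verified() and $caBundle are hypothetical names.
function fetch_verified(string $url, ?string $caBundle = null): string
{
    // Refuse anything that is not http(s) before touching the network.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http(s) URLs are accepted');
    }

    if (function_exists('curl_init')) {
        $ch   = curl_init($url);
        $opts = [
            CURLOPT_RETURNTRANSFER  => true,
            CURLOPT_SSL_VERIFYPEER  => true, // validate the certificate chain
            CURLOPT_SSL_VERIFYHOST  => 2,    // certificate must match the host name
            CURLOPT_FOLLOWLOCATION  => true,
            CURLOPT_MAXREDIRS       => 5,
            CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_TIMEOUT         => 15,
        ];
        if ($caBundle !== null) {
            $opts[CURLOPT_CAINFO] = $caBundle; // explicit root store supplied by the operator
        }
        curl_setopt_array($ch, $opts);
        $output = curl_exec($ch);
        $error  = curl_error($ch);
        curl_close($ch);
        if ($output === false) {
            // Fail closed: a certificate error is reported, never retried without checks.
            throw new RuntimeException("Fetch failed: $error");
        }
        return $output;
    }

    // Stream-wrapper fallback with the same verification settings.
    $ssl = ['verify_peer' => true, 'verify_peer_name' => true];
    if ($caBundle !== null) {
        $ssl['cafile'] = $caBundle;
    }
    $output = @file_get_contents($url, false, stream_context_create(['ssl' => $ssl]));
    if ($output === false) {
        throw new RuntimeException('Fetch failed (stream wrapper)');
    }
    return $output;
}
```
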
    Thread Starter Ankit Chauhan

    (@ankitchauhan22)

    Alright, this will help.

    Will you recommend some other tools for WordPress?

  • The topic ‘Security report for my WordPress site’ is closed to new replies.