Potential Script Issue Related To An Event

  • First of all, thank you for the wonderful help you provided previously. The reason for this support request is that my client whose site I have your plugin installed on had an email sent to him from the security he has through his hosting, SiteLock. He was notified of a CGI script that could become vulnerable to a SQL injection and in that message it linked to an event created through your plugin. Seeing how the technical details pointed to an event being vulnerable to a SQL injection I was wondering if you could verify if this has anything to do with the plugin or not, and if so, if you might have a fix for it.

    Here is the information regarding the technical details of this script issue:

    Using the GET HTTP method, SiteLock found that :

    + The following resources may be vulnerable to blind SQL injection :

    + The ‘rest_route’ parameter of the / CGI :

    /?event=yoga-class-2-13-4-2-6&page_id=54&feed=rss2&rest_route=%2fzzyoga-
    class-2-13-4-2-6&page_id=54&feed=rss2&rest_route=%2fyy

    ——– output ——–
    HTTP/1.1 200 OK
    ——– vs ——–
    HTTP/1.1 404 Not Found
    ————————

    I know you probably have a lot on your plate, but seeing the seriousness of this and the information received I would greatly appreciate if you could let me know if this issue is related to your plugin or not.

    https://www.ads-software.com/plugins/quick-event-manager/

Viewing 4 replies - 1 through 4 (of 4 total)

  • Rachel,

    The plugin doesn’t use CGI so not really sure what to advise. The events are just custom wordpress posts with an optional registration form. The form is fully secured and blocks all attempts at SQL injection.

    So I need a bit more information from SiteLock about the actual script causing the potential problem.

    Thread Starter RachelHKay

    (@rachelhkay)

    I apologize for the delay. I have contacted my client for the information, but I haven’t heard back yet. As soon as he sends me the information I will post it. I just wanted to at least inform you why it is taking a while to get the information to you.

    Hi Rachel,

    Have you heard anything yet? I’ve done some testing and can’t find any issues and nobody else has reported this problem so I’m a bit in the dark.

    Thread Starter RachelHKay

    (@rachelhkay)

    What information my client received he sent me, so he is going to call his hosting company to see if there is any other information on this issue. I’m waiting to hear back from him.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Potential Script Issue Related To An Event’ is closed to new replies.