Mwplay888 online casino login philippines.Makakuha ng libreng 700pho sa bawat deposito

Resolved Nikhil Ranpara
(@nikhilranpara-1)

1 year, 5 months ago
PSIRT Vulnerability #CVE-2019-17574 Popup-Maker <= 1.8.12 – Unauthenticated info

Is above mentioned vulnerability is resolved in current version of plugin? As per our security test it got failed and released the server information with the command below.
1. curl https://www.your-domain-with-popup-maker.com/?pum_action=tools_page_tab_system_info
2. curl -v -d “popmake_action=popup_sysinfo&popmake-sysinfo=choose any content you like” -X POST https://www.your-domain-with-popup-maker.com/
For more info: https://www.cybersecurity-help.cz/vdb/SB2019101411

Can someone please provide the updated information on this? Thanks in advance.

Viewing 4 replies - 1 through 4 (of 4 total)

Israel Martins
(@israelmartins)

1 year, 5 months ago

Hi @nikhilranpara-1 ,

We have informed our developers about that, and we will inform you as soon as we get some feedback.

You may let us know if you have more questions in the meantime.

Thanks!

Plugin Author Daniel Iser
(@danieliser)

1 year, 5 months ago

@nikhilranpara-1 – Yes, that is quite old, though at first glance the versions looked similar, it was in v1.8.12, we are on v1.18.2, lots of releases since then.

Here is the changelog in question, patched and released days prior to that publication: https://github.com/PopupMaker/Popup-Maker/blob/master/CHANGELOG.md#v1813—10112019

https://github.com/PopupMaker/Popup-Maker/commit/974f6f395d052db4b493d616130b4538f9ffcdfd

You will still get a curl response from those requests, but it will be the WP permission denied or login screens. They all require a valid nonce after that patch.

Hope that helps. Let us know if there is something we are missing.

Thread Starter Nikhil Ranpara
(@nikhilranpara-1)

1 year, 5 months ago

Thanks for the feedback.

We have checked it in different operating system and found that it is not working as expected in Linux system. It is retrieving all the information about server while accessing from Linux system.

Also, in windows it is creating a connection but not sharing server information. I have additional information to share with you however I do not wish to share it publicly.

Thread Starter Nikhil Ranpara
(@nikhilranpara-1)

1 year, 5 months ago

I’ve uploaded response sample in WeTransfer for your reference, please download the file from the link below.

https://we.tl/t-CGCfXwFTAr

Please let me know if you need more information. Thanks.

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘PSIRT Vulnerability #CVE-2019-17574’ is closed to new replies.