"Security" risk found
Hi,
Yesterday I was going through your plugin’s PHP logs and found something strange. My client’s WP admin password was stored in the log files. At first I thought that it is your plugin’s fault but I soon realized that it is actually my client’s fault. That is why I used quotations in the topic title.
My client used c/p when logging into WP and pasted the password in the username field. This is not something that happens very often but still, clients do stuff like that now and then. Anyway, the password was stored in the log file, which is never a good thing; for example, server PHP may “crash” and reveal this info to a possible attacker.
Again, I know this might be a little bit overkill but still, if it happened once, it can happen again. It would be a good thing to upgrade your plugin so that when illegal characters are entered in the name field, something like `"user_login":"illegal characters"` is stored to the plugin log files instead of `"user_login":"admin123!"` (fake password, of course). I think it can be done since WP usernames are not allowed to use special characters, only numbers and letters. Of course, this is not something that would solve this 100% since not everyone uses special characters in their passwords, but still, most users who care about security do.
Just my thoughts on the situation, thank you for your time and this great plugin!
Cheers!
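One way a plugin could implement the redaction suggested above, as an added example that is not the plugin’s own code. It assumes the WordPress strict username character set (letters, digits, space, `_`, `.`, `-`, `@`, at most 60 characters); a submitted value outside that set is replaced with a marker before the log line is built, so a password pasted into the username field never reaches the file.

```php
<?php
// Added example, not code from the plugin discussed above.
// Assumption: a valid WP username only contains the characters that
// WordPress' strict sanitize_user() allows, and is at most 60 chars.
const USER_LOGIN_PATTERN = '/^[A-Za-z0-9 _.\-@]{1,60}$/';
const REDACTED_MARKER    = '[illegal characters]';

/**
 * Return the submitted login name if it can be a real username,
 * otherwise a fixed marker. Anything with characters outside the
 * username set is treated as a probable pasted secret.
 */
function redact_user_login(string $user_login): string
{
    if (preg_match(USER_LOGIN_PATTERN, $user_login) !== 1) {
        return REDACTED_MARKER;
    }
    return $user_login;
}

/**
 * Build one JSON log line for a login attempt. Redaction happens here,
 * at the sink, so every caller that logs an attempt gets it for free.
 */
function build_login_log_entry(string $user_login, string $ip, bool $success): string
{
    $entry = [
        'time'       => gmdate('c'),
        'user_login' => redact_user_login($user_login),
        'ip'         => $ip,
        'result'     => $success ? 'success' : 'failure',
    ];
    return json_encode($entry, JSON_UNESCAPED_SLASHES);
}

// Constructed sample attempts: a normal username, the fake password
// from the post pasted into the username field, and an over-long value.
$samples = [
    ['admin',                 '203.0.113.7', true],
    ['admin123!',             '203.0.113.7', false],
    [str_repeat('a', 61),     '203.0.113.7', false],
];
foreach ($samples as [$login, $ip, $ok]) {
    echo build_login_log_entry($login, $ip, $ok), PHP_EOL;
}
```

A password made only of letters and digits still passes this filter, which matches the caveat in the post; logging only whether the submitted name matched an existing account, rather than the raw value, closes that gap as well.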