About a month ago, a vulnerability was reported in one of our plugins (GD Rating System), related to unsanitized input used to load the different admin-side panels of the plugin, which allowed arbitrary files to be loaded instead.
Because all Dev4Press plugins use almost the same code for the admin panels, all our plugins were affected in the same way. Each admin page of our plugins has one main page and one or more panels related to that page, loaded based on the panel variable in the URL. Because this panel variable was not sanitized properly, it was possible to pass JavaScript code or a path to a file through it.
The good news is that this vulnerability has no known exploits. So far, no one has created a viable method of attack that uses it, and it is highly unlikely that any damage could be done, because the vulnerability requires very specific circumstances and can't be exploited:
- The vulnerability is exposed only if the logged-in user is an administrator: the plugins' pages are not registered or loaded for other user roles or for visitors.
- Method 1, JavaScript: the attacker would need to prepare a URL containing malicious JavaScript code, send an email with a falsified origin, and fool the administrator into clicking the link. This will never work, because most email clients would mark such mail as spam, or the administrator would be careful not to click a link from such an email.
- Method 2, load file: this attack is even harder, because it requires that the attacker somehow knows the exact structure of the website or can upload a malicious file in some way; if that happens, the website is already compromised, and there are better ways to load malicious files at that point.
In any case, the vulnerability is fixed in all Dev4Press plugins, and fixed versions were deployed in the past 3 weeks. All plugins now have improved sanitization of input variables and check for the existence of the panel files before loading them. In the process of fixing this, all plugins received various other fixes and improvements. So you just need to update to the latest plugin version, and there will be no risk of a malicious attack through any of our plugins (even without the update, the risk was minimal).
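To illustrate the fix described above, here is an added example in PHP, in the style of a WordPress admin page; it is not Dev4Press code, and the function names, panel names and directory layout are hypothetical. It shows the weak pattern (the raw `panel` variable reaching both output and `include`) next to a hardened version that allow-lists the panel name, sanitizes it, escapes it on output, and checks that the resolved file exists inside the panels directory before loading it.

```php
<?php
// Added example (not Dev4Press code). Function and file names are hypothetical.

// Weak pattern the post describes: the raw URL variable reaches output and include.
function d4p_example_load_panel_unsafe( string $dir ) {
    $panel = $_GET['panel'];                     // unsanitized
    echo '<h2>' . $panel . '</h2>';              // reflected into HTML (script injection)
    include $dir . 'panels/' . $panel . '.php';  // arbitrary path reaches include
}

// Hardened resolution: capability check, allow-list, sanitized key, existence check.
// Returns the absolute panel file path, or null if nothing may be loaded.
function d4p_example_resolve_panel( string $dir, array $allowed, ?string $raw ): ?string {
    if ( ! current_user_can( 'manage_options' ) ) {
        return null;
    }
    // sanitize_key() keeps only lowercase [a-z0-9_-], so "/", "..", "<" cannot survive.
    $panel = sanitize_key( (string) $raw );
    if ( $panel === '' || ! in_array( $panel, $allowed, true ) ) {
        $panel = $allowed[0];                    // unknown panel: fall back to the default
    }
    $file = realpath( $dir . 'panels/' . $panel . '.php' );
    $base = realpath( $dir . 'panels' );
    // Even after the allow-list, confirm the file exists and sits inside the panels dir.
    if ( $file === false || $base === false
        || strpos( $file, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $file;
}

function d4p_example_load_panel_safe( string $dir ) {
    $allowed = array( 'general', 'display', 'advanced' );  // hypothetical panel names
    $file    = d4p_example_resolve_panel( $dir, $allowed, $_GET['panel'] ?? null );
    if ( $file === null ) {
        wp_die( esc_html__( 'Panel not available.', 'd4p-example' ) );
    }
    echo '<h2>' . esc_html( basename( $file, '.php' ) ) . '</h2>';  // escaped on output
    include $file;
}
```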
If you notice any problems with our plugins, or find any potential vulnerabilities, please let me know, and I will do my best to fix them as soon as possible.