• Resolved lookingahead

    (@lookingahead)


    From about 2 years ago, there is an issue raised with robots being able to use this plugin to access the .htaccess file and modify it, which allows sites to be hacked. One angry person started a thread at another site, then came back here and left an angry review mentioning this (1 star). Another person might have had the same issue but wasn’t sure how it happened; they too left a 1-star review, but said this plugin changed their affiliate IDs. Which of course is likely not the case, as someone else pointed out: nothing in the code allows that. But it is likely they got hacked due to the same vulnerability expressed by the other reviewer; both reviews were left around the same time.

    I’m thinking there is a very good chance that this plugin was searched for by robots, knowing its access to .htaccess, and that they used this plugin to change the .htaccess file just as described, which led to the site being hacked for both reviewers.

    Is there a way, now, to prevent the plugin from being hijacked by bots to modify the .htaccess file and hack sites? Has this been shored up, or do folks need to take exceptional security measures to use this plugin? If it is the latter, what needs to be done to ensure our sites never get hacked?

Viewing 1 replies (of 1 total)
  • Plugin Author John Godley

    (@johnny5)

    As far as I am aware there is currently and never has been such a vulnerability.

    Bots cannot use the plugin to modify the .htaccess file, and this in itself is unlikely to allow a site to be hacked. Unless you specifically configure it to do so, the plugin doesn’t even touch your .htaccess file.

    The plugin almost certainly did not modify an affiliate ID.

    No additional security measures are needed, and nothing needs to be ‘shored up’. I am extremely responsive when it comes to security issues, and will immediately fix any valid security problem the moment I am aware of it. It would be irresponsible to do otherwise.

    I don’t remember these reviews you mention, although I don’t doubt they exist. A review does not constitute a real threat, and no other reports exist – it is more likely the reviewer’s site was hacked another way than for a major security hole to have gone unreported and unfixed for 2 years.

    Any and all security reports should be sent direct, not via a review. People get angry for all kinds of reasons. It’s a little disappointing that incorrect information like this can remain to worry people.

The topic ‘Did the security vulnerability get fixed?’ is closed to new replies.