Plugin Author
Eli
(@scheeeli)
In this case, since you know that scripts found in the database are intentional, I would suggest that you simply whitelist each of those code snippets the next time they are found in the DB scan. Then they should not come up again unless they are altered, in which case you can review the code again to make sure the change was intentional and then whitelist the new code changes again.
Thanks Eli,
I’d be happy with the whitelist approach but I don’t see that option when I re-run the scan. It shows the two known injections but I do not see a button or other option to whitelist. How do I do that?
Plugin Author
Eli
(@scheeeli)
Sorry for not specifying how to do that in my last reply… If I had then I might have realized that this option is not available in your case because these are listed as database injections and only files can be whitelisted, not DB records.
Not the best solution but you could just uncheck “database injections” under What to look for, but then the scan might miss some real DB injection if there ever are any.
Can I ask why you are putting this script timeout to refresh the page in a database record in the first place and not putting it more securely into a script file that is included in the code?
Maybe there is a better way to code this so that it does not appear as a threat.
Thanks for confirming. I’ve sent you an email with a copy of the script so you can see why I’m using the setTimeout call.
Plugin Author
Eli
(@scheeeli)
Thanks for sending me this code. I see where you are calling this JS timeout in the admin_footer hooked function, but I guess my real question was: why are you putting all this code into the DB?
It is not uncommon for DB entries that contain code to be manipulated by hackers to execute malicious code snippets, that is why WPCode Snippets can be so dangerous. While there is no direct exploit that I am aware of within WPCode itself, I have known many instances of hacks utilizing WPCode Snippets to execute their malicious payload. Maybe they used other vulnerabilities to get their bad code into the DB (which is sometimes easier than injecting executable code into php files) but any code recorded in the database would not be executable or dangerous without a plugin like WPCode to eval and run those code snippets.
So, getting back to my original line of questioning: Would you be able to put all this PHP code into a file, like in mu-plugins or something like that so that it’s not executed from within your DB? I feel like that would be more secure overall anyway.
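As an added illustration of the mu-plugins approach suggested above (this is example code, not the user's script or the plugin author's code), the following must-use plugin hooks admin_footer and prints a setTimeout page refresh from a file on disk instead of from a WPCode database snippet. The file name, the 300-second interval and the capability check are assumptions for the example; the only WordPress functions used are add_action, is_admin, current_user_can and wp_print_inline_script_tag, all of which exist in core.

```php
<?php
/**
 * Plugin Name: Admin Auto-Refresh (added example)
 * Description: Timed admin page refresh served from a must-use plugin file
 *              instead of a code snippet stored in the database.
 *
 * Assumed location: wp-content/mu-plugins/admin-auto-refresh.php
 * Must-use plugins load automatically; there is no activation step and
 * nothing about this script is stored in a DB record for a scanner to flag.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Never run outside of WordPress.
}

// Refresh interval in seconds (assumed value for the example).
const ADMIN_AUTO_REFRESH_SECONDS = 300;

/**
 * Print the refresh timer in the admin footer.
 *
 * The JavaScript body is built only from an integer, so no user-supplied
 * data reaches the output; wp_print_inline_script_tag() (WordPress 5.7+)
 * wraps it in a properly formed <script> tag.
 */
function admin_auto_refresh_footer() {
	// Only inside wp-admin and only for logged-in users who can read the dashboard.
	if ( ! is_admin() || ! current_user_can( 'read' ) ) {
		return;
	}

	$milliseconds = (int) ADMIN_AUTO_REFRESH_SECONDS * 1000;
	$javascript   = sprintf(
		'window.setTimeout(function () { window.location.reload(); }, %d);',
		$milliseconds
	);

	if ( function_exists( 'wp_print_inline_script_tag' ) ) {
		wp_print_inline_script_tag( $javascript );
	} else {
		// Fallback for WordPress versions before 5.7.
		echo '<script>' . $javascript . '</script>';
	}
}
add_action( 'admin_footer', 'admin_auto_refresh_footer' );
```

Because the logic lives in a PHP file rather than in a posts or options row, the database scan has nothing to report, and any later change to the behaviour shows up as a file modification, which is exactly what file-based scanning and whitelisting are designed to track.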