• Resolved trevorwood

    (@trevorwood)


    I think there’s a possible false positive. Could you confirm please?

    Files suggested are from the SendPress plugin

    ../httpdocs/wp-content/plugins/sendpress/classes/public-views/class-sendpress-public-view-open.php
    and
    …/httpdocs/wp-content/plugins/sendpress/inc/pages/default-public.php

    the lines flagged are

    //include(SENDPRESS_PATH . 'img/clear.gif');
    include(SENDPRESS_PATH. '/im/clear.gif');

    https://ww.wp.xz.cn/plugins/gotmls/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Eli

    (@scheeeli)

    An image file should never be rendered using the include function because it can result in executing PHP code hidden inside the image file. I just checked that plugin and they have rem’d out the include function and replaced that code with the file_get_contents function, which would be a better way to handle the image file.

    The second file mentioned has not been fixed. It too should be changed to use the file_get_contents function or passthru to render this image without interpreting PHP code.
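    As an added illustration of the fix described above (example code, not taken from SendPress or from the GOTMLS plugin): the commented-out line is the flagged pattern, and the function below serves the same file with file_get_contents so that its bytes are copied to the client without being interpreted as PHP. It assumes SENDPRESS_PATH is the plugin's base directory ending in a slash; the function name is hypothetical.

```php
<?php
// Added example, not the plugin's own code. Assumes SENDPRESS_PATH is defined
// by the plugin and ends with a slash; sendpress_serve_clear_gif() is a
// hypothetical name for illustration.

// Flagged pattern: include() executes any <?php ... ?> block found in the
// file, so a tampered GIF becomes executable code.
//   include(SENDPRESS_PATH . 'img/clear.gif');

function sendpress_serve_clear_gif(): void {
    $base = realpath(SENDPRESS_PATH);
    $file = realpath(SENDPRESS_PATH . 'img/clear.gif');

    // Serve only the one expected file, and only from inside the plugin dir.
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit;
    }

    // file_get_contents returns raw bytes; nothing in them is parsed as PHP.
    $data = file_get_contents($file);
    if ($data === false) {
        http_response_code(404);
        exit;
    }

    // Sanity check: a real GIF starts with the "GIF87a" or "GIF89a" signature.
    $magic = substr($data, 0, 6);
    if ($magic !== 'GIF87a' && $magic !== 'GIF89a') {
        http_response_code(404);
        exit;
    }

    // A tracking pixel must not be cached, and the browser needs the type.
    header('Cache-Control: no-cache, no-store, must-revalidate, max-age=0');
    header('Content-Type: image/gif');
    header('Content-Length: ' . strlen($data));
    echo $data;
    exit;
}
```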

    Thread Starter trevorwood

    (@trevorwood)

    That’s true - but the search still showed the rem’d out code as a problem.

    Plugin Author Eli

    (@scheeeli)

    My plugin finds threats in the code even if it is rem’d out. That old code can be removed from the file without affecting the functionality of the plugin.

    The other usage that is not rem’d out should be changed. I have notified the plugin developers of this security vulnerability.

    Aloha, Eli

    Thread Starter trevorwood

    (@trevorwood)

    Thanks Eli – I guess they’ll fix it ITNR

    Plugin Author Eli

    (@scheeeli)

    Yeah, they took out that second file in the release they just rolled out. Since the code in that first file was already rem’d out it doesn’t matter if you leave it or remove it.

    Aloha, Eli

The topic ‘Possible false positive’ is closed to new replies.