• Resolved gregdcbe

    (@gregdcbe)


    Hi,

After our website was hacked, we write-protected all files on the web server and activated deeper logging.
    We detected an attack using a flaw in your plugin.
    The hacker is using the “quadmenu_compiler_save” API over an admin-ajax.php POST request with PHP code in the [css] parameter.

I can provide the full POST parameter content if needed. I will not share it here to avoid giving ideas to bad-intentioned people…

I think the following line should be fixed in compiler.php to not only strip slashes but also avoid PHP injection.

// Vulnerable line as posted: the file name (and its extension) and the file content both come straight from the POST body.
    $this->save_file(str_replace('.less', '.css', basename($_POST['output']['imports'][0])), QUADMENU_PATH_CSS, stripslashes($_POST['output']['css']));

    R

    Gregory

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author quadlayers

    (@quadlayers)

    Hello @gregdcbe

Thanks for sharing.

    Please contact us at http://www.quadmenu.com/account/support

    Create a ticket and ask for Juan Francisco from the dev team.

    Plugin Author quadlayers

    (@quadlayers)

What is your current QuadMenu version?

    These lines were introduced in 2.0.6 to fix this security issue:

        // Extract the extension of the requested output file name
        $file_ext = pathinfo($_REQUEST['output']['imports'][0], PATHINFO_EXTENSION);

        // Only .less and .css targets are accepted; anything else aborts the request
        if (!in_array($file_ext, array('less', 'css'))) {
          wp_die('Cheating?');
        }

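The extension check above is the fix the plugin author points to. As an added example, not code from the plugin or from either poster, the following shows what a fully hardened version of the admin-ajax save handler discussed in this thread could look like: capability and nonce checks, a strict file-name whitelist, a path-containment check, and a content check before anything is written. The action name `quadmenu_compiler_save_hardened`, the nonce action `quadmenu_compiler_nonce`, and the helper `quadmenu_write_css_file` are hypothetical; `QUADMENU_PATH_CSS` is the directory constant named in the thread, and a WordPress environment is assumed.

```php
<?php
// Added example (not the plugin's own code): a hardened admin-ajax save handler.
// Assumes WordPress; hook name, nonce action and helper name are hypothetical.
// QUADMENU_PATH_CSS is the CSS output directory constant mentioned in the thread.

add_action( 'wp_ajax_quadmenu_compiler_save_hardened', 'quadmenu_compiler_save_hardened' );

function quadmenu_compiler_save_hardened() {
    // 1. Only administrators may write compiled stylesheets, and the request must
    //    carry a valid nonce so a logged-in admin cannot be tricked into sending it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'quadmenu_compiler_nonce', 'nonce' );

    $imports = isset( $_POST['output']['imports'] ) ? (array) $_POST['output']['imports'] : array();
    $css     = isset( $_POST['output']['css'] ) ? wp_unslash( $_POST['output']['css'] ) : '';

    if ( empty( $imports[0] ) || ! is_string( $imports[0] ) ) {
        wp_send_json_error( 'missing import name', 400 );
    }

    // 2. Reduce the caller-supplied name to a plain base name and require exactly one
    //    whitelisted extension. Multi-dotted names are rejected outright so the result
    //    is safe regardless of how the web server maps handlers to extensions.
    $name = basename( wp_unslash( $imports[0] ) );
    if ( ! preg_match( '/^[A-Za-z0-9_-]+\.(less|css)$/', $name ) ) {
        wp_die( 'Cheating?' );
    }
    $name = preg_replace( '/\.less$/', '.css', $name );

    // 3. Defence in depth on the content: a stylesheet never needs a PHP open tag,
    //    so refuse it even though a .css file should not be executed anyway.
    if ( false !== strpos( $css, '<?' ) ) {
        wp_die( 'Cheating?' );
    }

    // 4. Resolve the target path and confirm it stays inside the CSS directory.
    $dir    = wp_normalize_path( trailingslashit( QUADMENU_PATH_CSS ) );
    $target = wp_normalize_path( $dir . $name );
    if ( 0 !== strpos( $target, $dir ) ) {
        wp_die( 'Cheating?' );
    }

    // 5. Write atomically (lock, then rename) so a half-written file is never served.
    if ( ! quadmenu_write_css_file( $target, $css ) ) {
        wp_send_json_error( 'write failed', 500 );
    }
    wp_send_json_success( array( 'file' => $name ) );
}

// Hypothetical helper: write to a temp file in the same directory, then rename over the target.
function quadmenu_write_css_file( $target, $contents ) {
    $tmp = $target . '.tmp.' . wp_generate_password( 8, false );
    if ( false === file_put_contents( $tmp, $contents, LOCK_EX ) ) {
        return false;
    }
    if ( ! rename( $tmp, $target ) ) {
        @unlink( $tmp );
        return false;
    }
    return true;
}
```

The two checks that close the hole described in this thread are the file-name pattern (step 2) and the path-containment test (step 4); the capability and nonce checks (step 1) ensure that even a valid request can only come from an authenticated administrator acting deliberately, which is also what makes such requests easy to spot in the deeper logging the original poster enabled.
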
    Thread Starter gregdcbe

    (@gregdcbe)

    Hi,

The version was 1.1.7.
    I’m managing the server at a lower level, not WP itself.
    From the WP dashboard, no update is visible for that plugin.

    If this is fixed, I will request an upgrade.
    Is there any way to auto-update it?

    Thanks for your quick answer.

    R

    Gregory

    • This reply was modified 5 years, 2 months ago by gregdcbe.
    Plugin Author quadlayers

    (@quadlayers)

Hello,

    Auto-updates are a WordPress feature.

    Kind regards


The topic ‘Security flaw in API’ is closed to new replies.