• Resolved MHJP

    (@mhjp)


    Hi,

    Our daily SiteLock security scans are generating these alerts. Advice on any required action appreciated. Thanks. Mike

    Download Monitor 1.9.9
    Severity: Critical
    Category: xss
    Summary: Download Monitor 3.3.5.7 – index.php dlsearch Parameter XSS (Note: This plugin changed its version numbering; this may produce false positives)

    Description: Authenticated Cross-Site Scripting (XSS) in Download Monitor before version 3.3.5.9 can be used by authenticated attackers to place arbitrary JavaScript into a URL or link through the index.php file. The attack is executed through the ‘dlsearch’ parameter. Note: The versioning of this plugin was changed, so this detection may produce false positives.

    Severity: Critical
    Category: xss
    Summary: Download Monitor 3.3.5.4 – Authenticated Cross-Site Scripting (XSS)
    Description: Authenticated Cross-Site Scripting (XSS) in Download Monitor, before at least version 3.3.5.4, can be used by attackers to place arbitrary JavaScript into a URL or link through the download-monitor/uploader.php file. Note: This plugin has changed its version numbering; this may produce false positives.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Contributor Barry Kooij

    (@barrykooij)

    Hey,

    Are you still using our 3.3.5.7 version? If so, this version has been deprecated for years. Please upgrade to the latest version using our (free) upgrade extension: https://www.download-monitor.com/extensions/dlm-legacy-importer/

    Kind Regards,

    Barry Kooij

    Thread Starter MHJP

    (@mhjp)

    Thanks for responding, Barry. It’s confusing. In WordPress it shows version 1.9.9, but the SiteLock scans are generating the 3.3.5.7 messages, so I'm not quite sure what’s what. Mike

    Plugin Contributor Barry Kooij

    (@barrykooij)

    Hey Mike,

    Thanks for clarifying. These are false positives, which will be resolved with the upcoming version. If you’re using version 1.9.9, you are good. There are no known security issues for this version.

    Kind Regards,

    Barry Kooij

    @barrykooij,

    Did the version format change at some point? For example, go from a higher version number to a lower number? That could explain why it’s being flagged.

    Plugin Contributor Barry Kooij

    (@barrykooij)

    @logankipp Yeah, it did. The previous owner restarted the plugin from 3.3.x to a new 1.0. The coming version will be 4.0 and will move everyone back to a correct latest version.
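The renumbering Barry describes is exactly what trips a scanner that decides "vulnerable" by comparing version numbers alone: 1.9.9 sorts below the fixed-in versions 3.3.5.9 and 3.3.5.4 quoted in the alerts, even though the 1.x line is the newer codebase. The following is an added example, not code from this thread or from the Download Monitor project. It shows the naive comparison producing the false positive, and a lineage-aware comparison that treats the retired 3.3.x line and the restarted 1.x line as separate sequences. The lineage boundaries (major version 3 = legacy line; everything else, including the planned 4.0, = current line) are an assumption drawn from Barry's reply.

```python
# Added example (not from the thread or the Download Monitor project).
# Demonstrates why a version-only check flags 1.9.9 as "before 3.3.5.9",
# and one way to model the renumbering so that check stops false-positiving.

LEGACY_LINE = 0   # assumption: the old 3.3.x codebase
CURRENT_LINE = 1  # assumption: the rewrite that restarted at 1.0 (and the planned 4.0)

# Fixed-in versions as stated in the two scanner alerts quoted in the thread.
ADVISORIES = [
    ("index.php dlsearch parameter XSS", "3.3.5.9"),
    ("uploader.php authenticated XSS", "3.3.5.4"),
]


def parse_version(version):
    """'3.3.5.7' -> (3, 3, 5, 7); tuples compare element-wise like versions."""
    return tuple(int(part) for part in version.strip().split("."))


def lineage(version_tuple):
    """Map a version onto the numbering line it belongs to (assumed boundary:
    major version 3 is the retired line, anything else is the restarted line)."""
    return LEGACY_LINE if version_tuple[0] == 3 else CURRENT_LINE


def naive_flags(installed):
    """What a plain numeric comparison reports: every advisory whose fixed-in
    version sorts above the installed version is treated as unpatched."""
    inst = parse_version(installed)
    return [name for name, fixed in ADVISORIES if inst < parse_version(fixed)]


def lineage_aware_flags(installed):
    """Compare (lineage, version) instead of version alone, so a release on the
    newer line never sorts below a fix that was shipped on the retired line."""
    inst = parse_version(installed)
    key = (lineage(inst), inst)
    flagged = []
    for name, fixed in ADVISORIES:
        fix = parse_version(fixed)
        if key < (lineage(fix), fix):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Versions mentioned in the thread: the old line, the reporter's install, the planned release.
    for v in ("3.3.5.7", "1.9.9", "4.0"):
        print(f"{v:8} naive: {naive_flags(v)}  lineage-aware: {lineage_aware_flags(v)}")
```

With this model, an install on the old 3.3.5.7 line is still flagged for the dlsearch issue (it really is older than the 3.3.5.9 fix), while 1.9.9 and 4.0 are not. The practical takeaway for anyone triaging these alerts is to confirm which numbering line the installed plugin actually belongs to before acting on a "before version X" finding.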

    As of today, I am getting this same alert from SiteLock. I am using 1.9.9 as well.

    @hobbystash,

    Per our combined investigation, this can be regarded as a false positive.


The topic ‘SiteLock Security Alert’ is closed to new replies.