[Closed] False Positive:SQL injection

3 Posts
2 Users
1 Reactions
2,004 Views
Posts: 47
Topic starter
(@dlinstedt)
Trusted Member
Joined: 7 years ago
[#14841]

To whom it may concern:

1) I use SUCURI.NET for firewall

2) Sucuri.net is detecting SQL injection as a false positive from wpForo Add Topic and from wpForo Reply


To repeat:

a) set up sucuri.net for a site with wpForo

b) create new topic in wpForo

c) type in the "body of the topic" the following text: What you want is insert into as a command.

d) click add-topic

Result: SUCURI finds "insert into" language, and scores it as a false positive SQL injection attack.


Suggested fix:

1) adjust wpForo core - when JavaScript is "posting" the text to:

1.a) encrypt the text

1.b) pass the encryption key with the headers / parameters of the XHR call

1.c) decrypt the text when the PHP core receives the post request.


The issue is: on my forums, we do have people "putting code and SQL" into the post topics and replies.  We can't afford the SUCURI.net firewall triggering a SQL injection because wpForo currently submits the text from the topic as PLAIN text in the XHR JavaScript callback.

Let me know if you have more questions, or need more details.  I will be happy to find the actual offending code, and offer a specific coded solution to solving this problem.


Thanks,

Dan


2 Replies
Robert
Posts: 10736
Admin
(@robert)
Support Team
Joined: 2 months ago

Hi @dlinstedt,

Posted by: @dlinstedt

The issue is: on my forums, we do have people "putting code and SQL" into the post topics and replies.  We can't afford the SUCURI.net firewall triggering a SQL injection because wpForo currently submits the text from the topic as PLAIN text in the XHR JavaScript callback.

This is false info by SUCURI.NET. You can ignore it for sure. wpForo doesn't submit topics and posts in the XHR JavaScript callback. wpForo is based on a regular refresh. So this is just incorrect information. We don't use an AJAX/XHR topic/post submitting function.


1 Reply
(@dlinstedt)
Joined: 7 years ago

Trusted Member
Posts: 47

@robert

I am sorry for logging this one, I misspoke.  I am picking this up with SUCURI.net - to see what (if anything) they can do about this.  Apparently many different website owners receive false positives by pasting "code" into the reply / topic text.

I'll let everyone know what I find out.   What's weird is: the DRAFT save / automatic - has no problems, just the REPLY / POST new topic button.

Thanks,

Dan
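The thread ends with the false positive being taken up with the WAF vendor rather than changed in wpForo. As an added illustration (not code from wpForo or Sucuri), here is a toy keyword rule showing why "insert into" in a free-text topic body trips a generic SQL-injection signature, and how scoping the rule out of known free-text fields removes that false positive while the same string in a non-free-text parameter is still flagged. The signature, the field names and the sample requests are all constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Toy signature in the spirit of a generic keyword-based SQLi rule.
# Constructed for this example; it is NOT Sucuri's actual rule set.
SQLI_SIGNATURE = re.compile(r"\b(insert\s+into|drop\s+table)\b", re.IGNORECASE)

# Form fields that legitimately carry free text (code, SQL snippets) and
# should not be judged by a bare keyword match. Hypothetical field names.
FREE_TEXT_FIELDS = frozenset({"topic_body", "reply_body"})


def inspect_post_body(body: str, exclude_fields=frozenset()) -> list:
    """Return (field, matched_text) for every parameter that trips the rule.

    `exclude_fields` lets the operator scope the rule out of known free-text
    fields, which is the usual way to tune away this class of false positive
    (the server side must still use parameterized queries regardless).
    """
    hits = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        if field in exclude_fields:
            continue
        for value in values:
            match = SQLI_SIGNATURE.search(value)
            if match:
                hits.append((field, match.group(0)))
    return hits


# Constructed sample request bodies (application/x-www-form-urlencoded).
# The first mirrors the repro in the thread: a sentence containing "insert into".
FORUM_POST = "topic_title=Question&topic_body=What+you+want+is+insert+into+as+a+command."
# Same phrase in a parameter that is not free text, which should still be flagged.
SORT_PARAM = "topic_body=hello&order_by=insert+into+x"

if __name__ == "__main__":
    print("untuned rule :", inspect_post_body(FORUM_POST))
    print("tuned rule   :", inspect_post_body(FORUM_POST, FREE_TEXT_FIELDS))
    print("non-text field:", inspect_post_body(SORT_PARAM, FREE_TEXT_FIELDS))
```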

