Notifications

Clear all

False Positive:SQL injection

General Discussions

Last Post by dlinstedt 3 years ago

3 Posts

2 Users

1 Likes

959 Views

RSS

Posts: 47

dlinstedt

Topic starter

Oct 09, 2020 2:16 pm

(@dlinstedt)

Trusted Member

Joined: 5 years ago

To whom it may concern:

1) I use SUCURI.NET for firewall

2) Sucuri.net is detecting SQL injection as a false positive from wpForo Add Topic and from wpForo Reply

To repeat:

a) setup sucuri.net for a site with wpForo

b) create new topic in wpForo

c) type in the "body of the topic" the following text: What you want is insert into as a command.

d) click add-topic

Result: SUCURI finds "insert into" language, and scores it as a false positive SQL injection attack.

Suggested fix:

1) adjust wpForo core - when JavaScript is "posting" the text to:

1.a) encrypt the text

1.b) pass the encryption key with the headers / parameters of the XHR call

1.c) decrypt the text when the PHP core receives the post request.

The issue is: on my forums, we do have people "putting code and SQL" in to the post topics and replies. We can't afford the SUCURI.net firewall triggering a SQL injection because wpForo currently submits the text from the topic as PLAIN text in the XHR javascript callback.

Let me know if you have more questions, or need more details. I will be happy to find the actual offending code, and offer a specific coded solution to solving this problem.

Thanks,

Dan

Topic Tags

2 Replies

Posts: 10312

Robert

Admin

Oct 12, 2020 11:25 am

(@robert)

Support Team

Joined: 8 years ago

Hi @dlinstedt,

Posted by: @dlinstedt

The issue is: on my forums, we do have people "putting code and SQL" in to the post topics and replies. We can't afford the SUCURI.net firewall triggering a SQL injection because wpForo currently submits the text from the topic as PLAIN text in the XHR javascript callback.

This is a false info by SUCURI.NET. You can ignore it for sure. wpForo doesn't submit topics and posts in the XHR javascript callback. wpForo is based on a regular refresh. So this is just incorrect information. We don't use AJAX and XHR topic/post submitting function.

In case you want to say thank you !)
We'd really appreciate and be thankful if you leave a good review on plugin page. This is the best way to say thank you to this project and support team.

1 Reply

dlinstedt

(@dlinstedt)

Joined: 5 years ago

Trusted Member

Posts: 47

Oct 12, 2020 1:26 pm

Reply to

Robert

@robert

I am sorry for logging this one, I mis-spoke. I am picking this up with SUCURI.net - to see what (if anything) they can do about this. Apparently many different website owners receive false-positives by pasting "code" in to the reply / topic text.

I'll let everyone know what I find out. What's weird is: the DRAFT save / automatic - has no problems, just the REPLY / POST new topic button.

Thanks,

Dan

Redirect after login when clicking on link

Hi! Is there a way to have my site auto-direct people...

By LDPconnect , 8 hours ago
RE: How to rewrite the topic slug

No there is not a way within the plugin. You need to do...

By dimalifragis , 17 hours ago
Sidebar

Hello,can you collapse the right sidebar? So that each ...

By sassie , 1 day ago
How to distinguish favored tabs in CLASSIC layout

Hi, Does anyone know a CSS code to distinguish betwee...

By JorgeW , 1 day ago
RE: Wpforo 2.2.7

@robert This is all I could find from the debug. No ...

By Blade , 1 day ago
RE: latest post (footer)

It seems that the footer issue is updated when someone ...

By dimalifragis , 1 day ago
RE: Likes behaving weird again

@dimalifragis Actually, in "Threaded" layout, likes wo...

By danniee , 2 days ago

15 Forums
12.5 K Topics
63.9 K Posts
2 Online
7,548 Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed