#1 WordPress forum plugin created by gVectors Team

wpForo – WordPress Forum Plugin
False Positive:SQL injection


dlinstedt (@dlinstedt), Topic starter, Eminent Member, Posts: 47, Joined: 4 years ago
October 9, 2020 2:16 pm

To whom it may concern:

1) I use SUCURI.NET for firewall.

2) Sucuri.net is detecting SQL injection as a false positive from wpForo Add Topic and from wpForo Reply.

To repeat:

a) set up sucuri.net for a site with wpForo

b) create a new topic in wpForo

c) type in the "body of the topic" the following text: What you want is insert into as a command.

d) click add-topic

Result: SUCURI finds "insert into" language, and scores it as a false positive SQL injection attack.

Suggested fix:

1) adjust wpForo core - when JavaScript is "posting" the text to:

1.a) encrypt the text

1.b) pass the encryption key with the headers / parameters of the XHR call

1.c) decrypt the text when the PHP core receives the post request.

The issue is: on my forums, we do have people "putting code and SQL" into the post topics and replies. We can't afford the SUCURI.net firewall triggering a SQL injection because wpForo currently submits the text from the topic as PLAIN text in the XHR javascript callback.

Let me know if you have more questions, or need more details. I will be happy to find the actual offending code, and offer a specific coded solution to solving this problem.

Thanks,

Dan
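An added example, not code from this thread, wpForo or Sucuri: a simplified keyword signature (a constructed stand-in for a request-inspecting WAF rule, not Sucuri's actual rule set) fires on the exact topic body from the report above, while a parameterized insert stores that same text verbatim, which is why the flag is a property of the signature and not a risk in the stored data. The function and table names are hypothetical.

```python
import re
import sqlite3

# Constructed sample: the exact topic body from the report above.
TOPIC_BODY = "What you want is insert into as a command."

# Hypothetical keyword signature: a simplified stand-in for a WAF SQLi rule,
# not Sucuri's actual rule set. It fires on SQL verbs anywhere in a field.
SQLI_SIGNATURE = re.compile(r"\b(insert\s+into|drop\s+table)\b", re.IGNORECASE)


def waf_flags(field_value: str) -> bool:
    """True if the signature fires on a submitted form field.

    The rule only sees the request body; it cannot know whether the
    application treats the field as data or splices it into a statement,
    so ordinary prose about SQL trips it (the false positive in the report).
    """
    return SQLI_SIGNATURE.search(field_value) is not None


def new_forum_db() -> sqlite3.Connection:
    """In-memory stand-in for a forum's topics table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE topics (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    return conn


def store_topic(conn: sqlite3.Connection, title: str, body: str) -> int:
    """Insert a topic with bound parameters; the body is data, never SQL."""
    cur = conn.execute(
        "INSERT INTO topics (title, body) VALUES (?, ?)", (title, body)
    )
    conn.commit()
    return cur.lastrowid


def fetch_body(conn: sqlite3.Connection, topic_id: int) -> str:
    """Read the stored body back so it can be compared with what was sent."""
    row = conn.execute("SELECT body FROM topics WHERE id = ?", (topic_id,)).fetchone()
    return row[0]


if __name__ == "__main__":
    print("WAF signature fires:", waf_flags(TOPIC_BODY))  # True
    db = new_forum_db()
    tid = store_topic(db, "False Positive: SQL injection", TOPIC_BODY)
    print("Stored verbatim:", fetch_body(db, tid) == TOPIC_BODY)  # True
```

The same bound-parameter insert also stores bodies containing quotes unchanged, which is the property a keyword filter in front of the application cannot provide on its own.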

Topic Tags: sql injection, false positive, add topic

2 Replies
Robert (@robert), Admin, Support Team, Posts: 9090, Joined: 6 years ago
October 12, 2020 11:25 am

Hi @dlinstedt,

Posted by: @dlinstedt

The issue is: on my forums, we do have people "putting code and SQL" into the post topics and replies. We can't afford the SUCURI.net firewall triggering a SQL injection because wpForo currently submits the text from the topic as PLAIN text in the XHR javascript callback.

This is false info from SUCURI.NET. You can ignore it for sure. wpForo doesn't submit topics and posts in the XHR javascript callback. wpForo is based on a regular refresh. So this is just incorrect information. We don't use an AJAX/XHR topic/post submitting function.

In case you want to say thank you!)
We'd really appreciate it and be thankful if you leave a good review on the plugin page. This is the best way to say thank you to this project and support team.

1 Reply

dlinstedt (@dlinstedt), Eminent Member, Posts: 47, Joined: 4 years ago
October 12, 2020 1:26 pm
Reply to Robert

@robert

I am sorry for logging this one, I misspoke. I am picking this up with SUCURI.net - to see what (if anything) they can do about this. Apparently many different website owners receive false positives by pasting "code" into the reply / topic text.

I'll let everyone know what I find out. What's weird is: the DRAFT save / automatic - has no problems, just the REPLY / POST new topic button.

Thanks,

Dan

Powered by wpForo | Copyright © 2016-2022 gVectors Team