To whom it may concern:
1) I use SUCURI.NET as a firewall.
2) Sucuri.net is detecting SQL injection as a false positive from wpForo Add Topic and from wpForo Reply.
To repeat:
a) set up sucuri.net for a site with wpForo
b) create new topic in wpForo
c) type in the "body of the topic" the following text: What you want is insert into as a command.
d) click add-topic
Result: SUCURI finds "insert into" language, and scores it as a false positive SQL injection attack.
Suggested fix:
1) adjust wpForo core - when JavaScript is "posting" the text to:
1.a) encrypt the text
1.b) pass the encryption key with the headers / parameters of the XHR call
1.c) decrypt the text when the PHP core receives the post request.
The issue is: on my forums, we do have people "putting code and SQL" into the post topics and replies. We can't afford the SUCURI.net firewall triggering a SQL injection because wpForo currently submits the text from the topic as PLAIN text in the XHR JavaScript callback.
Let me know if you have more questions, or need more details. I will be happy to find the actual offending code, and offer a specific coded solution to solving this problem.
Thanks,
Dan
Hi @dlinstedt,
The issue is: on my forums, we do have people "putting code and SQL" into the post topics and replies. We can't afford the SUCURI.net firewall triggering a SQL injection because wpForo currently submits the text from the topic as PLAIN text in the XHR JavaScript callback.
This is false info from SUCURI.NET. You can ignore it for sure. wpForo doesn't submit topics and posts in an XHR JavaScript callback. wpForo is based on a regular page refresh. So this is just incorrect information. We don't use an AJAX/XHR topic/post submitting function.