WP Slimstat
[resolved] I hope Slimstat can't execute base-64 encoded PHP provided in a GET request? (3 posts)

  1. carbeck
    Member
    Posted 1 year ago #

    Got multiple GET requests with one element of the usual information (e.g. the User Agent string) containing a base-64 encoded PHP script, e.g. to put a PHP script into my server's root directory that is supposed to return passwords used on my site. The only thing that I can imagine being targeted by such an attack is PHP-based traffic analysis software. Fortunately all these attempts got blocked by Bad Behavior. However, I hope Slimstat is immune to such attacks, just in case one of these eventually gets past the blocker?

    http://wordpress.org/extend/plugins/wp-slimstat/

  2. carbeck
    Member
    Posted 1 year ago #

    FWIW, the GET request I was referring to looked like this:

    93.115.*.* - - [14/Feb/2013:19:12:50 +0000] "GET / HTTP/1.0" 400 904 "" "<?php eval(base64_decode(\" ... \")); ?>"

  3. camu
    Member
    Plugin Author

    Posted 1 year ago #

    Carbeck,

    thank you for your question. We know that our users care about how their information is used, and we are very serious when it comes to making sure our software is free from vulnerabilities and robust. A warning came out last year about a very rare exploit that could be done by leveraging a bug in WP SlimStat, and we released a hotfix within 24 hours.

    About your specific scenario, WP SlimStat doesn't "execute" any of the information stored in the database, so this kind of attack would not work with our software. However, in the remote case you find a vulnerability, please don't hesitate to contact us so that we can fix it right away.

    Best,
    Camu
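
As an added example (not code from Slimstat, carbeck or camu), this is the check a site owner could run over an access log in the format carbeck quoted: it parses each combined-format line, flags User-Agent values that carry PHP markers, and base64-decodes the argument only to preview it, which is the distinction camu draws between storing data and executing it. The sample log lines, payload and IP addresses are constructed.

```python
import base64
import re
# Combined log format, the layout of the line carbeck quoted above.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$')
# PHP markers no browser sends; \\? allows the log writer's backslash-escaped quotes.
PHP_MARKERS = re.compile(r'<\?php|\beval\s*\(|base64_decode\s*\(', re.I)
B64_ARG = re.compile(r'base64_decode\(\s*\\?["\']([A-Za-z0-9+/=]+)\\?["\']')

def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def inspect_ua(ua):
    """Return (suspicious, decoded_preview); decodes for inspection, never eval."""
    if not PHP_MARKERS.search(ua):
        return False, None
    preview = None
    arg = B64_ARG.search(ua)
    if arg:
        try:
            preview = base64.b64decode(arg.group(1), validate=True).decode('utf-8', 'replace')[:80]
        except ValueError:
            pass  # not valid base64: still flag the line, just without a preview
    return True, preview

def scan(lines):
    """Return (ip, timestamp, preview) for every line whose UA carries PHP code."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        suspicious, preview = inspect_ua(rec['ua'])
        if suspicious:
            hits.append((rec['ip'], rec['ts'], preview))
    return hits

# Constructed sample lines (RFC 5737 addresses); the base64 decodes to echo 'x';
SAMPLE_LINES = [
    '203.0.113.5 - - [14/Feb/2013:19:13:02 +0000] "GET /index.php HTTP/1.1" 200 5120 '
    '"http://example.com/" "Mozilla/5.0 (compatible; ExampleBot/1.0)"',
    r'198.51.100.7 - - [14/Feb/2013:19:12:50 +0000] "GET / HTTP/1.0" 400 904 "" '
    r'"<?php eval(base64_decode(\"ZWNobyAneCc7\")); ?>"',
    r'198.51.100.8 - - [14/Feb/2013:19:14:11 +0000] "GET / HTTP/1.0" 400 904 "" '
    r'"<?php eval(base64_decode(\"%%%\")); ?>"',
]
```

Running `scan(SAMPLE_LINES)` flags the two PHP-bearing lines and shows the decoded text for the first; the third line has an undecodable argument and is flagged without a preview.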
