
[resolved] [Plugin: Business Directory] Don't use business directory xss and injection problems (12 posts)

  1. reconbot
    Member
    Posted 4 years ago #

    I've contacted the authors with no response. Running this plug in is dangerous and could lead to your site getting hacked.

    http://wordpress.org/extend/plugins/business-directory/

  2. csnowden
    Member
    Posted 4 years ago #

    Reconbot, Sorry we missed you. We have your email and are taking a look at your concern.

  3. reconbot
    Member
    Posted 4 years ago #

    Just to note, you still have a bunch of problems with your new version.

  4. lathaela
    Member
    Posted 4 years ago #

    reconbot makes a statement not to use the plugin, Business Directory, but does not appear to qualify his statement.
    Perhaps he will enlighten us!

  5. adamsmark
    Member
    Posted 4 years ago #

    Yeah, what are the issues specifically?

  6. csnowden
    Member
    Posted 4 years ago #

    We have implemented all security recommendations from the WordPress team into our latest version 0.8.2 Beta. It is available now.

    Though we have been in contact, and despite asking for input, we have not received any specifics back from reconbot. In good faith, we have been in contact with the guys at WordPress who did give us some specific items to include to solve any potential issues with code insertion. We implemented all WordPress Team recommendations in our new code.

    We appreciate and thank Michael from The WordPress Team for his recommendations, advice, and code samples.

    We remain unsure of reconbot's motivations.

  7. reconbot
    Member
    Posted 4 years ago #

    Hey, I did reply to your email and your old version of your plugin was riddled with security holes. So don't question my motives beyond wanting to run a secure server.

    I haven't yet tested your new one. If you've removed where you used preg_replace to escape 's with \' in JavaScript strings and if you properly escaped your SQL inputs then I'm sure your plugin is much, much safer. I'll confirm that the WordPress security team contacted you. I'll look at it closer and then give my opinion.
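    The escaping problem reconbot describes (a preg_replace that only turns ' into \' before dropping a value into a JavaScript string) contrasted with a complete literal built by json_encode. This is an added example, not code from the Business Directory plugin; the function names, the heuristic check and the sample values are my own.

```php
<?php
// Added example (not the plugin's code): why escaping only ' with \' is not
// enough for a value placed inside a JavaScript string, and what to use.

// Reconstruction of the weak approach: only single quotes are touched.
function naive_js_escape(string $value): string
{
    // The replacement '\\\\\'' is the three characters \\' i.e. a literal \'
    return preg_replace("/'/", '\\\\\'', $value);
}

// Hardened: json_encode emits the whole literal, quotes included, escapes
// control characters and non-ASCII, and with the HEX flags also <, >, &, '
// and " so the data can never close the <script> element or an attribute.
// WordPress ships wp_json_encode() for the same purpose.
function safe_js_literal(string $value): string
{
    $literal = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($literal === false) {
        // Invalid UTF-8: refuse rather than emit a half-escaped value.
        throw new InvalidArgumentException('value is not valid UTF-8');
    }
    return $literal;
}

// Heuristic unit-test check for text destined for '...' inside <script>:
// no quote after an even run of backslashes, no odd run of backslashes at
// the end (it would escape the closing quote), no raw line terminator, no "</".
function looks_safe_in_single_quotes(string $escaped): bool
{
    if (preg_match('/(?<!\\\\)(?:\\\\\\\\)*\'/', $escaped)) return false;
    if (preg_match('/(?<!\\\\)(?:\\\\\\\\)*\\\\$/', $escaped)) return false;
    if (preg_match('/[\r\n\x{2028}\x{2029}]/u', $escaped)) return false;
    return strpos($escaped, '</') === false;
}

// Constructed inputs a directory listing field might carry.
$samples = [
    "O'Reilly's Cafe",                 // the only case the naive escaper handles
    "C:\\shop\\",                      // ends in a backslash
    "Line one\nLine two",              // raw newline is a JS syntax error
    "Closes the </script> element",    // ends the script block in HTML
];

foreach ($samples as $value) {
    $naive = naive_js_escape($value);
    printf("%-34s naive: %-4s safe literal: %s\n", json_encode($value),
        looks_safe_in_single_quotes($naive) ? 'ok' : 'BAD', safe_js_literal($value));
}
```

    Only the first sample passes the check after the naive escaper; the json_encode output is a self-contained literal for every sample and is echoed without surrounding quotes, e.g. `var name = <?php echo safe_js_literal($v); ?>;`.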

  8. adamsmark
    Member
    Posted 4 years ago #

    reconbot, your motives are not in question, rather your way of going about things. As a visitor to this site, I would like to know if your comments are legitimate. You've already given your opinion -- "Just to note, you still have a bunch of problems with your new version." What do you mean by this?

  9. reconbot
    Member
    Posted 4 years ago #

    The latest version fixes the JavaScript XSS bugs, and no longer suffers from any SQL injection attacks. I'm running it right now. They use PHP short tags, fixing that is my last quip, but it's not a security risk in the slightest.

  10. iogd
    Member
    Posted 4 years ago #

    Can't install this plugin, screen goes blank unless plugin is deleted.

  11. reconbot
    Member
    Posted 4 years ago #

    Make sure short open tags are enabled in your PHP - it's currently a requirement

  12. jpatterson
    Member
    Posted 4 years ago #

    Actually, just upgrade. We took the PHP short tags out in our latest version.

This topic has been closed to new replies.
