Serious Security Exploit – Disable this plugin now!

rjpearce2
(@rjpearce2)

11 years, 2 months ago

If you use this plugin disable it now!

Your Pingdom username & password are shown in plain text in every page of your website. And thanks to Google it’s probably been cached like that for months.

See below for the error the plugin throws:

b>Warning: SoapClient::SoapClient(http://wsbusiness2.pingdom.com/Business.asmx?WSDL) [soapclient.soapclient]: failed to open stream: No route to host in /home/anagalia/webapps/www/wp-content/plugins/pingdom-status/php/wsproxy/PingdomStatus_business.php on line 
67

Warning: SoapClient::SoapClient() [soapclient.soapclient]: I/O warning : failed to load external entity "http://wsbusiness2.pingdom.com/Business.asmx?WSDL" in /home/anagalia/webapps/www/wp-content/plugins/pingdom-status/php/wsproxy/PingdomStatus_business.php on line 67

Tuesday 05th of February 2013 11:21:05 PM -> Error refreshing sensors: SOAP-ERROR: Parsing WSDL: Couldn’t load from ‘http://wsbusiness2.pingdom.com/Business.asmx?WSDL’ : failed to load external entity “http://wsbusiness2.pingdom.com/Business.asmx?WSDL”

Warning: SoapClient::SoapClient(http://wssecurity2.pingdom.com/Security.asmx?WSDL) [soapclient.soapclient]: failed to open stream: No route to host in /home/anagalia/webapps/www/wp-content/plugins/pingdom-status/php/wsproxy/PingdomStatus_wsmain.php on line 46

Warning: SoapClient::SoapClient() [soapclient.soapclient]: I/O warning : failed to load external entity "http://wssecurity2.pingdom.com/Security.asmx?WSDL" in /home/anagalia/webapps/www/wp-content/plugins/pingdom-status/php/wsproxy/PingdomStatus_wsmain.php on line 46
Error in Pingdom web service call from function authenticate. Request:
Login::__set_state(array(
‘apiKey’ => ‘1a6af666cb1bb5611ea7b06c325fc931’,
‘username’ => ‘****************’,
‘password’ => ‘****************’,
))

Response:
LoginResponse::__set_state(array(
‘LoginResult’ => NULL,
))

http://wordpress.org/extend/plugins/pingdom-status/

Viewing 2 replies - 1 through 2 (of 2 total)

yoav.aner
(@yoavaner)

11 years, 2 months ago
Thanks for the heads-up!

Looks like this plugin is no longer maintained on wordpress.org, which is a shame. Or maybe I just couldn’t find it?

To apply a quickfix for this. in wp-content/plugins/pingdom-status/php/wsproxy/PingdomStatus_wsmain.php you can comment out the line that echos the request
```
// Somehow write to wordpress error log.
        if($doEcho){
            echo $toWrite;
        }
```
… and change your username/password on pingdom of course.
Plugin Author Pingdom
(@pingdom)

11 years, 2 months ago

Thank you for reporting the issue with the plugin. It is recommended to turn of the PHP debugging information for production environments to avoid exposing sensitive information.

However, we’re afraid that the plugin is deprecated and no longer functional with our service, thus removed from the WordPress site. The SOAP API backend have been deprecated for a long time and were shut down some time ago.

Later on we might develop a new version of the plugin that utilize our REST API, although the future of the plugin hasn’t been decided yet.

Regards,
The Pingdom team.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Serious Security Exploit – Disable this plugin now!’ is closed to new replies.