Please give me some specific points: where did you find the issue with the code?
Simply take one of the scanners from here: http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html and scan your source folder; there are so many buffer overflow and wrong escaping issues that you will be busy for quite a while fixing them all. And again, please read at least some PHP security books and go through your code line by line.
This is the worst:
$download_template_header = trim($_POST['download_template_header']);
$download_template_footer = trim($_POST['download_template_footer']);
$download_template_pagingheader = trim($_POST['download_template_pagingheader']);
$download_template_pagingfooter = trim($_POST['download_template_pagingfooter']);
$download_template_none = trim($_POST['download_template_none']);
$download_template_category_header = trim($_POST['download_template_category_header']);
$download_template_category_footer = trim($_POST['download_template_category_footer']);
$download_template_listing[] = trim($_POST['download_template_listing']);
$download_template_listing[] = trim($_POST['download_template_listing_2']);
$download_template_embedded[] = trim($_POST['download_template_embedded']);
$download_template_embedded[] = trim($_POST['download_template_embedded_2']);
$download_template_download_page_link = trim($_POST['download_template_download_page_link']);
$download_template_most[] = trim($_POST['download_template_most']);
$download_template_most[] = trim($_POST['download_template_most_2']);
$update_download_queries = array();
This is against all good practices, filling templates with unfiltered POST variables. Seriously, if you have any loyalty toward your users, you must take this component down and warn your users about possible CSR and XSS attacks. In the meantime, verify https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet against your code. It's like opening your users' sites to all sorts of attacks… jeez.
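A hardened version of that settings save, as an added example that is neither the plugin's nor the reviewer's code: it assumes plain PHP with a session-bound CSRF token and an illustrative tag allowlist (in WordPress the same checks are check_admin_referer(), current_user_can() and wp_kses_post()), and shows the CSRF check, the key allowlist, template sanitisation and escaping of placeholder values on output.

```php
<?php
// Added example, not the plugin's code: the settings save is accepted only with a
// valid CSRF token, only known keys are read from $_POST, template HTML is cut down
// to a tag allowlist, and every placeholder value is escaped when a template renders.
// Plain PHP so it runs from the CLI; the WordPress equivalents are
// check_admin_referer(), current_user_can('manage_options') and wp_kses_post().
const TEMPLATE_KEYS = ['download_template_header', 'download_template_footer',
                       'download_template_listing', 'download_template_listing_2'];

// CSRF: the submitted token must match the one issued to this session.
function csrf_token_valid(array $post, string $session_token): bool {
    return isset($post['csrf_token'])
        && hash_equals($session_token, (string) $post['csrf_token']);
}
// Minimal HTML allowlist for a template field. strip_tags() keeps attributes, so
// inline event handlers and javascript: URLs are removed afterwards; production
// code should use a real sanitizer such as wp_kses_post() instead of these regexes.
function sanitize_template_html(string $raw): string {
    $html = strip_tags(trim($raw), '<div><span><p><a><b><i><ul><li><br>');
    $html = preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|\S+)/i', '', $html);
    return preg_replace('/(href|src)\s*=\s*(["\']?)\s*javascript:[^"\'\s>]*/i', '$1=$2#', $html);
}
// Read only the expected keys; anything else in $_POST is ignored.
function read_templates(array $post): array {
    $clean = [];
    foreach (TEMPLATE_KEYS as $key) {
        $clean[$key] = sanitize_template_html((string) ($post[$key] ?? ''));
    }
    return $clean;
}

// Substitute [name] placeholders with HTML-escaped values (file titles etc.).
function render_template(string $template, array $vars): string {
    foreach ($vars as $name => $value) {
        $escaped = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $template = str_replace("[$name]", $escaped, $template);
    }
    return $template;
}

// Constructed sample request: a valid token and a hostile template field.
$session_token = bin2hex(random_bytes(16));
$post = [
    'csrf_token'               => $session_token,
    'download_template_header' => '<div onclick="alert(1)">[title]</div><script>x()</script>',
];
if (!csrf_token_valid($post, $session_token)) { exit("rejected: CSRF token mismatch\n"); }
$templates = read_templates($post);
echo render_template($templates['download_template_header'], ['title' => 'Q1 <img src=x onerror=alert(1)>']), "\n";
```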
How funny, none of that code is from the Download Manager plugin; where did you get it? Also, Download Manager is not a template or theme, it is a plugin.
Yup, that was another component, but still, run some security checks on your code. None of our GET inputs are filtered and checked against CSR/XSS; this is like opening your users' sites to everybody. When running 'RIPS' over your folder you will see how dangerous your code is. This is simply irresponsible, what you're doing to your users, but apparently you don't seem to care at all, just picking up money for your trash.
The code is completely secure as per our tests, but you rated the plugin badly for no reason. You don't even know where the problem is or if there is any problem at all. You suggested that I read PHP security related books. But it looks like, first, you need to learn basic PHP. Anyhow, my advice is: don't waste your time on something which is out of your skill.