WP Slimstat Analytics
[resolved] I hope Slimstat can't execute base-64 encoded PHP provided in a GET request? (3 posts)

  1. carbeck
    Posted 3 years ago #

    Got multiple GET requests with one element of the usual information (e.g. the User Agent string) containing a base-64 encoded PHP script, e.g. to put a PHP script into my server's root directory that is supposed to return passwords used on my site. The only thing that I can imagine being targeted by such an attack is PHP-based traffic analysis software. Fortunately all these attempts got blocked by Bad Behavior. However, I hope Slimstat is immune to such attacks, just in case one of these eventually gets past the blocker?


  2. carbeck
    Posted 3 years ago #

    FWIW, the GET request I was referring to looked like this:

    93.115.*.* - - [14/Feb/2013:19:12:50 +0000] "GET / HTTP/1.0" 400 904 "" "<?php eval(base64_decode(\" ... \")); ?>"

  3. Jason Crouse
    Plugin Author

    Posted 3 years ago #


    Thank you for your question. We know that our users care about how their information is used, and we are very serious when it comes to making sure our software is free from vulnerabilities and robust. A warning came out last year about a very rare exploit that could be done by leveraging a bug in WP SlimStat, and we released a hotfix within 24 hours.

    About your specific scenario, WP SlimStat doesn't "execute" any of the information stored in the database, so this kind of attack would not work with our software. However, in the remote case you find a vulnerability, please don't hesitate to contact us so that we can fix it right away.


Topic Closed

This topic has been closed to new replies.
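
For anyone who wants to find requests like the one quoted in this thread in their own access logs, here is an added example; it is not part of the original posts and not Slimstat or Bad Behavior code. It assumes Combined Log Format, and the names `scan`, `LOG_RE` and `PHP_MARKERS` are hypothetical; the sample lines are constructed, with the payload elided as in the thread.

```python
import re

# Combined Log Format; quoted fields may hold backslash-escaped quotes,
# as the User-Agent in the thread's log line does.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)
FIELDS = ("request", "referer", "agent")

# PHP open tags, or the eval/base64_decode calls seen in the thread.
PHP_MARKERS = re.compile(r'<\?(?:php|=)|\b(?:eval|base64_decode)\s*\(', re.I)

# Constructed sample lines (documentation IP ranges); payload elided as in the thread.
SAMPLE = [
    r'203.0.113.7 - - [14/Feb/2013:19:12:50 +0000] "GET / HTTP/1.0" 400 904 "" "<?php eval(base64_decode(\" ... \")); ?>"',
    r'198.51.100.23 - - [14/Feb/2013:19:13:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
    r'203.0.113.9 - - [14/Feb/2013:19:14:10 +0000] "GET / HTTP/1.1" 200 904 "<?php eval(base64_decode(\" ... \")); ?>" "Mozilla/5.0"',
    'truncated or malformed line',
]

def scan(lines):
    """Return (hits, unparsed): hits are (host, field, status) tuples."""
    hits, unparsed = [], []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            # Do not drop silently: a line the parser rejects needs a manual look.
            unparsed.append(line)
            continue
        host, request, status, referer, agent = m.groups()
        for field, value in zip(FIELDS, (request, referer, agent)):
            if PHP_MARKERS.search(value):
                hits.append((host, field, status))
    return hits, unparsed

if __name__ == "__main__":
    hits, unparsed = scan(SAMPLE)
    for host, field, status in hits:
        print(f"PHP code in {field} field from {host} (response {status})")
    print(f"{len(unparsed)} line(s) could not be parsed")
```

The status code in each hit shows whether the request was rejected (400 in the thread, where Bad Behavior blocked it) or reached the application, which is the case worth following up.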
