Support » Plugins and Hacks » Slim Stat Analytics » [Resolved] I hope Slimstat can't execute base-64 encoded PHP provided in a GET request?

[Resolved] I hope Slimstat can't execute base-64 encoded PHP provided in a GET request?

  • Got multiple GET requests with one element of the usual information (e.g. the User Agent string) containing a base-64 encoded PHP script e.g. to put a PHP script into my server’s root directory that is supposed to return passwords used on my site. The only thing that I can imagine being targeted by such an attack is PHP-based traffic analysis software. Fortunately all these attempts got blocked by Bad Behavior. However, I hope Slimstat is immune to such attacks, just in case one of these eventually gets past the blocker?

    http://wordpress.org/extend/plugins/wp-slimstat/

Viewing 2 replies - 1 through 2 (of 2 total)
  • FWIW, the GET request I was referring to looked like this:

    93.115.*.* - - [14/Feb/2013:19:12:50 +0000] "GET / HTTP/1.0" 400 904 "" "<?php eval(base64_decode(\" ... \")); ?>"
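The quoted line is a standard Apache "combined" log entry in which the User-Agent field carries PHP source instead of a browser string. Whether or not an analytics plugin ever evaluates that field, a site owner can flag such requests in the access log directly. The following script is an added example written for this thread; it is not part of WP SlimStat or Bad Behavior. The three log lines are constructed in the same format as the request above (the encoded payload is a harmless `echo`, not the one from the real request), and the field names, regexes and function names are this example's own.

```python
import base64
import binascii
import re
from typing import Optional

# Apache "combined" log format; the last quoted field is the User-Agent.
# Apache writes a quote inside a field as \" so the final field is matched
# greedily up to the last quote on the line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# Markers of PHP code smuggled into a header that should only ever hold text.
SUSPICIOUS_RE = re.compile(r'<\?php|eval\s*\(|base64_decode\s*\(', re.IGNORECASE)

# The argument of base64_decode("..."), allowing for the backslash-escaped
# quotes exactly as they appear in the log file.
B64_ARG_RE = re.compile(r'base64_decode\(\s*\\?["\']([A-Za-z0-9+/=]+)\\?["\']')

# Constructed sample lines (not real traffic), modelled on the request quoted
# in the thread. Only the first one carries PHP in its User-Agent.
SAMPLE_LOG = [
    r'93.115.0.1 - - [14/Feb/2013:19:12:50 +0000] "GET / HTTP/1.0" 400 904 "" "<?php eval(base64_decode(\"ZWNobyAnaGknOw==\")); ?>"',
    r'198.51.100.7 - - [14/Feb/2013:19:13:02 +0000] "GET /about/ HTTP/1.1" 200 5120 "http://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/19.0"',
    r'203.0.113.9 - - [14/Feb/2013:19:13:40 +0000] "GET /feed/ HTTP/1.1" 200 2048 "" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def decode_payload(field: str) -> Optional[str]:
    """Recover the base64 argument so an analyst can see what was attempted (never run it)."""
    m = B64_ARG_RE.search(field)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan(lines) -> list:
    """Return one finding per line whose User-Agent or Referer field carries PHP code."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: not in combined format
        for field in ("ua", "referer"):
            if SUSPICIOUS_RE.search(rec[field]):
                findings.append({
                    "ip": rec["ip"],
                    "time": rec["time"],
                    "field": field,
                    "value": rec[field],
                    "decoded": decode_payload(rec[field]),
                })
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} [{f['time']}] {f['field']}: {f['value']!r}")
        print(f"    decoded payload: {f['decoded']!r}")
```

The decoded text is shown to the analyst only; nothing in the script evaluates it. Pointing `scan()` at `open("/var/log/apache2/access.log")` instead of `SAMPLE_LOG` runs the same check over a real log, and the hits are the requests worth correlating with whatever the blocker reported.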

    Plugin Author Jason Crouse

    @coolmann

    Carbeck,

    thank you for your question. We know that our users care about how their information is used, and we are very serious when it comes to making sure our software is free from vulnerabilities and robust. A warning came out last year about a very rare exploit that could be done by leveraging a bug in WP SlimStat, and we released a hotfix within 24 hours.

    About your specific scenario, WP SlimStat doesn’t “execute” any of the information stored in the database, so this kind of attack would not work with our software. However, in the remote case you find a vulnerability, please don’t hesitate to contact us so that we can fix it right away.

    Best,
    Camu

  • The topic ‘[Resolved] I hope Slimstat can't execute base-64 encoded PHP provided in a GET request?’ is closed to new replies.