WordPress.org Forums
DMS Guestbook vulnerable to exploits (5 posts)

  1. ANA Designs
    Member
    Posted 3 years ago

    Since installing a site running DMS guestbook on a VPS, several times a day mod_security blocks exploit attempts. Several websites document the possible exploits associated with this plugin. Here is one synopsis:

    Cross-Site Scripting

    Cross-Site Scripting vulnerabilities allow a third party to manipulate the content or behaviour of a web application in a user's browser, without compromising the underlying system.
    Different Cross-Site Scripting related vulnerabilities are also classified under this category, including "script insertion" and "cross-site request forgery".
    Cross-Site Scripting vulnerabilities are often used against specific users of a website to steal their credentials or to conduct spoofing attacks.
    Exposure of sensitive information

    Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.
    Exposure of system information

    Vulnerabilities where excessive information about the system (e.g. version numbers, running services, installation paths, and similar) is exposed and can be revealed from remote and in some cases locally.
    Manipulation of data

    This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system, but not necessarily be able to gain escalated privileges or system access.
    The most frequent type of vulnerabilities with this impact are SQL-injection vulnerabilities, where a malicious user or person can manipulate SQL queries.
    ____________________

    Can the code be sanitized in such a way that it's no longer vulnerable to these threats? I like the plugin but it seems very risky to use.

    Thank you for any assistance!

    http://wordpress.org/extend/plugins/dmsguestbook/

  2. DanielSchurter
    Member
    Plugin Author

    Posted 3 years ago

    Hi ANA Designs,

    How old is this information?

    The last known issues are from 2008 and affected DMSGuestbook 1.7.0. After that, the XSS and SQL injection vulnerabilities were fixed, and I've never heard of a new issue.

    I suggest you use DMSGuestbook 1.17.1. This is the newest version.

    Greetings,
    Dani

  3. ANA Designs
    Member
    Posted 3 years ago

    Dani, version 1.17.1 is installed on the site and it is continually assaulted by exploit attempts.

    I assume that if my mod_security rules weren't stopping these attempts, the improvements to the script would catch and prevent them.

    I also assume the people or bots who are attacking this particular guestbook are finding the same information I did (which was from 2008) and are looking for old, vulnerable copies of the plugin so they can do their dirty work. Another reason to always keep everything updated.

    What surprises me is the volume of these exploit attempts that I see in my mod_security logs. Obviously you've taken care of fixing any issues yet still this plugin remains a target.

    I won't advise my client to abandon your plugin. Thanks for your work!

  4. DanielSchurter
    Member
    Plugin Author

    Posted 3 years ago

    I need more information about which kind of exploit, on which code line, is found by mod_security.

    You can send me your mod_security logs to DMSGuestbook [at] DanielSchurter [dot] Net and I will check that.

    Greetings,
    Dani
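The exchange above (post 3 describing the volume of blocked attempts, post 4 asking which exploit hit which code) is the point where an operator would normally triage the mod_security log before mailing it. The script below is an added example and is not code from this thread or from the DMSGuestbook plugin. It parses ModSecurity 2.x alert lines in the Apache error_log format, keeps only requests whose URI falls under the plugin directory (assumed to be the standard `/wp-content/plugins/dmsguestbook/` path), and groups them by rule id, source IP and the request parameter the rule matched. The log lines, rule ids, IPs and hostnames are constructed for the example.

```python
"""Triage ModSecurity 2.x error_log alerts that target one WordPress plugin.

Added example: the sample entries and rule ids below are constructed, not real
data, and this is not the DMSGuestbook plugin's own code.
"""
import re
from collections import Counter

# Assumed plugin slug; the standard WordPress plugin path is /wp-content/plugins/<slug>/
PLUGIN_SLUG = "dmsguestbook"

# Constructed sample entries in the ModSecurity 2.x Apache error_log format.
# Rule ids (9001xx), client IPs and hostnames are made up for this example.
SAMPLE_LOG = r"""
[Tue Mar 06 10:12:31 2012] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:<script)" at ARGS:name. [file "/etc/modsecurity/xss.conf"] [line "22"] [id "900101"] [msg "Cross-site Scripting (XSS) Attack"] [severity "CRITICAL"] [hostname "guestbook.example"] [uri "/wp-content/plugins/dmsguestbook/dmsguestbook.php"] [unique_id "T1XhAwoAAAEAAB0QBXoAAAAA"]
[Tue Mar 06 10:12:32 2012] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:union\s+select)" at ARGS:message. [file "/etc/modsecurity/sqli.conf"] [line "40"] [id "900201"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "guestbook.example"] [uri "/wp-content/plugins/dmsguestbook/dmsguestbook.php"] [unique_id "T1XhAwoAAAEAAB0QBXoAAAAB"]
[Tue Mar 06 11:40:07 2012] [error] [client 198.51.100.23] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:<script)" at ARGS:name. [file "/etc/modsecurity/xss.conf"] [line "22"] [id "900101"] [msg "Cross-site Scripting (XSS) Attack"] [severity "CRITICAL"] [hostname "guestbook.example"] [uri "/wp-content/plugins/dmsguestbook/dmsguestbook.php"] [unique_id "T1XhAwoAAAEAAB0QBXoAAAAC"]
[Tue Mar 06 11:41:55 2012] [error] [client 198.51.100.23] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\.\./)" at ARGS:file. [file "/etc/modsecurity/lfi.conf"] [line "15"] [id "900301"] [msg "Path Traversal Attack"] [severity "CRITICAL"] [hostname "guestbook.example"] [uri "/wp-content/themes/twentyeleven/index.php"] [unique_id "T1XhAwoAAAEAAB0QBXoAAAAD"]
[Tue Mar 06 11:42:00 2012] [error] [client 198.51.100.23] File does not exist: /var/www/html/favicon.ico
"""

# [key "value"] pairs emitted by ModSecurity; values may contain escaped quotes.
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Apache's [client a.b.c.d] prefix (IPv4 or IPv6).
CLIENT_RE = re.compile(r"\[client ([0-9a-fA-F.:]+)\]")
# The variable the rule fired on, e.g. "at ARGS:name." before the first [file ...].
TARGET_RE = re.compile(r"\bat ([A-Z_]+(?::[^\s.\[]+)?)\.\s+\[")


def parse_entry(line):
    """Return a dict for one ModSecurity alert line, or None for unrelated lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    client = CLIENT_RE.search(line)
    target = TARGET_RE.search(line)
    return {
        "client": client.group(1) if client else "?",
        "rule_id": fields.get("id", "?"),
        "msg": fields.get("msg", "?"),
        "uri": fields.get("uri", "?"),
        "rule_file": fields.get("file", "?"),   # the WAF rule file, not plugin source
        "rule_line": fields.get("line", "?"),   # line in that rule file
        "target": target.group(1) if target else "?",
    }


def plugin_alerts(log_text, slug=PLUGIN_SLUG):
    """Keep only alerts whose request URI is under the plugin's directory."""
    needle = f"/wp-content/plugins/{slug}/"
    alerts = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and needle in entry["uri"]:
            alerts.append(entry)
    return alerts


def summarize(alerts):
    """Group alerts by rule id: hit count, distinct clients, and which parameter fired."""
    by_rule = {}
    for a in alerts:
        s = by_rule.setdefault(
            a["rule_id"], {"msg": a["msg"], "count": 0, "clients": set(), "targets": Counter()}
        )
        s["count"] += 1
        s["clients"].add(a["client"])
        s["targets"][a["target"]] += 1
    return by_rule


def report(log_text, slug=PLUGIN_SLUG):
    """Human-readable summary suitable for sending to a plugin author."""
    alerts = plugin_alerts(log_text, slug)
    summary = summarize(alerts)
    lines = [f"{len(alerts)} blocked requests against plugin '{slug}'"]
    for rule_id, s in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        targets = ", ".join(f"{t} x{n}" for t, n in s["targets"].most_common())
        lines.append(
            f"  rule {rule_id} ({s['msg']}): {s['count']} hits from "
            f"{len(s['clients'])} client(s); fired on {targets}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Two caveats worth remembering when reading such a summary. The `[file "..."]` and `[line "..."]` fields name the ModSecurity rule file and the line within it, not a line of plugin code, so the "which code line" question can only be answered by following the matched variable (here `ARGS:name` or `ARGS:message`) to the plugin handler that reads that request parameter. And the error_log only records the matched fragment; the full request body that a developer would want to reproduce the attempt lives in the audit log (`SecAuditEngine` / `modsec_audit.log`), which should be sent alongside this summary.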

  5. ANA Designs
    Member
    Posted 3 years ago

    Thanks Dani. Email sent.

This topic has been closed to new replies.