Since installing a site running DMS guestbook on a VPS, several times a day mod_security blocks exploit attempts. Several websites document the possible exploits associated with this plugin. Here is one synopsis:
Cross-Site Scripting vulnerabilities allow a third party to manipulate the content or behaviour of a web application in a user’s browser, without compromising the underlying system.
Different Cross-Site Scripting related vulnerabilities are also classified under this category, including “script insertion” and “cross-site request forgery”.
Cross-Site Scripting vulnerabilities are often used against specific users of a website to steal their credentials or to conduct spoofing attacks.
Exposure of sensitive information
Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.
Exposure of system information
Vulnerabilities where excessive information about the system (e.g. version numbers, running services, installation paths, and similar) is exposed and can be revealed from remote and in some cases locally.
Manipulation of data
This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system, but not necessarily be able to gain escalated privileges or system access.
The most frequent type of vulnerabilities with this impact are SQL-injection vulnerabilities, where a malicious user or person can manipulate SQL queries.
Can the code be sanitized in such a way that it’s no longer vulnerable to these threats? I like the plugin but it seems very risky to use.
Thank you for any assistance!
- The topic ‘[Plugin: DMSGuestbook] DMS Guestbook vulnerable to exploits’ is closed to new replies.