[Plugin: myEASYbackup] Plugin has a critical vulnerability. Must fix ASAP.

Viewing 3 replies - 1 through 3 (of 3 total)
  • camaleo

    (@camaleo)

    Hi,

    going to release version 0.0.3 in the next 15 minutes. Added the following code at the beginning of meb_download.php

    $tmp = explode('://', $_SERVER['HTTP_REFERER']);
    $path = explode('/', $tmp[1]);
    $referer = $path[0];
    if ( ($_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME'])
            ||
         ($_SERVER['HTTP_HOST'] != $referer)
            ||
         ($_SERVER['SERVER_NAME'] != $referer) )
    {
        return;
    }

    that should fix the issue, can you please confirm?

    Thanks

    Hi,

    I use a simpler solution – check whether one of the WordPress functions or constants is defined; if it isn’t, then stop execution, e.g.

    if (! defined("WPLANG")) {
      die;  // Silence is golden, direct call is prohibited
    }

    camaleo

    (@camaleo)

    you are right, but I needed to avoid the ‘headers already sent’ issue, so had to directly load the page 😉
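
An added example, not part of the thread and not the plugin's own code: one way to keep a download script directly loadable, as the last reply requires, while letting WordPress decide who may download before any header is sent. The install layout, the `backups` directory, the `file` parameter and the nonce action `example_backup_download` are assumptions made for illustration.

```php
<?php
// Hypothetical standalone download endpoint (illustration only).
// Assumed location: wp-content/plugins/<plugin>/download.php, so the
// WordPress root is four directory levels up from this file.
require_once dirname(__FILE__, 4) . '/wp-load.php';

// 1. The caller must be a logged-in user who may manage the site.
//    This is decided from the WordPress session, not from request headers.
if (!is_user_logged_in() || !current_user_can('manage_options')) {
    status_header(403);
    exit;
}

// 2. The request must carry a nonce issued by the plugin's admin page,
//    e.g. created there with wp_create_nonce('example_backup_download').
$nonce = isset($_GET['_wpnonce'])
    ? sanitize_text_field(wp_unslash($_GET['_wpnonce']))
    : '';
if (!wp_verify_nonce($nonce, 'example_backup_download')) {
    status_header(403);
    exit;
}

// 3. Serve only a plain file name that resolves inside the backup directory.
$backup_dir = realpath(__DIR__ . '/backups');            // assumed directory
$name = isset($_GET['file']) ? basename(wp_unslash($_GET['file'])) : '';
$path = ($backup_dir !== false && $name !== '')
    ? realpath($backup_dir . DIRECTORY_SEPARATOR . $name)
    : false;
if ($path === false
    || strpos($path, $backup_dir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    status_header(404);
    exit;
}

// 4. Nothing has been echoed so far, so the download headers can still be sent.
nocache_headers();
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . str_replace('"', '', $name) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
exit;
```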

  • The topic ‘[Plugin: myEASYbackup] Plugin has a critical vulnerability. Must fix ASAP.’ is closed to new replies.