SQL injection vulnerability reported at http://blog.spiderlabs.com/modsecurity/
10 December, 2011, 4:56 pm | sean | Boulder Creek, California, USA | Member | Forum Posts: 5 | Member Since: 10 December, 2011

Hi, there is a SQL injection vulnerability reported here:

http://blog.spiderlabs.com/modsecurity/

specifically:

# (2072045) ModSecurity Rules from Trustwave SpiderLabs: Sermon Browser Plugin for WordPress index.php sermon_id Parameter SQL Injection
 
Do you have plans to address this? I can't use the plugin until it's resolved :(
 
There is also an XSS vulnerability mentioned:
# (2072044) ModSecurity Rules from Trustwave SpiderLabs: Sermon Browser Plugin for WordPress index.php file_name Parameter XSS
 
I'm a bit less concerned about the XSS at this time.
10 December, 2011, 7:32 pm | Rich Brown | Parkville, MD | Guru | Forum Posts: 306 | Member Since: 13 July, 2009

sean said

Hi, there is a SQL injection vulnerability reported here:

http://blog.spiderlabs.com/modsecurity/

specifically:

# (2072045) ModSecurity Rules from Trustwave SpiderLabs: Sermon Browser Plugin for WordPress index.php sermon_id Parameter SQL Injection
 
Do you have plans to address this? I can't use the plugin until it's resolved :(
 
There is also an XSS vulnerability mentioned:
# (2072044) ModSecurity Rules from Trustwave SpiderLabs: Sermon Browser Plugin for WordPress index.php file_name Parameter XSS
 
I'm a bit less concerned about the XSS at this time.

Is this something we should all worry about?  I just took our archive offline just in case until I see a patch or some kind of response.

Rich Brown
Aisquith Presbyterian Church
Parkville, Maryland, USA
sermons.aisquith.org
12 December, 2011, 3:06 pm | Ben Miller | Appleton, WI, USA | Moderator | Forum Posts: 387 | Member Since: 18 June, 2009

These vulnerabilities were fixed by Mark Barnes in version 0.43.6.

You can read more about the vulnerabilities here:

http://osvdb.org/search/search…..thx=search

The vulnerabilities affected 0.43.5 and were disclosed on 4/26/2011, which was the same date that Mark released version 0.43.6, which you can read about here:

http://www.sermonbrowser.com/whats-new/

As far as I know, these vulnerabilities are not currently a concern if you are using the latest version of Sermon Browser.

Ben Miller
Pathways Church, Appleton, WI, USA
2 January, 2012, 6:04 pm | sean | Boulder Creek, California, USA | Member | Forum Posts: 5 | Member Since: 10 December, 2011

Hi!  Thanks for the info. I read the release notes and they said little more than (paraphrasing here) 'security update'. In the future do you think the release notes can be more specific?  I had to review the code myself and perform similar attacks to be sure they were addressed.

2 January, 2012, 6:05 pm | sean | Boulder Creek, California, USA | Member | Forum Posts: 5 | Member Since: 10 December, 2011

Ah, and I should follow up: I have verified that the SQL injection issue has been fixed. I haven't messed with the XSS scripting issue. He's added code to strip slashes, which usually gets it.
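As an added illustration of the hardening class the thread is talking about (this is not Sermon Browser's code and not Mark Barnes's actual 0.43.6 fix), the sketch below shows how a WordPress plugin should treat the two parameters named in the advisories: sermon_id is coerced to an integer and bound through $wpdb->prepare(), and file_name is unslashed, sanitized and escaped before it is echoed. The table name sb_sermons and the sb_* function names are assumptions.

```php
<?php
// Added example, not the plugin's own code. Table and function names are assumed.

// Constructed illustration of the bug class: the raw request value is pasted
// into the SQL string, so anything other than a bare number changes the query.
function sb_get_sermon_unsafe() {
    global $wpdb;
    $id = $_GET['sermon_id'];
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}sb_sermons WHERE id = $id" );
}

// Hardened form: absint() forces a non-negative integer and prepare() binds it
// with the %d placeholder, so a non-numeric sermon_id never reaches MySQL.
function sb_get_sermon_safe() {
    global $wpdb;
    $id = isset( $_GET['sermon_id'] ) ? absint( $_GET['sermon_id'] ) : 0;
    if ( 0 === $id ) {
        return null; // missing or non-numeric id: nothing to look up
    }
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}sb_sermons WHERE id = %d", $id )
    );
}

// XSS side: WordPress adds slashes to request data, so strip them first, then
// reduce the value to a plain file name and HTML-escape it on output so any
// markup in file_name is rendered as text rather than interpreted.
function sb_render_file_name() {
    $raw  = isset( $_GET['file_name'] ) ? stripslashes( $_GET['file_name'] ) : '';
    $name = sanitize_file_name( $raw );
    echo '<span class="sb-file">' . esc_html( $name ) . '</span>';
}
```

The same two moves (type coercion plus parameter binding for ids, sanitize plus output escaping for strings) are what to look for when you review a plugin update described only as a "security update".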
