Greetings FoxyPress Users,
We had some security vulnerabilities brought to our attention. We would strongly encourage you to email us directly at firstname.lastname@example.org if you find a security vulnerability. We are going to create a form specific to these inquiries, but in the meantime, we would like to stress that we are extremely concerned for our users' security and overall site health. If you find something that would create a vulnerability for these users, do not spread word of it. Talk to us and we will resolve it and keep the community safe.
We are working through this list provided by Waraxe. Unfortunately these issues were not brought to our attention in private, but instead spread across the internet, so now we are fighting them in real time. Regardless of the fact that we do not approve of how the issues were brought to us, we are thankful that these were found out and we can address them. We are working as quickly as possible to patch these.
- #1 – Addressed the file extension issue. An upload cannot occur unless it has a valid extension (.jpg, .jpeg, .gif, .png, .zip).
- #2 – The table name is now part of documenthandler.php instead of being passed in POST variables.
- #3 – Row is queried before assigning variables to the page. ID is checked for numeric as well. User is redirected if invalid.
- #4 – ID is checked for is_numeric before querying.
- #5 –
  - case 1: checked for valid ORDER inputs.
  - case 2: checked for a valid banner ID; redirect with a warning message if not found.
  - case 3: checked for a valid affiliate ID; redirect with a warning message if not found.
- #19 – Protected the ajax.php file with a check for whether ABSPATH is defined.
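As an added illustration of the checks listed above (this is not FoxyPress's own code; the function names, the `$wpdb` table name and the ORDER BY column list are assumptions), here is how each fix can be expressed in a WordPress plugin file:

```php
<?php
// Fix #19: a plugin file meant to run only inside WordPress refuses direct
// requests. ABSPATH is defined by WordPress before any plugin code is loaded.
if (!defined('ABSPATH')) {
    exit;
}

// Fix #1: accept an upload only when its extension is on the allow-list.
function foxy_example_extension_allowed(string $filename): bool {
    $allowed = ['jpg', 'jpeg', 'gif', 'png', 'zip'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Fix #2 + #3/#4: the table name lives in the code (never in POST), the ID is
// checked with is_numeric, and the row is fetched before anything is rendered.
// %d in $wpdb->prepare() binds the ID as an integer.
function foxy_example_fetch_row($wpdb, $id) {
    if (!is_numeric($id)) {
        return null; // caller redirects with a warning
    }
    $table = $wpdb->prefix . 'foxypress_example'; // assumed table name
    $sql = $wpdb->prepare("SELECT * FROM {$table} WHERE id = %d", (int) $id);
    return $wpdb->get_row($sql); // null when no row matches (fix #5 cases 2/3)
}

// Fix #5, case 1: ORDER BY column and direction cannot be bound as query
// parameters, so both are taken from a fixed list, never from the request.
function foxy_example_order_clause(string $column, string $direction): string {
    $columns = ['id', 'name', 'created']; // assumed column names
    $dirs = ['ASC', 'DESC'];
    $column = in_array($column, $columns, true) ? $column : 'id';
    $direction = strtoupper($direction);
    $direction = in_array($direction, $dirs, true) ? $direction : 'ASC';
    return "ORDER BY {$column} {$direction}";
}

// Example of the redirect-on-invalid behaviour described in #3 and #5.
function foxy_example_handle_request($wpdb, array $request): void {
    $row = foxy_example_fetch_row($wpdb, $request['id'] ?? '');
    if ($row === null) {
        wp_safe_redirect(add_query_arg('foxy_warning', 'not_found', admin_url()));
        exit;
    }
    $order = foxy_example_order_clause($request['orderby'] ?? '', $request['order'] ?? '');
    // ... build the page using $row and $order ...
}
```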
With all of this said, we appreciate your patience while we fix these issues, and we should have another update out shortly that addresses the rest of them. Please upgrade to the latest version of FoxyPress, 0.4.2.6, from the WordPress repository or through the upgrade in WordPress.