Possible security issue

#8659
  • Resolved Jack Lavender
    Rank Math free

    I use a product called Defender Pro from WPMUDEV. It does a regular file scan looking for potential security weaknesses. Today, it identified two issues in DataBuilder.php. Specifically, it states:

    “The function extract line 692 column 13 execute using unsanitize user inputs.” Here are the lines in question:

    691 if (!empty($_SERVER['HTTP_FORWARDED'])) {
    692 extract($this->parseForwardedString($_SERVER['HTTP_FORWARDED']));
    693 }

    “The function extract line 717 column 13 execute using unsanitize user inputs.” Here are the lines in question:

    716 if (!empty($_SERVER['HTTP_FORWARDED'])) {
    717 extract($this->parseForwardedString($_SERVER['HTTP_FORWARDED']));
    718 }

    Thoughts?

    Jack
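    For anyone trying to judge the scanner's finding: the risk with extract() on a parsed request header is that every key the parser returns becomes a local variable, so a hostile header can shadow variables the surrounding code relies on. The following is an added illustration, not Rank Math's or Rollbar's code, and it does not reproduce parseForwardedString(); it parses an RFC 7239 Forwarded header into an allow-listed array and reads the fields by name, with the constructed sample header and all function names being assumptions of this example.

    ```php
    <?php
    // Added example (not Rank Math's or Rollbar's code). Parse an RFC 7239
    // Forwarded header into an allow-listed array and read it explicitly
    // instead of extract()ing whatever keys the header happens to contain.

    // Constructed sample: a legitimate element followed by a hostile "config" key.
    $sample = 'for="[2001:db8::1]:4711";proto=https;config=x, for=198.51.100.17;host=example.com';

    function parseForwardedHeader(string $header): array {
        $allowed = ['for', 'by', 'host', 'proto'];   // the four RFC 7239 parameters
        $hops = [];
        foreach (explode(',', $header) as $element) {   // one element per proxy hop
            $hop = [];
            foreach (explode(';', $element) as $pair) {
                if (strpos($pair, '=') === false) { continue; }
                [$name, $value] = explode('=', $pair, 2);
                $name = strtolower(trim($name));
                if (!in_array($name, $allowed, true)) { continue; }  // drop unknown keys
                $value = trim($value);
                if (strlen($value) >= 2 && $value[0] === '"' && substr($value, -1) === '"') {
                    $value = stripslashes(substr($value, 1, -1));   // unquote quoted-string
                }
                $hop[$name] = $value;
            }
            if ($hop !== []) { $hops[] = $hop; }
        }
        return $hops;
    }

    $hops = parseForwardedHeader($sample);
    // Fields are read by name; nothing in the header can become a local variable.
    $clientAddr = $hops[0]['for']   ?? null;   // "[2001:db8::1]:4711"
    $proto      = $hops[0]['proto'] ?? null;   // "https"
    var_dump(isset($hops[0]['config']));       // bool(false): the unknown key was dropped

    // For contrast, the pattern the scanner flagged: with an unfiltered parser,
    // extract() turns every key in the header into a variable in this scope.
    $config = 'trusted';
    extract(['for' => '198.51.100.17', 'config' => 'x']);  // $config is now "x"
    extract(['config' => 'y'], EXTR_SKIP);                  // EXTR_SKIP refuses to overwrite
    ```

    If extract() must stay, EXTR_SKIP or EXTR_PREFIX_ALL limits the damage, but explicit key reads as above are the cleaner fix.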

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hello,

    Thank you for contacting Rank Math and sorry for any inconvenience that might have been caused due to that.

    I have just raised this issue with our dev team and we will be getting back to you in a short while to help further.

    Looking forward to helping you. Thank you.


    Hi, I’m having the exact same issue so I’m subscribing to this post.

    The file is: public_html/wp-content/plugins/seo-by-rank-math/vendor/rollbar/rollbar/src/DataBuilder.php

    Thanks

    • This reply was modified 4 years, 10 months ago by Ghislain Malardier. Reason: add file path

    Hi there,

    Thanks for the follow up.

    We fixed the data sanitization issues in version 1.0.27.2.
    Please help us check whether the same warning will be reported after purging your site cache and scanning your site once again.

    We are looking forward to helping you. Thank you.

    I’m running 1.0.27.4 and I still see the error.

    Hi, same here, latest version installed, but still the warning.

    If the warning is a false positive, then I will disregard it, but as it is on a client website, I just need to be sure.

    Thank you.

    Hi Jack,

    We might need to take a closer look at the settings. Please edit the first post on this ticket and include your WP logins in the designated Sensitive Data section.

    It is completely secure and only our support staff has access to that section. If you want, you can use the below plugin to generate a temporary login URL to your website and share that with us instead:

    https://wordpress.org/plugins/temporary-login-without-password/

    You can use the above plugin in conjunction with the WP Security Audit Log to monitor what changes our staff might make on your website (if any):

    https://wordpress.org/plugins/wp-security-audit-log/

    We really look forward to helping you.

    Hello,

    Since we did not hear back from you for 15 days, we are assuming that you found the solution. We are closing this support ticket.

    If you still need assistance or any other help, please feel free to open a new support ticket, and we will be more than happy to assist.

    Thank you.


The ticket ‘Possible security issue’ is closed to new replies.