Warning: old version
This recommendation applies to version 2.5 of this plugin, but the most recent version is 2.10. These findings may no longer be correct.
- Trusts the value of […] as a source for the user’s IP address. This means that if the server does not strip or replace that value before passing it to PHP, unauthenticated users can insert arbitrary strings into the IP address field of the logs.
- Note that the IP address field is created as `varchar(17)`, so most unauthenticated users connecting to the site via IPv6 will not have their IP addresses recorded in the database.
- The above two issues are probably not security issues so long as the logs generated by this plugin are not used for security purposes
- Contains a “pass through” mode where the plugin makes an HTTP request to a target URL and then displays the returned content as HTML. It is unclear what utility this feature serves, and it allows admins to seriously compromise the security of the site by including arbitrary HTML from potentially untrusted third parties
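The first two findings above (a client-controlled value used as the logged IP address, and a `varchar(17)` column that cannot hold most IPv6 literals) can be addressed together. The following is an added example and not the plugin's own code: it derives the address to log from `REMOTE_ADDR`, honours a forwarding header only when the direct peer is a proxy the operator lists, validates the result, and sizes the column for IPv6. The page does not name the header the plugin trusts; the example assumes the common `X-Forwarded-For`, and `$trusted_proxies` is a hypothetical site configuration. The request arrays are constructed sample values.

```php
<?php
// Added example (not the plugin's code): pick a loggable client address
// without trusting a client-controlled header, and size the column for IPv6.
// Assumes the site operator lists any reverse proxies in $trusted_proxies
// (hypothetical configuration) and that those proxies append the peer
// address to X-Forwarded-For, as Apache and nginx do.

declare(strict_types=1);

/**
 * Return the client address to log, or null if none can be trusted.
 *
 * REMOTE_ADDR is set by the web server from the TCP connection and cannot be
 * chosen by the client. A forwarding header is used only when the direct peer
 * is a proxy we operate, and even then only after validating the value, so
 * arbitrary strings never reach the log's IP field.
 */
function client_ip_for_log(array $server, array $trusted_proxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (!in_array($remote, $trusted_proxies, true)) {
        // Direct connection: any forwarding header is attacker-controlled and ignored.
        return $remote;
    }
    // Behind a trusted proxy: take the value the proxy appended (the last hop),
    // not the first, because a client can pre-seed the header with anything.
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_map('trim', explode(',', $xff));
    $candidate = end($hops);
    return filter_var($candidate, FILTER_VALIDATE_IP) === false ? $remote : $candidate;
}

// Column sizing: an IPv6 literal is up to 39 characters, and 45 with an
// IPv4-mapped suffix such as ::ffff:192.0.2.1, so varchar(17) cannot hold it.
const IP_COLUMN_DDL = 'ip_address varchar(45) NOT NULL';

/** True if the textual address fits a column of the given width. */
function fits_column(string $ip, int $width): bool
{
    return strlen($ip) <= $width;
}

$trusted = ['10.0.0.5'];

// Constructed requests (sample values, not real traffic).
$direct  = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5',     'HTTP_X_FORWARDED_FOR' => 'not-an-address, 2001:db8::1'];

var_dump(client_ip_for_log($direct, $trusted));
var_dump(client_ip_for_log($proxied, $trusted));
var_dump(fits_column('2001:db8::1', 17));
var_dump(fits_column('2001:0db8:85a3:0000:0000:8a2e:0370:7334', 17));
var_dump(fits_column('2001:0db8:85a3:0000:0000:8a2e:0370:7334', 45));
```

Whether an over-long address is silently truncated or rejected depends on the MySQL SQL mode: in strict mode the insert fails and the row is not written, otherwise the value is cut to 17 characters. Either way the logged address is useless for the affected IPv6 clients, which is why the column width matters as much as the source of the value.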
Reason for the 'Use with caution' result
The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:
Allows admin users to embed arbitrary HTML from any third party with a website, without providing any warning about how dangerous this feature is.
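To make the "pass through" risk concrete, here is an added example (not the plugin's code) showing the unsafe pattern beside two safer ways of displaying fetched content. The fetched body is a constructed sample standing in for the response of `wp_remote_get()`; `wp_kses_post()` is WordPress's allow-list HTML sanitiser, and the example only calls it when it is defined so the file also runs from the command line.

```php
<?php
// Added example, not the plugin's code: remote content rendered as raw HTML
// (the pattern described above) versus rendered as text or sanitised.

declare(strict_types=1);

// Constructed sample of what an untrusted third-party site might return.
const SAMPLE_FETCHED_BODY = '<p>Today: sunny</p>'
    . '<script>alert("runs with the site\'s origin")</script>'
    . '<img src="x" onerror="alert(1)">';

/**
 * Unsafe form: the remote body becomes part of the page's DOM, so any script
 * or event handler it carries executes as the site itself, for every visitor.
 */
function passthrough_unsafe(string $fetched_body): string
{
    return $fetched_body;
}

/**
 * Safe form when the content only needs to be shown: escape it so the browser
 * displays the markup literally and parses none of it.
 */
function passthrough_as_text(string $fetched_body): string
{
    return htmlspecialchars($fetched_body, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * If rendering real HTML from the remote site is a genuine requirement, route
 * it through an allow-list sanitiser that strips scripts, event handlers and
 * dangerous URLs. In WordPress that is wp_kses_post(); outside WordPress this
 * example falls back to text rendering rather than emit the raw body.
 */
function passthrough_sanitised(string $fetched_body): string
{
    if (!function_exists('wp_kses_post')) {
        return passthrough_as_text($fetched_body);
    }
    return wp_kses_post($fetched_body);
}

echo "unsafe:    ", passthrough_unsafe(SAMPLE_FETCHED_BODY), PHP_EOL;
echo "as text:   ", passthrough_as_text(SAMPLE_FETCHED_BODY), PHP_EOL;
echo "sanitised: ", passthrough_sanitised(SAMPLE_FETCHED_BODY), PHP_EOL;
```

The point of the comparison is that the unsafe form delegates the site's security to whoever controls the target URL, now and in the future; the other two keep control on the site's side regardless of what the remote host returns.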
Read more about our failure criteria.
Lack of proper output escaping
We conduct these inspections for our own use, and publish them in the hope that they may be useful to others. We don't guarantee that these findings are correct.
Please read this site's terms of service before taking any action based on information published here.
- Tom Adams
- Last revised: June 16, 2017
- Versions tested
- Plugin homepage
- Other versions