[Plugin: myEASYbackup] Plugin has a critical vulnerability. Must fix ASAP.

Viewing 3 replies - 1 through 3 (of 3 total)

  • Hi,

    going to release version 0.0.3 in the next 15 minutes. Added the following code at the beginning of meb_download.php

    <br />
$tmp = explode('://', $_SERVER['HTTP_REFERER']);<br />
$path = explode('/', $tmp[1]);<br />
$referer = $path[0];<br />
if(	($_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME'])<br />
		||<br />
	($_SERVER['HTTP_HOST'] != $referer)<br />
		||<br />
	($_SERVER['SERVER_NAME'] != $referer) )<br />
{<br />
	return;<br />
}<br />

    that should fix the issue, can you please confirm?

    Thanks

    Thread Starter Vladimir Garagulya

    (@shinephp)

    Hi,

    I use more simple decision – check if some of WordPress functions or constants is defined, if it doesn’t, then stop execution, e.g.

    if (! defined("WPLANG")) {
  die;  // Silence is golden, direct call is prohibited
}

    your are right, but I needed to avoid the ‘headers already sent’ issue, so had to directly load the page ??

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘[Plugin: myEASYbackup] Plugin has a critical vulnerability. Must fix ASAP.’ is closed to new replies.

Tags