Viewing 5 replies - 1 through 5 (of 5 total)
    Plugin Author Marcus

    (@msykes)

    Hello,

    Firstly, thanks for pointing this out, although I’d have appreciated you contact us directly about a potential security risk, even though you haven’t identified a vulnerability.

    Secondly, I’ll get in touch with the team about this. They have an outdated version of their RIPS running and on another plugin there were some false positives, but that doesn’t mean it’s not worth double-checking or dismissing in any way.

    Plugin Author Marcus (aka @msykes)

    (@netweblogic)

    I’m not sure why but my comments are getting put into the moderator queue.

    I checked the RIPS report (plugin owners have more info about the scan) and the scans are false positives. They report 7 medium (3/5 severity) XSS vulnerabilities which are not exploitable, since they require administrator access and only when a server-generated nonce is provided when submitting a form.

    That said, we’ll probably fix some lines of code to prevent these from potentially becoming false positives in other scanners just to avoid potential confusion.

    Thread Starter Mikko Saari

    (@msaari)

    Well, since this was already public information (though super vague), I didn’t see any problem posting about this on the forums. Especially as I first heard about Coderisk because somebody asked about Relevanssi’s Coderisk score on the Relevanssi support forums…

    I’m still waiting for the verification to pass through so I can see Relevanssi’s reports, but I thought it might be about false alerts or admin-only problems (Relevanssi has some of those as well, but well, if you have a malicious admin in your system, that’s the least of your worries). Good to hear it’s nothing more than that, and quite annoying that a false positive leads to such an ugly score.

    Thanks!

    (Something about RIPS or Coderisk invokes forum moderation, same thing happened to me as well.)

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    Any post that MIGHT reveal a security issue to the general public is moderated because we don’t want to put more people at risk. There are a couple people who think the BEST way to get a security hole fixed is to make it public without talking to the developers first. We ask that if you DO find a security issue with a plugin, tell the developer privately. If you can’t figure out how to do that, email [email protected] and we will for you.

    Plugin Author Marcus (aka @msykes)

    (@netweblogic)

    This, along with other precautionary measures, has been taken in 3.1.9.

    I must stress that nothing we’ve ‘fixed’ has a known vulnerability (if there even is one); they’re just out of an abundance of caution.

    In the case of the aforementioned security scanner, it should help with avoiding the false positive. Having spoken with their team, it turns out they don’t check if nonces are used, which is a recommended way to prevent unauthorized actions.
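As an added illustration of the nonce-plus-capability pattern the last reply refers to (this is example code written for this page, not code from the plugin discussed here nor from RIPS/Coderisk): a WordPress settings form whose reflected value only ever comes from a request that has passed both `current_user_can()` and `check_admin_referer()`. A scanner that follows the data flow from `$_POST` to output without modelling those two checks will flag exactly this kind of admin-only, nonce-protected form. The `myplugin_` function names, the option name and the nonce action string are made up for the example.

```php
<?php
// Added example (not the plugin's own code). Every "myplugin_" name, the
// option key and the nonce action string are assumptions for illustration.

// Render the settings page. Only users holding manage_options reach this,
// because that capability is passed to add_options_page() below.
function myplugin_render_settings_page() {
    $saved = get_option( 'myplugin_label', '' );
    ?>
    <div class="wrap">
        <h1>My Plugin Settings</h1>
        <?php settings_errors( 'myplugin' ); ?>
        <form method="post" action="">
            <?php
            // Emits a hidden field carrying a server-generated nonce tied to
            // this action and to the logged-in user's session.
            wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' );
            ?>
            <label for="myplugin_label">Label</label>
            <input type="text" id="myplugin_label" name="myplugin_label"
                   value="<?php echo esc_attr( $saved ); ?>" />
            <?php submit_button( 'Save' ); ?>
        </form>
    </div>
    <?php
}

// Handle the POST. Both checks matter: the capability check stops
// non-administrators, and the nonce check stops a third-party page from
// submitting the form on a logged-in admin's behalf (CSRF). Without the
// nonce, an attacker could not reach the echo in the render function at
// all, which is why a flow-only scanner reports a finding that is not
// reachable by an unauthenticated user.
function myplugin_handle_settings_post() {
    if ( ! isset( $_POST['myplugin_label'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() verifies the nonce field and calls wp_die()
    // on failure, so nothing below runs for a forged request.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    // Sanitize on input, escape on output: even admin-supplied values are
    // stored clean and escaped with esc_attr() when rendered above.
    $label = sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) );
    update_option( 'myplugin_label', $label );
    add_settings_error( 'myplugin', 'saved', 'Settings saved.', 'updated' );
}

function myplugin_register_settings_page() {
    add_options_page(
        'My Plugin',
        'My Plugin',
        'manage_options',
        'myplugin-settings',
        'myplugin_render_settings_page'
    );
}
add_action( 'admin_menu', 'myplugin_register_settings_page' );
add_action( 'admin_init', 'myplugin_handle_settings_post' );
```

The point for anyone reading a scanner report against code like this is the order of the checks: the capability test answers "who", the nonce test answers "did this request originate from a form we served to that user", and the escaping on output answers "is the stored value safe to print". A report that ignores the first two is measuring reachability wrong, which is the false-positive situation described in this thread.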

The topic ‘RIPS Coderisk score 100’ is closed to new replies.