Sakthivel
Forum Replies Created
Hi @wfpeter,
I have been using this plugin for more than one month, but recent ZAP tool reports show that a path traversal attack is possible.
I have already enabled the necessary options to prevent path traversal in the plugin.
Can you please tell me how to fix this issue by custom code or using your plugin?
Regards,
Saravanan

Hi @wfpeter,
I tried the above method. Wordfence learning mode is not fixing my problem. I am still getting the same error while updating the PHP file. When I comment out the session code, updating the PHP file works fine. Is there any other way to fix it?
Regards,
Saravanan
- This reply was modified 3 years, 1 month ago by Sakthivel.

Hi @wfpeter,
I have sent the diagnostics reports to the above-mentioned email.
Please check and share your thoughts about the performance issue & data consumption.
Regards,
Saravanan

Hi @wfpeter,
Thanks for the reply.
Can you please share more technical details? How does it prevent a path traversal attack?
Also, please tell me what the use of the below code in the htaccess file is.

    # Wordfence WAF
    <IfModule mod_php5.c>
        php_value auto_prepend_file '/var/www/html/example/wordfence-waf.php'
    </IfModule>
    <IfModule mod_php7.c>
        php_value auto_prepend_file '/var/www/html/example/wordfence-waf.php'
    </IfModule>
    <IfModule mod_php.c>
        php_value auto_prepend_file '/var/www/html/example/wordfence-waf.php'
    </IfModule>
    <Files ".user.ini">
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order deny,allow
            Deny from all
        </IfModule>
    </Files>

Thanks,
Sakthivel
- This reply was modified 3 years, 3 months ago by Sakthivel.

Hi @sasiddiqui,
I have updated the plugin; now there is no such issue, and you have provided great features. Thank you, we expect more security features in this plugin.
Regards,
Saravanan

Hi @mbis,
Thanks for your reply,
While adding my code in function.php, I am facing an issue in the admin window while previewing the report, but on the client side everything works well.
Thanks,
Saravanan

In my WordPress site, we have a remote OS command injection issue reported by the ZAP tool. To fix the issue, I have written the code above. I guess you may have an idea to fix the issue. I just want to confirm: will removing the ‘p’ parameter from the URL cause any issue?
https://ibb.co/gVCTzYg
Regards,
Saravanan

Hi @sasiddiqui,
Thanks for your suggestion. I used the below directives in the htaccess file. It worked for me; I have verified it on my side. Can you please confirm whether removing these parameters from the URL will cause any problem?

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{QUERY_STRING} ^ver=[^&]+&?(.*) [NC,OR]
        RewriteCond %{QUERY_STRING} ^p=[^&]+&?(.*) [NC]
        RewriteRule ^ %{REQUEST_URI}?%1 [R=302,L]
    </IfModule>

Regards,
Saravanan

Forum: Plugins
In reply to: [Contact Form 7] CSRF token enable with contact form 7

Hi All,
We need to implement CSRF tokens for contact forms to fix the ZAP tool issue.
The ZAP tool reports this issue on more than 527 pages. Please share an idea to fix it; alternate solutions are welcome.
Regards,
Saravanan