Changeset 1759697

Timestamp:
11/06/17 21:10:12 (3 months ago)
Author:
glen_scott
Message:

Added option to ignore the 'WordPress 2.3-4.8.3 - Host Header Injection in Password Reset' vulnerability

Location:
plugin-security-scanner/trunk
Files:
2 edited

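--- a/plugin-security-scanner/trunk/plugin-security-scanner.php
+++ b/plugin-security-scanner/trunk/plugin-security-scanner.php
@@ -5,5 +5,5 @@
  * Plugin URI: http://www.glenscott.co.uk/plugin-security-scanner/
  * Description: This plugin determines whether any of your plugins have security vulnerabilities.  It does this by looking up details in the WPScan Vulnerability Database.
- * Version: 1.5.0
+ * Version: 1.5.1
  * Author: Glen Scott
  * Author URI: http://www.glenscott.co.uk
@@ -55,4 +55,6 @@
     add_settings_field( 'plugin-security-scanner-webhook-notification', __( 'Webhook Notification', 'plugin-security-scanner' ),
     'plugin_security_scanner_webhook_notification_field', 'general', 'plugin-security-scanner-section' );
+    add_settings_field( 'plugin-security-scanner-ignore-8807', __( 'Ignore', 'plugin-security-scanner' ),
+    'plugin_security_scanner_ignore_8807_field', 'general', 'plugin-security-scanner-section' );
 
     if ( false === get_option( 'plugin-security-scanner' ) ) {
@@ -60,5 +62,6 @@
              'email_notification' => '1',
              'webhook_notification' => '0',
-             'webhook_notification_url' => '') );
+             'webhook_notification_url' => '',
+             'ignore_8807' => '0') );
     } else {
         $options = get_option( 'plugin-security-scanner' );
@@ -76,4 +79,9 @@
         if (false == array_key_exists('webhook_notification_url', $options)){
             $options['webhook_notification_url'] = '';
+            update_option( 'plugin-security-scanner', $options );
+        }
+
+        if (false == array_key_exists('ignore_8807', $options)){
+            $options['ignore_8807'] = '0';
             update_option( 'plugin-security-scanner', $options );
         }
@@ -124,5 +132,14 @@
 }
 
+function plugin_security_scanner_ignore_8807_field() {
+    $options = get_option( 'plugin-security-scanner' );
+
+    echo '<input type="checkbox" id="plugin-security-scanner-ignore-8807" name="plugin-security-scanner[ignore_8807]" value="1"' . checked( 1, $options['ignore_8807'], false ) . '/>';
+    echo '<label for="plugin-security-scanner-ignore-8807">Ignore <em>WordPress 2.3-4.8.3 - Host Header Injection in Password Reset</em> -- <strong>Warning:  please make sure you server is not vulnerable before ticking this box (<a href="https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html">see solution section</a>)</strong></label>';
+}
+
 function get_vulnerable_plugins() {
+    $options = get_option( 'plugin-security-scanner' );
+
     $vulnerabilities = array();
 
@@ -145,4 +162,7 @@
             if ( isset( $version->$version_raw->vulnerabilities ) ) {
                 foreach ( $version->$version_raw->vulnerabilities as $vuln ) {
+                    if ('1' == $options['ignore_8807'] && $vuln->id == 8807) {
+                        continue;
+                    }
                     $vulnerabilities[$version_raw][] = $vuln;
                 }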
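Review bot: The suppression test at new line 164 reads `$options['ignore_8807']` unguarded, and the same unguarded read is at new line 137; when the checkbox is submitted unchecked the settings form sends no `plugin-security-scanner[ignore_8807]` field, so the saved array can presumably lack the key until the `array_key_exists` backfill at new lines 84-86 runs again, which would raise an undefined-index notice on a scan in between. A guarded, strict form avoids both that notice and the loose `==` on each operand: `if ( ! empty( $options['ignore_8807'] ) && 8807 === (int) $vuln->id ) {`. Since this silently drops a specific published finding from the results, it would help operators if the skipped entry were counted or noted in the scan output rather than vanishing, so an ignored finding stays visible in reports; a named constant for the id 8807, which now appears in the option key, the settings field and the filter, would keep the three in step. The label text at new line 138 also has a typo, `you server` should read `your server`. The enclosing loop of get_vulnerable_plugins() continues outside the hunk.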
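--- a/plugin-security-scanner/trunk/readme.txt
+++ b/plugin-security-scanner/trunk/readme.txt
@@ -3,5 +3,5 @@
 Tags: plugins,security,scanner,vulnerabilities,secure
 Tested up to: 4.8
-Stable tag: 1.5.0
+Stable tag: 1.5.1
 License: GPLv2 or later
 
@@ -30,4 +30,7 @@
 
 == Changelog ==
+
+= 1.5.1 =
+* Added option to ignore 'WordPress 2.3-4.8.3 - Host Header Injection in Password Reset' vulnerability
 
 = 1.5.0 =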