Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. WordPress (Developer)
  3. Wordpress apps: authLdap plugin Cross-Site Request Forgery

Wordpress apps: authLdap plugin Cross-Site Request Forgery

Scheduled Pinned Locked Moved WordPress (Developer)
4 Posts 3 Posters 662 Views 3 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • imc67I Offline
    imc67I Offline
    imc67
    translator
    wrote on last edited by
    #1

    https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/authldap/authldap-258-cross-site-request-forgery

    There is no patch available can @girish or @nebulon advise on this?

    1 Reply Last reply
    1
    • girishG Offline
      girishG Offline
      girish
      Staff
      wrote on last edited by
      #2

      @imc67 Upstream author is aware but has no details to work with - https://github.com/heiglandreas/authLdap/issues/237 . I have posted your link in the issue.

      1 Reply Last reply
      0
      • imc67I Offline
        imc67I Offline
        imc67
        translator
        wrote on last edited by
        #3

        There is a new version with one of two issues patched

        jdaviescoatesJ 1 Reply Last reply
        4
        • imc67I imc67

          There is a new version with one of two issues patched

          jdaviescoatesJ Offline
          jdaviescoatesJ Offline
          jdaviescoates
          wrote on last edited by
          #4

          @imc67 said in Wordpress apps: authLdap plugin Cross-Site Request Forgery:

          There is a new version with one of two issues patched

          And I note that the other issue "only impacts multi-site installations and installations where unfiltered_html has been disabled."

          As per https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/authldap/authldap-258-authenticated-administrator-stored-cross-site-scripting

          Also from that page, it sounds like it is only people who are already logged in Admins and above could take advantage of it:

          makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

          So if you trust your Admins it doesn't really seem to be an issue (in my case this is normally only me and I both trust myself and don't have the tech skills to take advantage of this potential exploit), hence why the author of the authLDAP plugin doesn't seem to bothered by it.

          I use Cloudron with Gandi & Hetzner

          1 Reply Last reply
          0
          Reply
          • Reply as topic
          Log in to reply
          • Oldest to Newest
          • Newest to Oldest
          • Most Votes


          • Login

          • Don't have an account? Register

          • Login or register to search.
          • First post
            Last post
          0
          • Categories
          • Recent
          • Tags
          • Popular
          • Bookmarks
          • Search