Support

Home Forums Event Espresso Premium Security Scanner fails & sayin website is vulnerable to SQL injection attacks.

Security Scanner fails & sayin website is vulnerable to SQL injection attacks.

Posted: September 17, 2012 at 11:43 am

Viewing 6 reply threads


Khalifa Alshammiry

September 17, 2012 at 11:43 am

Our Site is hosted in Godaddy.com and it inform that our site is failed form the security scan and vulnerable to SQL injections. I have installed the wordpress firewall as well still same result. here is the error message. Please advise on this. Thank you.

Using the POST HTTP method, Site Scanner found that : + The following resources may be vulnerable to SQL injection : + The ‘regevent_action’ parameter of the / CGI : /?page_id=164 [regevent_action=post_attendee] -–|-–|– output -–|-–|– Warning: Invalid argument supplied for foreach() in /ho […]

**WordPress database error: [You hav e an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘) ORDER BY q.id ASC’ at line 7] SELECT q.*, qg.group_name
FROM wp_events_question q

  • This topic was modified 12 years, 3 months ago by Seth Shoultes. Reason: Moving to premium forums


Chris

September 17, 2012 at 2:59 pm

6 Scan Pro didn’t find anything like this. I’m linking it here but I don’t recommend getting it.
http://6scan.com/features

I’m thinking you have some mal-formed code in there. Also try this scanner;
http://sitecheck.sucuri.net/scanner/

It could be in a external file, Sucuri lists the links.


Seth Shoultes

  • Support Staff

September 17, 2012 at 5:02 pm

@Khalifa Alshammiry Looks like the security scan is failing because of the SQL error that is being displayed on your site. Most like the error is being displayed because the scanner is not passing the required post vars to register an attendee or you are running an outdated version of Event Espresso and it cannot retrieve the question groups from the database.


Khalifa Alshammiry

September 17, 2012 at 9:33 pm

@ Chris:Thank you for your support. I’ll try that scanner too

@Seth: It’ cant be a outdated version as we purchased and installed the pro version about 2 weeks back (version 3.1.26.p). According to you there is Sql error. As we didn’t handle any sql statement it should be due to error from the plugin.. is that right? can you tell me how to fix this.
Thank you


Seth Shoultes

  • Support Staff

September 17, 2012 at 10:14 pm

Not sure. Since you are using a new version, you shouldn’t be getting that error, unless maybe something is not set up correctly in your event. If that was the case, you would see it on the front-end of the website. Honestly, I think that the scanner may not be passing the required information to whatever files it is scanning, therefore it is showing an SQL error. In that case the SQL error that is displayed is not a bug and is there by design (using the WordPress $wpdb->show_errors() class) to show what is wrong so that a developer can fix it. It is not showing any secure data or database access information.


Khalifa Alshammiry

October 24, 2012 at 10:31 am

Hi,
I’m still having the same issue about failure in the security scanner. Issue is not solved yet. Can somebody from plugin development team help me on this
Thank you,


Chris Reynolds

  • Support Staff

November 4, 2012 at 10:13 am

@Khalifa Seth is the original author of Event Espresso and one of the lead project managers and developers on the project. It sounds like you have a couple different issues that are fighting with each other. The first seems to be that the database tables were not created successfully. We have seen countless database issues in the past on GoDaddy shared servers so, honestly, this doesn’t surprise me at all. It is for this reason that we have a note on our requirements page that Event Espresso may not work properly on GoDaddy serves.

The second issue is the security issue. This is also fairly common as GoDaddy is often targeted and made vulnerable to malicious scripts. These scripts can inject code into your wp-config.php file, plugin files, theme files, as well as creating new files throughout your installation. Some of these files could be picked up by automated scanners, but — having worked through many of these in the past personally — that’s not always the case. The best solution is to wipe all the WordPress files and do a completely fresh install and reupload/install all your plugins or manually go through every directory to see if there is anything out of place. In the second option, you’ll want to manually check your wp-config.php file and your theme’s functions.php file to see if there is any bas64-encoded or other unrecognized code in there. I would also recommend moving away from GoDaddy to one of our recommended providers due to these (and other) issues.

Viewing 6 reply threads

The support post ‘Security Scanner fails & sayin website is vulnerable to SQL injection attacks.’ is closed to new replies.

Have a question about this support post? Create a new support post in our support forums and include a link to this existing support post so we can help you.

Event Espresso