
Great Plugin! Please issue a security fix! #315

Closed
JLoRenderer opened this issue Jan 9, 2024 · 4 comments

Comments

@JLoRenderer

JLoRenderer commented Jan 9, 2024

https://patchstack.com/database/vulnerability/nginx-helper/wordpress-nginx-helper-plugin-2-2-3-sensitive-data-exposure-vulnerability

@jordantrizz

Here to also say the same, hopefully this issue gets traction.

@gagan0123
Member

gagan0123 commented Jan 12, 2024

@JLoRenderer @jordantrizz

We have confirmed that the concern raised was not a security issue, and at no point was there any compromise to the sites using the Nginx Helper plugin.

Following our detailed communication, Patchstack has re-evaluated the situation and has accordingly removed the entry from their database.

Therefore, we are closing this issue. Thank you for your attention to this matter.

@jordantrizz

Thanks, can you please elaborate on what was reported and why it's not a security issue, just for transparency's sake?

@gagan0123
Member

@jordantrizz

To shed more light on the issue, a concern was initially reported to Patchstack about our plugin's logging functionality. After investigation, we clarified to Patchstack that the logging feature of our plugin, when enabled, does not record sensitive information. Instead, it only logs routine activities like the purging of specific URLs from the cache. This information is standard for operational logs when debugging and does not pose a security risk or contain any sensitive information.

Also, our plugin requires explicit action from an administrator account to activate logging, and by default, it does not generate or expose any data. Furthermore, in our extensive testing with various respected hosting providers, we found that they already have measures in place to block public access to all log files, adding an additional layer of security.

Based on the detailed information and analysis we provided, Patchstack reassessed the report and concluded that it was not a security issue. Consequently, they have removed the entry from their database.

We understand the importance of security to our users and assure you that we uphold the highest standards in safeguarding our plugin. Your trust in our commitment to security is invaluable, and we remain dedicated to transparent communication about any such concerns.

If you have further questions or need more information, please feel free to reach out to us.
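As an added illustration of the log-file blocking the maintainer describes hosting providers applying, here is an example nginx server block that refuses web access to any `*.log` file under the WordPress document root. This is example configuration written for this thread, not part of the Nginx Helper project; the document root, server name and PHP-FPM socket path are assumptions, and the plugin's own log location is deliberately not assumed.

```nginx
# Added example, not the Nginx Helper project's configuration.
# Assumed: WordPress lives in /var/www/example.com and PHP-FPM listens on
# /run/php/php-fpm.sock. Adjust both for a real deployment.
server {
    listen 80;
    server_name example.com;
    root /var/www/example.com;
    index index.php;

    # Refuse every request for a path ending in .log, wherever it sits under
    # root, so a debug log written into a web-readable directory is never
    # served. "return 404" (rather than "deny all", which answers 403) also
    # avoids confirming to the requester that such a file exists.
    location ~* \.log$ {
        return 404;
    }

    # The uploads tree is writable by WordPress, so files a plugin writes there
    # must never be executed as PHP even if a .php name ends up inside it.
    location ~* ^/wp-content/uploads/.*\.php$ {
        return 404;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Regex locations are tried in file order; the .log and uploads rules above
    # therefore take precedence over this generic PHP handler.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

After reloading nginx, a request for any `.log` path under the site should answer 404 regardless of whether the file exists on disk, which is the behaviour to verify in a staging environment.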
