rtCamp / nginx-helper

Nginx Helper for WordPress caching, permalinks & efficient file handling in multisite
https://wordpress.org/plugins/nginx-helper/

Great Plugin! Please issue a security fix! #315

Closed JLoRenderer closed 5 months ago

JLoRenderer commented 5 months ago

https://patchstack.com/database/vulnerability/nginx-helper/wordpress-nginx-helper-plugin-2-2-3-sensitive-data-exposure-vulnerability

jordantrizz commented 5 months ago

Here to also say the same, hopefully this issue gets traction.

gagan0123 commented 5 months ago

@JLoRenderer @jordantrizz

We have confirmed that the concern raised was not a security issue, and at no point was there any compromise to the sites using Nginx Helper plugin.

Following our detailed communication, Patchstack has re-evaluated the situation and has accordingly removed the entry from their database.

Therefore, we are closing this issue. Thank you for your attention to this matter.

jordantrizz commented 5 months ago

Thanks, can you please elaborate on what was reported and why it's not a security issue. Just for transparency's sake?

gagan0123 commented 5 months ago

@jordantrizz

To shed more light on the issue, a concern was initially reported to Patchstack about our plugin's logging functionality. After investigation, we clarified to Patchstack that the logging feature of our plugin, when enabled, does not record sensitive information. Instead, it only logs routine activities like the purging of specific URLs from the cache. This information is standard for operational logs when debugging and does not pose a security risk or contain any sensitive information.

Also, our plugin requires explicit action from an administrator account to activate logging, and by default, it does not generate or expose any data. Furthermore, in our extensive testing with various respected hosting providers, we found that they already have measures in place to block public access to all log files, adding an additional layer of security.

Based on the detailed information and analysis we provided, Patchstack reassessed the report and concluded that it was not a security issue. Consequently, they have removed the entry from their database.

We understand the importance of security to our users and assure you that we uphold the highest standards in safeguarding our plugin. Your trust in our commitment to security is invaluable, and we remain dedicated to transparent communication about any such concerns.

If you have further questions or need more information, please feel free to reach out to us.
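The maintainer's reply above leans on hosts blocking public HTTP access to log files. The following is an added example of what that measure looks like in an Nginx server block; it is not part of the nginx-helper project or of this thread. It assumes the WordPress root is the server's document root and that any plugin or upload logs live somewhere below `/wp-content/`; the path pattern is a placeholder to adjust to where your installation actually writes logs.

```nginx
# Added example (not nginx-helper project code): block direct HTTP
# access to any *.log file below wp-content.
# Assumption: the WordPress install is the document root and log files,
# if any, are written under /wp-content/ (placeholder path, adjust).
server {
    # ... existing listen / server_name / root / php handling ...

    # Regex locations are matched in order of appearance, so keep this
    # block above any other regex location (e.g. the \.php$ handler).
    # Returning 404 rather than 403 avoids confirming that a log file
    # exists at that path.
    location ~* ^/wp-content/.*\.log$ {
        return 404;
        access_log off;
        log_not_found off;
    }
}
```

After reloading the configuration (`nginx -t && nginx -s reload`), a request such as `curl -sI https://example.com/wp-content/uploads/placeholder.log` should return `404` regardless of whether the file exists; the same request against a path you know is present is the quickest way to confirm the location block is ordered ahead of the PHP handler.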