Plugin inspection:

Redirection

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

This recommendation applies to version 2.5 of this plugin, but the most recent version is 5.4.2. These findings may no longer be correct.

Findings

  • Trusts the value of $_SERVER['HTTP_X_FORWARDED_FOR'] as a source for the user’s IP address. This means that if the server does not strip or replace that value before passing it to PHP, unauthenticated users can insert arbitrary strings into the IP address field of the logs.
  • Note that the IP address field is created as varchar(17), so most unauthenticated users connecting to the site via IPv6 will not have their IP addresses recorded in the database.
  • The above two issues are probably not security issues so long as the logs generated by this plugin are not used for security purposes.
  • Contains a “pass through” mode where the plugin makes an HTTP request to a target URL and then displays the returned content as HTML. It is unclear what utility this feature serves, and it allows admins to seriously compromise the security of the site by including arbitrary HTML from potentially untrusted third parties.
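A defensive way to resolve the client address for logging that covers the first two findings above (trusting the forwarded header, and the varchar(17) column being too narrow for IPv6). This is an added example, not the plugin's own code; the function name client_ip_for_log, the constant IP_COLUMN_WIDTH and the $trustedProxies configuration array are assumptions.

```php
<?php
// Added example, not code from the Redirection plugin.
// Only honour X-Forwarded-For when the direct peer is a configured
// reverse proxy, and validate the result so that arbitrary strings
// never reach the log column.

// A textual IPv6 address is up to 39 characters (45 for IPv4-mapped
// forms), so a varchar(17) column only ever fits IPv4 addresses.
const IP_COLUMN_WIDTH = 45; // assumed column width for the fixed schema

function client_ip_for_log(array $server, array $trustedProxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // REMOTE_ADDR comes from the TCP connection and is not client-chosen.
    // Unless that peer is a trusted proxy, it is the only value used.
    if (!in_array($remote, $trustedProxies, true)) {
        return filter_var($remote, FILTER_VALIDATE_IP) ?: null;
    }

    // Behind one trusted proxy, the proxy appends the address it saw as
    // the last entry; earlier entries are supplied by the client.
    // (Assumes a single proxy layer; more layers need a right-to-left walk.)
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_map('trim', explode(',', $xff));
    $candidate = end($hops);

    // Reject anything that is not a literal IP: no hostnames, no markup,
    // no log-injection text.
    return filter_var($candidate, FILTER_VALIDATE_IP) ?: null;
}

function fits_log_column(?string $ip): bool
{
    return $ip !== null && strlen($ip) <= IP_COLUMN_WIDTH;
}

// Constructed sample requests (documentation ranges, not real hosts).
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => 'spoofed-value, 198.51.100.9',
];
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => 'spoofed-value, 2001:db8::1',
];
$trusted = ['10.0.0.2'];

var_dump(client_ip_for_log($direct, $trusted));   // header ignored: not via proxy
var_dump(client_ip_for_log($proxied, $trusted));  // last hop taken, IPv6 kept
var_dump(fits_log_column(client_ip_for_log($proxied, $trusted)));
```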

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

Allows admin users to embed arbitrary HTML from any third party with a website, without providing any warning about how dangerous this feature is.

Failure criteria

  • Lack of proper output escaping

Read more about our failure criteria.