Vulnerable Codes

Every time I purchase a file, I have to do a full source code audit before I can use the file, and every time I find one or many vulnerable points. SQL injection, even in 2017.
Team at Envato, I am happy to volunteer as a Security Auditor of apps here. I am happy to provide more professional detail about myself.

But please stop accepting files which are hackable. I bought [name removed] today and this script has so many SQL injection points, leaving 900+ buyers under attack.

Hello!

You should always check if the plugin/script you are looking to purchase was updated within the last weeks/months/years… If not, then it’s possible to have SQL injections, as you said.

Regards!

Yes. The reviewer checks SQL during initial upload, but does not check SQL during updates.

An easy way to check if it’s secure is to ask the author if they use prepared statements before buying.

Please check the script name I have referred to; it was updated 31 days back and still has more than 10 SQL injection points.

One could understand missing one or two, but 10, and everywhere? Well, that’s a bad check.

Nobody can check anything here, as it’s a community forum. :slight_smile:

You can let Envato Support know about the vulnerability here: https://help.market.envato.com/hc/en-us/requests/new

I have created a support ticket and am waiting for Envato’s response. But the author is not at all in a situation to accept the vulnerability. This is horrific. I have updated the comment where there is a SQL injection point:

[link removed]

This developer is absolutely at another level. Anyway, I am waiting for the support team to intervene now.

And, sadly said, not everyone is a professional developer, and some will need time to understand how to protect their scripts from SQLi, XSS, CSRF, …

We appreciate that you’ve found some vulnerabilities, but nowadays people are finding them in WordPress, Joomla… and even Chrome or Facebook too.

So the best thing would be to notify the authors about the found vulnerabilities, telling them where they are and how they could work around them.

What about holding courses about security improvements in PHP exclusively for Envato authors? I’m pretty sure a lot of guys would join such a course and learn a lot about object-oriented development using PDO (prepared statements), how to set and generate CSRF tokens and validate them on each request, how to escape output going to the frontend, how to prevent file upload abuse by setting sizes, allowed extensions and a maximum allowed file count, and a lot more…

Our authors would be thankful if they learned something that’s really important nowadays. Attacking them over the fact that it’s possible to have security vulnerabilities - because you know how to write safe code - is the wrong way, in my opinion. Just help each other and you’ll earn a lot back.

Cheers, eliteCode :blush:
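To make the advice in this thread concrete, here is an added example (not code from the thread or from any Envato item) showing the string-concatenation query that causes the SQL injection points discussed above beside its PDO prepared-statement fix, plus the CSRF token check and output escaping the previous post recommends. It uses an in-memory SQLite database with constructed rows, so it runs stand-alone from the command line; the `$_SESSION` array is filled in directly as a stand-in for `session_start()`.

```php
<?php
// Constructed sample database: two users, so a successful injection is visible
// as "all rows returned" instead of "no rows returned".
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$db->exec("INSERT INTO users (name, role) VALUES ('alice','admin'), ('bob','member')");

// VULNERABLE: user input is pasted into the SQL text, so it can change the query.
function findUserVulnerable(PDO $db, string $name): array {
    $sql = "SELECT id, name, role FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: a prepared statement fixes the query structure; the input is bound
// as a value and is never parsed as SQL.
function findUserSafe(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT id, name, role FROM users WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input that closes the string literal in the vulnerable query.
$input = "x' OR '1'='1";
echo "vulnerable: " . count(findUserVulnerable($db, $input)) . " rows\n"; // 2 (every user)
echo "prepared:   " . count(findUserSafe($db, $input)) . " rows\n";       // 0 (no such name)

// CSRF token: generated once per session, embedded in every form, compared on POST.
function csrfToken(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrfValid(?string $submitted): bool {
    return isset($_SESSION['csrf'], $submitted)
        && hash_equals($_SESSION['csrf'], $submitted); // constant-time comparison
}

// Output escaping: user-controlled data never reaches HTML unescaped.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$_SESSION = [];                 // stand-in for session_start() in this CLI demo
$token = csrfToken();
echo '<input type="hidden" name="csrf" value="' . e($token) . '">' . "\n";
var_dump(csrfValid($token));    // bool(true)
var_dump(csrfValid('wrong'));   // bool(false)
```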

Damn. Somehow I haven’t noticed that the thread is already 7 months old. Sorry.