Hi ZabboME Team,
During a thorough security audit of this API, I identified several critical vulnerabilities that put server owners at risk:
RCON Command Injection: Lack of input validation and direct command concatenation allows arbitrary RCON command execution.
SQL Injection: Multiple endpoints interact with the database without using prepared statements.
Cross-Site Scripting (XSS): Alert messages were not properly sanitized.
I have created a Hardened Core version of this API that resolves all these issues, implements strict regex validation, uses PDO prepared statements everywhere, and cleans up the codebase for production.
Fixed Version: groundmanage2022/ZabboAPI-Hardened-Core
I strongly recommend merging these fixes or recommending users switch to the hardened version to protect their servers.
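The three fixes the report names (prepared statements, strict regex validation of RCON input, and escaping of alert text) can be illustrated in PHP as follows. This is an added example, not code from ZabboAPI or the hardened fork; the `players` table, the `:name` column, the RCON allow-list, the argument pattern and the in-memory SQLite database are assumptions made for the illustration.

```php
<?php
// Added illustration, not code from ZabboAPI or the hardened fork.
// Table/column names, the allowed RCON commands and the argument
// pattern are assumptions chosen for this example.
declare(strict_types=1);

// --- SQL: string concatenation (the pattern the report describes)
//         beside the PDO prepared-statement form ---

// Pattern to avoid: caller-controlled text becomes part of the query.
function findPlayerUnsafe(PDO $pdo, string $name): ?array
{
    $row = $pdo->query("SELECT id, name FROM players WHERE name = '" . $name . "'")
               ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: the value is bound as a parameter, never as query text.
function findPlayer(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM players WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- RCON: allow-list the command and validate the argument
//           before the line is assembled ---

const ALLOWED_RCON_COMMANDS = ['kick', 'ban', 'say']; // assumed allow-list

function buildRconCommand(string $command, string $argument): string
{
    if (!in_array($command, ALLOWED_RCON_COMMANDS, true)) {
        throw new InvalidArgumentException('command not permitted');
    }
    // Assumed policy: a short alphanumeric token, so no separators or
    // control characters can reach the RCON line.
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $argument)) {
        throw new InvalidArgumentException('argument fails validation');
    }
    return $command . ' ' . $argument;
}

// --- XSS: escape alert text at the point it is rendered into HTML ---

function renderAlert(string $message): string
{
    return '<div class="alert">'
         . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8')
         . '</div>';
}

// Constructed sample run against an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO players (name) VALUES ('alice')");

var_dump(findPlayer($pdo, 'alice'));          // the row for alice
var_dump(findPlayer($pdo, "alice' OR 1=1"));  // null: the quote is data, not SQL
echo buildRconCommand('kick', 'alice'), "\n";
try {
    buildRconCommand('kick', 'alice; stop');  // rejected by the regex check
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo renderAlert('<b>server restart</b>'), "\n"; // tags arrive escaped
```

The point of each pair is where the boundary sits: the query text, the RCON line and the HTML are fixed by the code, and untrusted values are either bound, validated against an allow-list, or escaped before they reach that boundary.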