CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)
Harry Metcalfe
2014-03-28 12:39:23 UTC
Details
================
Software: WP HTML Sitemap
Version: 1.2
Homepage: http://wordpress.org/plugins/wp-html-sitemap/
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description
================
CSRF vulnerability in WP HTML Sitemap 1.2

Vulnerability
================
A CSRF vulnerability exists which allows an attacker to delete the
sitemap if a logged-in admin user visits a link of the attacker’s choosing.
Line 202 of inc/AdminPage.php says “// check whether form was just
submitted” but the following if/elseif statements only check whether a
particular button was pressed without checking nonce values. The form in
question is printed in wp_html_sitemap_AdminPage::createSitemapForm()
around line 146 of the same file.

Proof of concept
================
This form deletes the sitemap without requiring a nonce value:
<form
action="http://not-a-real-site.local/wp-admin/options-general.php?page=wp-html-sitemap&tab=general"
method="POST">
<input type="text" name="deleteSitemap" value="Delete Sitemap">
<input type="submit">
</form>

Mitigations
================
Disable the plugin until a fix is available.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our
disclosure policy: https://security.dxw.com/disclosure/

Please contact us on ***@dxw.com to acknowledge this report if you
received it via a third party (for example, ***@wordpress.org) as
they generally cannot communicate with us on your behalf.

Please note that this vulnerability will be published if we do not
receive a response to this report within 14 days.

Timeline
================

2014-02-21: Discovered
2014-02-26: Reported
2014-03-28: No response received. Published


Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
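The pattern the advisory describes, shown as an added example that is not part of the original post and not the WP HTML Sitemap plugin's own code: an options-page handler that branches only on which submit button is present in $_POST, beside the same handler with a WordPress nonce emitted in the form and verified (together with a capability check) before any state-changing branch. The class, option key, menu slug, nonce action and field names are assumptions made for the illustration; wp_nonce_field(), check_admin_referer(), current_user_can(), update_option(), delete_option() and get_all_page_ids() are the standard WordPress APIs, and the code assumes it runs inside WordPress.

```php
<?php
/**
 * Added example (hypothetical code, not the WP HTML Sitemap plugin's own).
 * Assumes it runs inside WordPress on a Settings sub-page whose handler is
 * invoked before the page is rendered. Class, option, slug, nonce action and
 * button names are invented for the illustration.
 */

// ---- Vulnerable pattern -------------------------------------------------
// The handler only asks "which submit button is present in $_POST?". A form
// hosted on any other origin can post deleteSitemap=..., the victim's browser
// attaches the admin session cookie, and the destructive branch runs.
class Example_Sitemap_Admin_Vulnerable {
    const OPTION = 'example_sitemap_pages'; // assumed option key

    public function handle_post() {
        // check whether form was just submitted
        if ( isset( $_POST['generateSitemap'] ) ) {
            update_option( self::OPTION, array_map( 'intval', get_all_page_ids() ) );
        } elseif ( isset( $_POST['deleteSitemap'] ) ) {
            delete_option( self::OPTION ); // reachable by a cross-site POST
        }
    }
}

// ---- Hardened pattern ---------------------------------------------------
// 1. The form embeds a nonce bound to the current user and to one action.
// 2. The handler refuses the request unless the caller has the capability
//    AND presents a valid nonce, before any branch that changes state.
class Example_Sitemap_Admin_Fixed {
    const OPTION       = 'example_sitemap_pages';
    const NONCE_ACTION = 'example_sitemap_manage'; // assumed action string
    const NONCE_NAME   = '_example_sitemap_nonce'; // assumed hidden field name
    const PAGE_SLUG    = 'example-sitemap';        // assumed menu slug

    /** Prints the admin form, nonce included. */
    public function render_form() {
        $action = admin_url( 'options-general.php?page=' . self::PAGE_SLUG . '&tab=general' );
        echo '<form method="post" action="' . esc_url( $action ) . '">';
        // Emits the hidden nonce field plus a _wp_http_referer field.
        wp_nonce_field( self::NONCE_ACTION, self::NONCE_NAME );
        echo '<input type="submit" name="generateSitemap" value="Generate Sitemap"> ';
        echo '<input type="submit" name="deleteSitemap" value="Delete Sitemap">';
        echo '</form>';
    }

    /** Processes the form; must run before any output on the settings page. */
    public function handle_post() {
        if ( ! isset( $_POST['generateSitemap'] ) && ! isset( $_POST['deleteSitemap'] ) ) {
            return; // plain page view, nothing to do
        }

        // Authorisation: only users allowed to manage options get this far.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die(
                esc_html__( 'You are not allowed to manage the sitemap.', 'example-sitemap' ),
                '',
                array( 'response' => 403 )
            );
        }

        // CSRF check: verifies the nonce field and dies with WordPress's
        // standard "Are you sure you want to do this?" page when it is absent,
        // forged or expired. A cross-site form cannot learn the victim's nonce,
        // so the attacker's POST never reaches the branches below.
        check_admin_referer( self::NONCE_ACTION, self::NONCE_NAME );

        if ( isset( $_POST['generateSitemap'] ) ) {
            update_option( self::OPTION, array_map( 'intval', get_all_page_ids() ) );
        } elseif ( isset( $_POST['deleteSitemap'] ) ) {
            delete_option( self::OPTION );
        }
    }
}

// Wiring (assumed): run the handler on admin_init, before the page renders.
add_action( 'admin_init', array( new Example_Sitemap_Admin_Fixed(), 'handle_post' ) );
```

WordPress nonces are derived from the user ID, the action string and a 12-hour tick, so a token is valid for at most 24 hours and is useless to anyone who is not that user; check_admin_referer() returns 1 or 2 (first or second half of that window) when it passes. The nonce is not a substitute for the capability check, which is why current_user_can() runs first. To confirm a fix of this kind, replay the advisory's proof-of-concept form against the patched page while logged in as an administrator: the expected result is the "Are you sure you want to do this?" page rather than a deleted sitemap.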
Daniel Bachhuber
2014-03-28 14:41:11 UTC
Hi Harry,

Please refrain from advertising on this list. Plugin security issues should
be reported to ***@wordpress.org

Thanks.
Harry Metcalfe
2014-03-28 14:46:00 UTC
Hi Daniel,

This vulnerability was reported to ***@wordpress.org on 2nd
February. The author has not responded, so we are disclosing the
vulnerability in order that anyone using this plugin can take steps to
protect themselves.

This is certainly not an advertisement.

Administrivia: It was my assumption that this list would be interested
to know about vulnerable plugins. If anyone has strong feelings for or
against that assumption, please let me know off-list. If there is a
consensus we will honour it.

Cheers,

Harry
--
Harry Metcalfe
07790 559 876
@harrym
Chris McCoy
2014-03-28 15:29:06 UTC
I think Daniel was referring to posting to a public list; some malicious
people could take advantage of this and cause some havoc.
Harry Metcalfe
2014-03-28 15:52:06 UTC
Hi Chris,

We're aware of that, but not sure what alternative there is if the
people who write plugins don't contact us when we report issues to them.
We try to give people enough time to fix things, but if it doesn't look
like they're going to, we believe it is the responsible thing to do to
publish vulnerabilities so that people affected by them can take steps
to protect themselves.

Our disclosure policy is here <https://security.dxw.com/disclosure/>,
and we always draw people's attention to it (see below). All that said,
it is a difficult area and I'm certainly open to suggestions about how
to do it better.

Harry
Varun Agrawal
2014-03-28 16:06:22 UTC
Hi Harry,
It was my assumption that this list would be interested to know about vulnerable plugins.
There must be hundreds or thousands of plugins with security issues. I
don't think everybody will be interested to know vulnerabilities in
them.
we are disclosing the vulnerability in order that anyone using this plugin can take steps to protect themselves.
I guess most of the users of the plugin are not going to read this.


-Varun
Chris Christoff
2014-03-28 16:20:47 UTC
I also disagree with how the issues are being disclosed.
First off 14 days really isn't a long enough time. Imagine this
scenario:
Day 1: Friday: Reported to WP Security team
Day 1: Security team sends email to plugin author
Day 4: Monday: Plugin author begins reading his emails about his
plugins that came in over the weekend and notices security email.
Day 7: Thursday: Assuming the bug is easy to fix, a patch is
submitted as an update to WordPress.org
Day 8: Update notifications begin to appear in WordPress backend;
given it's now Friday, most users (if they even log into their site on
Fridays) will put off updating it till Monday, mostly so they can read
through the changelog.
Day 11: Users read through changelog and *hopefully* begin updating.

The problem is, this made 2 assumptions. First, you assume all
security vulnerabilities are both easy to fix, and the plugin can be
re-audited quickly. While most are likely easy to fix (à la the ones
reported thus far), most authors would also want to re-audit their
plugin's codebase, and for anything over 100k LOC that's going to take
a lot of time. Second, you've only given users 3 days to update in
this scenario. Some users will not update the first week after an
update has been patched. Some not even the first 2 weeks. Maybe they
are enterprise or large business sites where they have to get approval
and independent testing must be done prior to accepting the patch.
Maybe, they are scared of updates for whatever reason and they want to
read reports the update hasn't broken someone's site first.

In any event, the "14 days" should be upped to the industry standard
30 days. Currently, in a good case scenario (like the one above)
you've given users 3 days to update before you reveal a direct proof
of concept of how to exploit the vulnerability.

Even after 30 days, publishing a complete example of how to use the
vulnerability is still not all too responsible. I would move to a
system where you say what you can do to mitigate the issue after 30,
and then hold off on proof of concept for 60-90 days post report.

Finally, I'd have to agree with the others. Posting vulnerability
reports here isn't going to alert the majority of the affected users,
and it has that spammy feel (even though its not spam).
--
Chris Christoff
***@chriscct7.com
http://www.chriscct7.com
@chriscct7
If you feel the need to donate, as a college student, I appreciate
donations of any amount. The easiest way to donate to my college fund
is via the donation button at the bottom of my
homepage: http://chriscct7.com/
Harry Metcalfe
2014-03-28 16:30:50 UTC
Hi Chris,

The 14 days is just to acknowledge the report, not to release a fix. The
policy does not prescribe a time for fixes for exactly the reasons
you've outlined. We'll always work with people to agree a reasonable
time for fixing and publication, unless they don't reply to us. In which
case, we can't do much other than publish. We also generally do wait
longer than 14 days, as you can see from these reports.
Posting vulnerability reports here isn't going to alert the majority of the affected users, and it has that spammy feel (even though its not spam).
I'll add you to the list! So far, we're 1 for and 1 against.

Harry
Scott Herbert (via Phone)
2014-03-28 16:37:37 UTC
Just by way of comparison, Google give you 7 days; I think 14 days is fine. I tend to give companies 30 days to have the patch out, unless they give me a good reason to delay.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Nikola Nikolov
2014-03-28 16:31:37 UTC
@Chris - they are actually giving plugin authors 14 days to acknowledge the
report - which I assume means to just send an email along the lines of
"Okay, I'll take care of that ASAP". And again - 14 days is not a long time
- sometimes I'm away (and without internet access) for more than that.

I do agree that posting a proof of concept is not a good idea so soon. For
instance, Wordfence sends out emails to their subscribers when plugin
vulnerabilities have been found (and usually when their users have suffered
from those vulnerabilities) and suggests what action users should take. For
instance: "Plugin author has responded and patch is available in the next
release, available now", or "disable and delete plugin until a patch is
released", or "contact plugin author".
Post by Chris Christoff
-----------------------------------------------------------
I also disagree with how the issues are being disclosed.
First off, 14 days really isn't a long enough time. Imagine this:
Day 1: Friday: Reported to WP Security team
Day 1: Security team sends email to plugin author
Day 4: Monday: Plugin author begins reading his emails about his plugins that came in over the weekend and notices security email.
Day 7: Thursday: Assuming the bug is easy to fix, a patch is submitted as an update to WordPress.org
Day 8: Update notifications begin to appear in WordPress backend; given it's now Friday, most users (if they even log into their site on Fridays) will put off updating it till Monday, mostly so they can read through the changelog.
Day 11: Users read through changelog and *hopefully* begin updating.
The problem is, this made 2 assumptions. First, you assume all security vulnerabilities are both easy to fix, and the plugin can be re-audited quickly. While most are likely easy to fix (a la the ones reported thus far), most authors would also want to re-audit their plugin's codebase, and for anything over 100k LOC that's going to take a lot of time. Second, you've only given users 3 days to update in this scenario. Some users will not update the first week after an update has been patched. Some not even the first 2 weeks. Maybe they are enterprise or large business sites where they have to get approval and independent testing must be done prior to accepting the patch. Maybe they are scared of updates for whatever reason and they want to read reports the update hasn't broken someone's site first.
In any event, the "14 days" should be upped to the industry standard 30 days. Currently, in a good case scenario (like the one above) you've given users 3 days to update before you reveal a direct proof of concept of how to exploit the vulnerability.
Even after 30 days, publishing a complete example of how to use the vulnerability is still not all too responsible. I would move to a system where you say what you can do to mitigate the issue after 30, and then hold off on proof of concept for 60-90 days post report.
Finally, I'd have to agree with the others. Posting vulnerability reports here isn't going to alert the majority of the affected users, and it has that spammy feel (even though it's not spam).
--
Chris Christoff
http://www.chriscct7.com [1]
@chriscct7
If you feel the need to donate, as a college student, I appreciate
donations of any amount. The easiest way to donate to my college fund
is via the donation button at the bottom of my
homepage: http://chriscct7.com/ [2]
------
[1] http://www.chriscct7.com
[2] http://chriscct7.com/
-----------------------------------------------------------
Hi Harry,
It was my assumption that this list would be interested to know about vulnerable plugins.
There must be hundreds or thousands of plugins with security issues. I don't think everybody will be interested to know vulnerabilities in them.
we are disclosing the vulnerability in order that anyone using this plugin can take steps to protect themselves.
I guess most of the users of the plugin are not going to read this.
-Varun
-----------------------------------------------------------
Hi Chris,
We're aware of that, but not sure what alternative there is if the people who write plugins don't contact us when we report issues to them.
We try to give people enough time to fix things, but if it doesn't look like they're going to, we believe it is the responsible thing to do to publish vulnerabilities so that people affected by them can take steps to protect themselves.
Our disclosure policy is here <https://security.dxw.com/disclosure/>, and we always draw people's attention to it (see below). All that said, it is a difficult area and I'm certainly open to suggestions about how to do it better.
Harry
Harry Metcalfe
2014-03-28 16:36:57 UTC
Permalink
If reports are acknowledged, and plugin authors keep us in the loop,
we've so far always published on the same day as an update is released,
with advice to update to the new version as soon as possible. I think
the only circumstances under which we might publish sooner than that
would be for a very serious vulnerability that the plugin author was not
taking seriously.

Harry
Post by Nikola Nikolov
@Chris - they are actually giving plugin authors 14 days to acknowledge the report - which I assume means to just send an email along the lines of "Okay, I'll take care of that ASAP". And again - 14 days is not a long time - sometimes I'm away (and without internet access) for more than that.
I do agree that posting a proof of concept is not a good idea so soon. For instance Wordfence sends out emails to their subscribers when plugin vulnerabilities have been found (and usually when their users have suffered from those vulnerabilities) and suggests what action users should take. For instance "Plugin author has responded and patch is available in the next release, available now", or "disable and delete plugin until a patch is released" or "contact plugin author".
--
Harry Metcalfe
07790 559 876
@harrym
Harry Metcalfe
2014-03-28 16:34:03 UTC
Permalink
Post by Varun Agrawal
There must be hundreds or thousands of plugins with security issues. I don't think everybody will be interested to know vulnerabilities in them.
I'm honestly not sure how to respond to that. I don't think I know
anyone who doesn't care about having an exploitable website. I agree
that there are hundreds of vulnerable plugins. That's what we're trying
to help fix, because it's unacceptable!
Post by Varun Agrawal
I guess most of the users of the plugin are not going to read this.
We'll do the best we can to make sure everyone who is interested will
find out. We currently:

* Publish to our website
* Tweet from @dxwsecurity
* Post to wp-hackers and Full Disclosure
* Request a CVE

If you have any ideas about how we can spread the word more, I'm all ears.

Harry
--
Harry Metcalfe
07790 559 876
@harrym
Nikola Nikolov
2014-03-28 16:37:16 UTC
Permalink
I'd suggest creating a mailing list - this way people can actually opt in to those emails (so people here that don't want to receive that kind of information will not, and those who want can sign up for it).
Harry Metcalfe
2014-03-28 16:38:26 UTC
Permalink
Anyone else agree? Who'd join such a list?

I'll keep a tally on that too.

Though I am a bit surprised at the respondents here who *don't* want to
know about vulnerable plugins they may be running...

Harry
Post by Nikola Nikolov
I'd suggest creating a mailing list - this way people can actually opt in to those emails (so people here that don't want to receive that kind of information will not, and those who want can sign up for it).
--
Harry Metcalfe
07790 559 876
@harrym
John Blackbourn
2014-03-28 16:41:27 UTC
Permalink
Post by Harry Metcalfe
Anyone else agree? Who'd join such a list?
I'll keep a tally on that too.
Though I am a bit surprised at the respondents here who *don't* want to
know about vulnerable plugins they may be running...
I think a separate mailing list would be a better idea than posting to
wp-hackers, for the same reason there are separate mailing lists and
separate IRC channels and separate development blogs for all the various
aspects of WordPress.

John
Dre Armeda
2014-03-28 16:43:22 UTC
Permalink
On Fri, Mar 28, 2014 at 9:41 AM, John Blackbourn
Post by John Blackbourn
Post by Harry Metcalfe
Anyone else agree? Who'd join such a list?
I'll keep a tally on that too.
Though I am a bit surprised at the respondents here who *don't* want to
know about vulnerable plugins they may be running...
I think a separate mailing list would be a better idea than posting to
wp-hackers, for the same reason there are separate mailing lists and
separate IRC channels and separate development blogs for all the various
aspects of WordPress.
John
I concur!

I would certainly be open to joining that, and agree it should be separate
from wp-hackers.


Dre Armeda
Chris Christoff
2014-03-28 16:45:52 UTC
Permalink
I agree. Make a separate mailing list so those interested can opt in, not force existing mailing list subscribers to have to set up Gmail filters to delete these posts.
--
Chris Christoff
***@chriscct7.com
http://www.chriscct7.com [1]
@chriscct7
If you feel the need to donate, as a college student, I appreciate
donations of any amount. The easiest way to donate to my college fund
is via the donation button at the bottom of my
homepage: http://chriscct7.com/ [2]

Links:
------
[1] http://www.chriscct7.com
[2] http://chriscct7.com/


-----------------------------------------------------------
## wp-***@lists.automattic.com replied, on Mar 28 @ 12:37pm (AMT):

Just by way of comparison, Google gives you 7 days; I think 14 days is fine. I tend to give companies 30 days to have the patch out, unless they give me a good reason to delay.

-----------------------------------------------------------
Nikola Nikolov
2014-03-28 16:46:57 UTC
Permalink
A separate list with more obvious way of joining would benefit regular
users - they can just fill-out a form and get updates. And when they do get
updates, they will be specifically targeted at security.

I'm pretty happy with the mailing list of Wordfence - they have a huge user
base with all kinds of different setups that they can monitor and find
exploits.

PS: I'm not saying that your reports are worthless - the idea is a very
good one and I'm happy that you are donating some of your time towards the
community.


Daniel Bachhuber
2014-03-28 16:58:05 UTC
Permalink
I'd recommend a separate mailing list as well.


Madalin Ignisca
2014-03-28 16:59:46 UTC
Permalink
I'm in for this list.


--
*Madalin Ignisca*
*web developer*
http://imadalin.ro/
Chris Christoff
2014-03-28 17:03:18 UTC
Permalink
I think the point is when people signed up for this mailing list they didn't sign up for those notifications, which presumably entail multiple emails per day (given 2 already today alone, and security.dxw seems to report 1 to 2 a day on average). While a lot of people may find the reports useful, they weren't the intended goal of this mailing list. That doesn't make them worthless, but rather means that there should be a mailing list where people can sign up for them only if they want to receive them.
--
Chris Christoff
***@chriscct7.com
http://www.chriscct7.com [1]
@chriscct7
If you feel the need to donate, as a college student, I appreciate
donations of any amount. The easiest way to donate to my college fund
is via the donation button at the bottom of my
homepage: http://chriscct7.com/ [2]

Links:
------
[1] http://www.chriscct7.com
[2] http://chriscct7.com/


Ian Dunn
2014-03-28 18:29:03 UTC
Permalink
Post by Chris Christoff
I think the point is when people signed up for this mailinglist they
didn't sign up for those notifications, which presumably entail
multiple emails per day (given 2 already today alone and security.dxw
seems to report 1 to 2 a day on average).
I think it's more like 5-10 per month. DXW started posting these to the
list about a month ago, and IIRC this is only the second time they've
posted anything. So far they've batched them together when they have posted.

I'm all for keeping them on the list, because in my view it's relevant
for two reasons: 1) Most people on this list administer sites that are
potentially using these vulnerable plugins; 2) We all need to be
regularly reminded that security is important and easy to get wrong.

FWIW, you can already get these via e-mail by using Blogtrottr.com to
subscribe to DXW's RSS feed at https://security.dxw.com/advisories/feed/
Post by Chris Christoff
The problem with announcing security issues on a public list is that
people can use the hack. Especially when there isn't any fix for it yet.

That's assuming that the plugin author is going to fix the problem. If
they're not -- which has been demonstrated by their lack of response
when DXW privately disclosed the vulnerabilities to them two weeks ago
-- then the responsible thing to do is to release it publicly so that
users/admins are aware and can act to protect themselves. That is
standard practice.

Failing to disclose a vulnerability that won't be fixed hurts users and
helps hackers. Users are ignorant of it so they can't protect
themselves, while hackers will eventually find it and start exploiting
it. Failing to disclose it in the hopes that hackers won't find it on
their own is just security-through-obscurity.
Scott Herbert (via Phone)
2014-03-28 16:42:18 UTC
Permalink
I'd sign up to it. There was someone called "mustlive" who used to post lots of WP stuff on full-disclosure; I'm sure I can find a contact if you want.
Post by Harry Metcalfe
Anyone else agree? Who'd join such a list?
I'll keep a tally on that too.
Though I am a bit surprised at the respondents here who *don't* want to
know about vulnerable plugins they may be running...
Harry
- --
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Dino Termini
2014-03-28 17:19:53 UTC
Permalink
Shouldn't the plugin be taken down from the repo? Maybe wordpress, just like it checks for updates, could display a warning in the admin.
Post by Harry Metcalfe
Anyone else agree? Who'd join such a list?
I'll keep a tally on that too.
Though I am a bit surprised at the respondents here who *don't* want to
know about vulnerable plugins they may be running...
Harry
Marko Heijnen
2014-03-28 17:54:40 UTC
Permalink
This is exactly something I’m currently working on. In my case I will only show a warning when there is a new update.
Current target date for this is the end of next month.

The problem with announcing security issues on a public list is that people can use the hack. Especially when there isn't any fix for it yet.
To me, doing this is only in your own interest, so that you get possible clients out of it. This is because it doesn't help the community in any way.

Marko
Post by Dino Termini
Shouldn't the plugin be taken down from the repo? Maybe wordpress, just like it checks for updates, could display a warning in the admin.
Scott Herbert (via Phone)
2014-03-28 18:53:36 UTC
Permalink
Post by Dino Termini
Shouldn't the plugin be taken down from the repo? Maybe wordpress, just
like it checks for updates, could display a warning in the admin.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Half-Elf on Tech
2014-03-28 19:30:31 UTC
Permalink
To clarify:

For PLUGIN security issues of plugins that are hosted on WPORG, you
email ***@wordpress.org

And we pull it as soon as we can review the PoC, verify it, contact the
dev, and do everything else we do. Which may not be 'right away'
(especially when someone sends in 50 reports in one day, yes that
happened). Assuming we pull things same day is a lovely perfect-world.
Ain't real though :)
On 28 March 2014 17:19:53 GMT+00:00, Dino
Post by Dino Termini
Shouldn't the plugin be taken down from the repo? Maybe wordpress, just
like it checks for updates, could display a warning in the admin.
Jamie Currie
2014-03-28 19:35:24 UTC
Permalink
I just did an "emergency" cleanup job for a company who got hacked. 80+
files had eval'd base64 encoded crud added to them, scattered throughout
various spots in WP including deep in admin subfolders. Source of the
intrusion appears to have been a plugin that was vulnerable to SQL
injection.

Obviously lots of other security failings that let it get to that point,
including not having recent updates. But it's hard to see where anyone
wouldn't want to be made aware of potential vulnerabilities. I'm pretty
sure this company -- who just paid rush rates to get it remediated --
would have appreciated them. Actually, I suppose I'd be the only one who
wouldn't want vulnerabilities exposed -- that was a pretty sweet check
for one day of work!

Jamie


------ Original Message ------
From: "Scott Herbert (via Phone)" <***@googlemail.com>
To: wp-***@lists.automattic.com
Sent: 3/28/2014 11:53:36 AM
Subject: Re: [wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2
(WordPress plugin)
On 28 March 2014 17:19:53 GMT+00:00, Dino Termini
Post by Dino Termini
Shouldn't the plugin be taken down from the repo? Maybe wordpress, just
like it checks for updates, could display a warning in the admin.
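For the kind of cleanup Jamie describes, here is an added example (not code from the thread, from dxw or from WordPress): a Python scanner for eval() wrapped around base64-decoded payloads, plus two related signatures, run over a constructed miniature WordPress tree rather than a real install. The file names, the payloads and the 200-character threshold are assumptions made for the demonstration.

```python
import os
import re
import tempfile

# Regexes over raw PHP source for the injection family described above.
# Hits are reported with a line number so the responder can diff the file
# against a clean copy of core or the plugin before touching it.
SIGNATURES = {
    # eval(base64_decode("...")) and the compressed/rotated variants,
    # e.g. eval(gzinflate(base64_decode("...")))
    "eval_base64": re.compile(
        r"eval\s*\(\s*(?:(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*)?"
        r"base64_decode\s*\(",
        re.I,
    ),
    # preg_replace() with the /e modifier evaluates the replacement as PHP
    # (removed in PHP 7, but still a common backdoor on older hosts)
    "preg_replace_e": re.compile(
        r"preg_replace\s*\(\s*['\"](.)[^'\"]*\1[a-z]*e[a-z]*['\"]", re.I
    ),
    # a very long base64 literal handed straight to base64_decode();
    # legitimate code rarely embeds payloads this way (threshold is assumed)
    "long_base64_literal": re.compile(
        r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{200,}['\"]"
    ),
}


def scan_source(source):
    """Return [(signature, line_number, snippet)] for one file's PHP source."""
    hits = []
    for name, rx in SIGNATURES.items():
        for m in rx.finditer(source):
            line_no = source.count("\n", 0, m.start()) + 1
            snippet = source[m.start():m.start() + 60].splitlines()[0]
            hits.append((name, line_no, snippet))
    return sorted(hits, key=lambda h: h[1])


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk an install and return {relative_path: hits} for files with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
            except OSError:
                continue
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


# Constructed sample files (not from any real incident): two carrying
# injected code, one clean.  'ZWNobyAxOw==' is just base64 for "echo 1;".
SAMPLES = {
    "wp-admin/includes/class-wp-importer.php":
        "<?php\nclass WP_Importer {}\n"
        "eval(base64_decode('ZWNobyAxOw=='));\n",
    "wp-content/plugins/example/example.php":
        "<?php\n$x = 'ZWNobyAxOw==';\n"
        "eval(gzinflate(base64_decode($x)));\n"
        "preg_replace('/.*/e', 'strrev($_GET[\"q\"])', '');\n",
    "wp-includes/functions.php":
        "<?php\nfunction wp_hash($data) { return md5($data); }\n",
}


def write_samples(root):
    """Lay the constructed samples out as a miniature WordPress tree."""
    for rel, body in SAMPLES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Scan the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        write_samples(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        for name, line_no, snippet in hits:
            print(f"{path}:{line_no}: {name}: {snippet}")
```

Treat hits as leads, not verdicts: compare each flagged file against a pristine copy of the same core or plugin version before removing anything, and remember that a signature scan only finds the patterns you asked for. After a compromise like the one Jamie describes, the reliable fix is to reinstall core and plugins from known-good sources and rotate the credentials the site held.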
Tom Barrett
2014-03-28 20:54:30 UTC
Permalink
Most of all, I'd like it if people trimmed their emails to be less spammy.

I think what Harry is doing is a good thing, and I want to be aware of
security issues with wordpress.org plugins (as well as any others).

I'm happy for security reports, as per Harry's recent ones, to be posted
here.
Dino Termini
2014-03-28 21:00:48 UTC
Permalink
Again, I think this should be added to wp core, and managed through the repo. When a plugin is removed from the repo, or better "deactivated" (not downloadable but with a big red warning saying why, just like they do for plugins older than 2 years), people get a notice in their admin telling them what happened. Only a few geeks (including myself) would check that other mailing list, leaving the majority of wp users unprotected.

Should I file a request on trac?

Dino
Post by Tom Barrett
Most of all, I'd like it if people trimmed their emails to be less spammy.
I think what Harry is doing is a good thing, and I want to be aware of
security issues with wordpress.org plugins (as well as any others).
I'm happy for security reports, as per Harry's recent ones, to be posted
here.
Daniel
2014-03-28 21:03:59 UTC
Permalink
That's a better way of doing things
Post by Dino Termini
Again, I think this should be added to wp core, and managed through the
repo. When a plugin is removed from the repo, or better "deactivated" (not
downloadable but with a big red warning saying why, just like they do for
plugins older than 2 years), people get a notice in their admin telling them
what happened. Only a few geeks (including myself) would check that other
mailing list, leaving the majority of wp users unprotected.
Should I file a request on trac?
Dino
--
Regards,
Daniel Fenn
Mark Costlow
2014-03-28 21:19:03 UTC
Permalink
I like that idea too.


For anyone interested, @exploitdb on twitter posts exploits in all
manner of software, including many web apps, including WP plugins.
(I have nothing to do with it, I just follow it).

Mark
Post by Daniel
That's a better way of doing things
--
Mark Costlow | Southwest Cyberport | Fax: +1-505-232-7975
***@swcp.com | Web: www.swcp.com | Voice: +1-505-232-7992

Mail Minder - Intelligent Push Notifications for Email on the iPhone
http://mailminderapp.com/download or in the App Store
TV productions
2014-03-28 21:33:33 UTC
Permalink
I like the idea of a warning through the wordpress.org repo.

It might be nice if there would be a button like "WP version x and
plugin version y work/don't work" with a text like "Security issue
found" and when it is clicked by one (or one authorized account), there
should be a big warning. This warning should be displayed on the plugin
page, but also appear in the WP backend of WP installs with that plugin
activated/installed.

This is, I think, the right way to warn users about the unsafe plugins
they are using.

Ties

---
TV productions :: Web development and stuff
http://tv-productions.org
Post by Mark Costlow
I like that idea too.
Harry Metcalfe
2014-03-31 09:32:34 UTC
Permalink
Hello everyone,

Thanks all for the feedback. There isn't really a clear consensus here
about what everyone would like to see. There is a clear desire for a
mailing list, though, so I've set that up.

You can visit:
http://lists.dxw.com/mailman/listinfo/dxw-wp-security_lists.dxw.com or
send an email to dxw-wp-security-***@lists.dxw.com.

From now on, we will post all advisories to that list.

I will continue to post some advisories here, but only when I think
they'll be of more general interest - for example, for a popular plugin,
or a high-impact vulnerability.

Hope that's ok, and open to suggestions as always.

Harry
Post by Tom Barrett
Most of all, I'd like it if people trimmed their emails to be less spammy.
I think what Harry is doing is a good thing, and I want to be aware of
security issues with wordpress.org plugins (as well as any others).
I'm happy for security reports, as per Harry's recent ones, to be posted
here.
--
Harry Metcalfe
07790 559 876
@harrym
Jacob Snyder
2014-03-28 16:51:44 UTC
Permalink
I disagree with the sentiment that discussing vulnerable plugins is a bad
topic for this list (am I wrong?). I do want the info, and I would opt in
to Harry's list, but I don't see why I have to. This backlash from a few
people seems a little strong...


On Fri, Mar 28, 2014 at 11:38 AM,
Send wp-hackers mailing list submissions to
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.automattic.com/mailman/listinfo/wp-hackers
or, via email, send a message with subject or body 'help' to
You can reach the person managing the list at
When replying, please edit your Subject line so it is more specific
than "Re: Contents of wp-hackers digest..."
1. Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin) (Harry Metcalfe)
2. Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin) (Harry Metcalfe)
3. Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin) (Nikola Nikolov)
4. Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin) (Scott Herbert (via Phone))
5. Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin) (Harry Metcalfe)
----------------------------------------------------------------------
Message: 1
Date: Fri, 28 Mar 2014 16:34:03 +0000
Subject: Re: [wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)
Post by Varun Agrawal
There must be hundreds or thousands of plugins with security issues. I
don't think everybody will be interested to know vulnerabilities in
them.

I'm honestly not sure how to respond to that. I don't think I know
anyone who doesn't care about having an exploitable website. I agree
that there are hundreds of vulnerable plugins. That's what we're trying
to help fix, because it's unacceptable!

Post by Varun Agrawal
I guess most of the users of the plugin are not going to read this.

We'll do the best we can to make sure everyone who is interested will
find out:
* Publish to our website
* Post to wp-hackers and Full Disclosure
* Request a CVE

If you have any ideas about how we can spread the word more, I'm all ears.

Harry

Post by Varun Agrawal
Hi Harry,
Post by Harry Metcalfe
It was my assumption that this list would be interested to know about
vulnerable plugins.
There must be hundreds or thousands of plugins with security issues. I
don't think everybody will be interested to know vulnerabilities in
them.
Post by Harry Metcalfe
we are disclosing the vulnerability in order that anyone using this
plugin can take steps to protect themselves.
I guess most of the users of the plugin are not going to read this.
-Varun
------------------------------
Message: 2
Date: Fri, 28 Mar 2014 16:36:57 +0000
Subject: Re: [wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)
If reports are acknowledged, and plugin authors keep us in the loop,
we've so far always published on the same day as an update is released,
with advice to update to the new version as soon as possible. I think
the only circumstances under which we might publish sooner than that
would be for a very serious vulnerability that the plugin author was not
taking seriously.
Harry
Post by Varun Agrawal
@Chris - they are actually giving plugin authors 14 days to acknowledge
the report - which I assume means to just send an email along the lines
of "Okay, I'll take care of that ASAP". And again - 14 days is not a
long time - sometimes I'd be away (and without internet access) for more
than that.

I do agree that posting a proof of concept is not a good idea so soon.
For instance Wordfence sends out emails to their subscribers when plugin
vulnerabilities have been found (and usually when their users have
suffered from those vulnerabilities) and suggest what action users
should take. For instance "Plugin author has responded and patch is
available in the next release, available now", or "disable and delete
plugin until a patch is released" or "contact plugin author".
-----------------------------------------------------------
I also disagree with how the issues are being disclosed.

First off, 14 days really isn't a long enough time. Imagine this:

Day 1: Friday: Reported to WP Security team
Day 1: Security team sends email to plugin author
Day 4: Monday: Plugin author begins reading his emails about his plugins that came in over the weekend and notices security email.
Day 7: Thursday: Assuming the bug is easy to fix, a patch is submitted as an update to WordPress.org
Day 8: Update notifications begin to appear in WordPress backend; given it's now Friday, most users (if they even log into their site on Fridays) will put off updating it till Monday, mostly so they can read through the changelog.
Day 11: Users read through changelog and *hopefully* begin updating.

The problem is, this made 2 assumptions. First, you assume all
security vulnerabilities are both easy to fix, and the plugin can be
re-audited quickly. While most are likely easy to fix (à la the ones
reported thus far), most authors would also want to re-audit their
plugin's codebase, and for anything over 100k LOC that's going to take
a lot of time. Second, you've only given users 3 days to update in
this scenario. Some users will not update the first week after an
update has been patched. Some not even the first 2 weeks. Maybe they
are enterprise or large business sites where they have to get approval
and independent testing must be done prior to accepting the patch.
Maybe they are scared of updates for whatever reason and they want to
read reports the update hasn't broken someone's site first.

In any event, the "14 days" should be upped to the industry standard
30 days. Currently, in a good case scenario (like the one above)
you've given users 3 days to update before you reveal a direct proof
of concept of how to exploit the vulnerability.

Even after 30 days, publishing a complete example of how to use the
vulnerability is still not all too responsible. I would move to a
system where you say what you can do to mitigate the issue after 30,
and then hold off on proof of concept for 60-90 days post report.

Finally, I'd have to agree with the others. Posting vulnerability
reports here isn't going to alert the majority of the affected users,
and it has that spammy feel (even though it's not spam).

--
Chris Christoff
http://www.chriscct7.com
@chriscct7
If you feel the need to donate, as a college student, I appreciate
donations of any amount. The easiest way to donate to my college fund
is via the donation button at the bottom of my
homepage: http://chriscct7.com/
-----------------------------------------------------------
Hi Chris,

We're aware of that, but not sure what alternative there is if the
people who write plugins don't contact us when we report issues to
them.

We try to give people enough time to fix things, but if it doesn't look
like they're going to, we believe it is the responsible thing to do to
publish vulnerabilities so that people affected by them can take steps
to protect themselves.

Our disclosure policy is here <https://security.dxw.com/disclosure/>,
and we always draw people's attention to it (see below). All that said,
it is a difficult area and I'm certainly open to suggestions about how
to do it better.

Harry
-----------------------------------------------------------
I think Daniel was referring to posting to a public list; some malicious
people could take advantage of this, and cause some havoc.
-----------------------------------------------------------
Hi Daniel,

February. The author has not responded, so we are disclosing the
vulnerability in order that anyone using this plugin can take steps to
protect themselves.

This is certainly not an advertisement.

Administrivia: It was my assumption that this list would be interested
to know about vulnerable plugins. If anyone has strong feelings for or
against that assumption, please let me know off-list. If there is a
consensus we will honour it.

Cheers,
Harry
-----------------------------------------------------------
Hi Harry,

Please refrain from advertising on this list. Plugin security issues
should

Thanks.
-----------------------------------------------------------
------------------------------
Message: 3
Date: Fri, 28 Mar 2014 18:37:16 +0200
Subject: Re: [wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)
I'd suggest creating a mailing list - this way people can actually opt in
to those emails (so people here that don't want to receive that kind of
information will not, and those who want can sign up for it).
------------------------------
Message: 4
Date: Fri, 28 Mar 2014 16:37:37 +0000
Subject: Re: [wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)
Just by way of comparison, Google gives you 7 days; I think 14 days is fine.
I tend to give companies 30 days to have the patch out, unless they give me
a good reason to delay.
Post by Varun Agrawal
Hi Chris,

The 14 days is just to acknowledge the report, not to release a fix. The
policy does not prescribe a time for fixes for exactly the reasons
you've outlined. We'll always work with people to agree a reasonable
time for fixing and publication, unless they don't reply to us. In which
case, we can't do much other than publish. We also generally do wait
longer than 14 days, as you can see from these reports.

Post by Chris Christoff
Posting vulnerability reports here isn't going to alert the majority
of the affected users, and it has that spammy feel (even though it's not
spam).

I'll add you to the list! So far, we're 1 for and 1 against.

Harry
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
------------------------------
Message: 5
Date: Fri, 28 Mar 2014 16:38:26 +0000
Subject: Re: [wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)
Anyone else agree? Who'd join such a list?
I'll keep a tally on that too.
Though I am a bit surprised at the respondents here who *don't* want to
know about vulnerable plugins they may be running...
Harry
------------------------------
------------------------------
End of wp-hackers Digest, Vol 110, Issue 45