[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Scott Herbert (via Phone) scott.a.herbert at googlemail.com
Fri Mar 28 16:37:37 UTC 2014


Just by way of comparison, Google gives you 7 days; I think 14 days is fine. I tend to give companies 30 days to have the patch out, unless they give me a good reason to delay.



On 28 March 2014 16:30:50 GMT+00:00, Harry Metcalfe <harry at dxw.com> wrote:
>Hi Chris,
>
>The 14 days is just to acknowledge the report, not to release a fix. The
>policy does not prescribe a time for fixes for exactly the reasons
>you've outlined. We'll always work with people to agree a reasonable
>time for fixing and publication, unless they don't reply to us, in which
>case we can't do much other than publish. We also generally do wait
>longer than 14 days, as you can see from these reports.
>
>> Posting vulnerability reports here isn't going to alert the majority
>> of the affected users, and it has that spammy feel (even though it's
>> not spam).
>
>I'll add you to the list! So far, we're 1 for and 1 against.
>
>Harry
>
>
>On 28/03/2014 16:20, Chris Christoff wrote:
>>
>> -----------------------------------------------------------
>> ## Chris replied, on Mar 28 @ 12:20pm (AMT):
>>
>> I also disagree with how the issues are being disclosed.
>>
>> First off, 14 days really isn't a long enough time. Imagine this
>> scenario:
>>
>>   Day 1: Friday: Reported to WP Security team
>>   Day 1: Security team sends email to plugin author
>>   Day 4: Monday: Plugin author begins reading his emails about his
>>   plugins that came in over the weekend and notices security email.
>>   Day 7: Thursday: Assuming the bug is easy to fix, a patch is
>>   submitted as an update to WordPress.org
>>   Day 8: Update notifications begin to appear in WordPress backend;
>>   given it's now Friday, most users (if they even log into their site
>>   on Fridays) will put off updating it till Monday, mostly so they can
>>   read through the changelog.
>>   Day 11: Users read through changelog and *hopefully* begin updating.
>>
>> The problem is, this made 2 assumptions. First, you assume all
>> security vulnerabilities are both easy to fix, and the plugin can be
>> re-audited quickly. While most are likely easy to fix (a la the ones
>> reported thus far), most authors would also want to re-audit their
>> plugin's codebase, and for anything over 100k LOC that's going to take
>> a lot of time. Second, you've only given users 3 days to update in
>> this scenario. Some users will not update the first week after an
>> update has been patched. Some not even the first 2 weeks. Maybe they
>> are enterprise or large business sites where they have to get approval
>> and independent testing must be done prior to accepting the patch.
>> Maybe they are scared of updates for whatever reason and they want to
>> read reports the update hasn't broken someone's site first.
>>
>> In any event, the "14 days" should be upped to the industry standard
>> 30 days. Currently, in a good case scenario (like the one above)
>> you've given users 3 days to update before you reveal a direct proof
>> of concept of how to exploit the vulnerability.
>>
>> Even after 30 days, publishing a complete example of how to use the
>> vulnerability is still not all too responsible. I would move to a
>> system where you say what you can do to mitigate the issue after 30,
>> and then hold off on proof of concept for 60-90 days post report.
>>
>> Finally, I'd have to agree with the others. Posting vulnerability
>> reports here isn't going to alert the majority of the affected users,
>> and it has that spammy feel (even though it's not spam).
>> --
>> Chris Christoff
>> hello at chriscct7.com
>> http://www.chriscct7.com [1]
>> @chriscct7
>> If you feel the need to donate, as a college student, I appreciate
>> donations of any amount. The easiest way to donate to my college fund
>> is via the donation button at the bottom of my
>> homepage: http://chriscct7.com/ [2]
>>
>> Links:
>> ------
>> [1] http://www.chriscct7.com
>> [2] http://chriscct7.com/
>>
>>
>> -----------------------------------------------------------
>> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 12:06pm (AMT):
>>
>> Hi Harry,
>>
>>   > It was my assumption that this list would be interested to know
>>   > about vulnerable plugins.
>>
>>   There must be hundreds or thousands of plugins with security issues.
>>   I don't think everybody will be interested to know vulnerabilities in
>>   them.
>>
>>   > we are disclosing the vulnerability in order that anyone using
>>   > this plugin can take steps to protect themselves.
>>
>>   I guess most of the users of the plugin are not going to read this.
>>
>>   -Varun
>>   _______________________________________________
>>   wp-hackers mailing list
>>   wp-hackers at lists.automattic.com
>>   http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>> -----------------------------------------------------------
>> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 11:52am (AMT):
>>
>> Hi Chris,
>>
>>   We're aware of that, but not sure what alternative there is if the
>>   people who write plugins don't contact us when we report issues to
>>   them. We try to give people enough time to fix things, but if it
>>   doesn't look like they're going to, we believe it is the responsible
>>   thing to do to publish vulnerabilities so that people affected by
>>   them can take steps to protect themselves.
>>
>>   Our disclosure policy is here <https://security.dxw.com/disclosure/>,
>>   and we always draw people's attention to it (see below). All that
>>   said, it is a difficult area and I'm certainly open to suggestions
>>   about how to do it better.
>>
>>   Harry
>>
>> -----------------------------------------------------------
>> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 11:29am (AMT):
>>
>>   I think Daniel was referring to posting to a public list; some
>>   malicious people could take advantage of this and cause some havoc.
>>
>>
>> -----------------------------------------------------------
>> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 10:46am (AMT):
>>
>> Hi Daniel,
>>
>>   This vulnerability was reported to plugins at wordpress.org on 2nd
>>   February. The author has not responded, so we are disclosing the
>>   vulnerability in order that anyone using this plugin can take steps
>>   to protect themselves.
>>
>>   This is certainly not an advertisement.
>>
>>   Administrivia: It was my assumption that this list would be
>>   interested to know about vulnerable plugins. If anyone has strong
>>   feelings for or against that assumption, please let me know off-list.
>>   If there is a consensus we will honour it.
>>
>>   Cheers,
>>
>>   Harry
>>
>> -----------------------------------------------------------
>> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 10:41am (AMT):
>>
>> Hi Harry,
>>
>>   Please refrain from advertising on this list. Plugin security issues
>>   should be reported to plugins at wordpress.org
>>
>>   Thanks.
>>
>>
>> -----------------------------------------------------------
>>
>
>-- 
>Harry Metcalfe
>07790 559 876
>@harrym
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

