[wp-hackers] WordPress plugin inspections

Simon Blackbourn piemanek at gmail.com
Thu Feb 20 00:14:06 UTC 2014
Hi Harry

I think there is potentially a very useful idea and service here, but I
really think a lot more care, depth, clarity (and possibly right to reply
for plugin authors) needs to go into the reviews.

Here's an example that really stands out to me:
https://security.dxw.com/plugins/relevanssi-premium

> "This plugin also has a history of broken releases, including one which
> contained malicious code added to the distribution after the author's
> website was hacked in July 2013."

I was the person who discovered that Mikko's website had been hacked and
the resulting attempted malicious code that was inserted into his plugin (I
say attempted, because due to a typo by the hacker it didn't actually do
anything). I reported it responsibly by emailing him privately at 11.30pm
on a Friday night. By the Monday he had fixed it, released a new version,
installed additional security measures on his server and emailed all his
users to openly explain and apologise for what had happened, which is
pretty much a textbook exemplary way to deal with this sort of thing.

It seems unfair therefore that you have turned something that happened
seven months ago that was resolved so speedily and responsibly into a very
public black mark against this plugin, especially in a format that doesn't
give the author any right to reply.

> "We have sampled quite a few of these queries and none appear to be
> injectable, but we suspect this is more likely to be due to luck than good
> judgement."

What you're saying here is you conducted an incomplete test, couldn't find
anything wrong, yet you then decided that this must be luck, so you're
going to count it against the plugin anyway?! The word 'suspect' really
shouldn't have any place in a professional and public vulnerability review
- either you test fully and find a vulnerability (which you then report in
the proper manner to the author) or you don't.

You've then failed the plugin on three code-related criteria, but then
state in the box on the right that you haven't actually done a proper code
inspection.

Finally, it's very unclear to me who the reviews are aimed at. If it's for
non-techie end users, then they are very unlikely to understand concepts
such as "unprepared SQL statements", but as a developer, an incomplete high
level review that hasn't delved comprehensively into the code is no use to
me at all.

All the best
Simon
