[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)
Chris Christoff
hello at chriscct7.com
Fri Mar 28 16:20:47 UTC 2014
-- Please reply above this line --
-----------------------------------------------------------
## Chris replied, on Mar 28 @ 12:20pm (AMT):
I also disagree with how the issues are being disclosed.
First off 14 days really isn't a long enough time. Imagine this
scenario:
Day 1: Friday: Reported to WP Security team
Day 1: Security team sends email to plugin author
Day 4: Monday: Plugin author begins reading his emails about his
plugins that came in over the weekend and notices security email.
Day 7: Thursday: Assuming the bug is easy to fix, an update is patch
is submitted as an update to WordPress.org
Day 8: Update notifications begin to appear in WordPress backend,
given its now Friday, most users (if they even log into their site on
Fridays, will put off updating it till Monday mostly so they can read
through the changelog.
Day 11: Users read through changelog and *hopefully* begin updating.
The problem is, this made 2 assumptions. First, you assume all
security vulnerabilities are both easy to fix, and the plugin can be
re-audited quickly. While most are likely easy to fix (ala the ones
reported thus far), most authors would also want to re-audit their
plugins codebase, and for anything over 100k LOC that's going to take
a lot of time. Second, you've only given users 3 days to update in
this scenario. Some users will not update the first week after an
update has been patched. Some not even the first 2 weeks. Maybe they
are enterprise or large business sites where they have to get approval
and independent testing must be done prior to accepting the patch.
Maybe, they are scared of updates for whatever reason and they want to
read reports the update hasn't broken someone's site first.
In any event, the "14 days" should be upped to the industry standard
30 days. Currently, in a good case scenario (like the one above)
you've given users 3 days to update before you reveal a direct proof
of concept of how to exploit the vulnerability.
Even after 30 days, publishing a complete example of how to use the
vulnerability is still not all too responsible. I would move to a
system where you say what you can do to mitigate the issue after 30,
and then hold off on proof of concept for 60-90 days post report.
Finally, I'd have to agree with the others. Posting vulnerability
reports here isn't going to alert the majority of the affected users,
and it has that spammy feel (even though its not spam).
--
Chris Christoff
hello at chriscct7.com
http://www.chriscct7.com [1]
@chriscct7
If you feel the need to donate, as a college student, I appreciate
donations of any amount. The easiest way to donate to my college fund
is via the donation button at the bottom of my
homepage: http://chriscct7.com/ [2]
Links:
------
[1] http://www.chriscct7.com
[2] http://chriscct7.com/
-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Mar 28 @ 12:06pm (AMT):
Hi Harry,
>It was my assumption that this list would be interested to know
about vulnerable plugins.
There must be hundreds or thousands of plugin with security issues. I
don't think everybody will be interested to know vulnerabilities in
them.
>we are disclosing the vulnerability in order that anyone using
this plugin can take steps to protect themselves.
I guess most of the user of the plugin are not going to read this.
-Varun
_______________________________________________
wp-hackers mailing list
wp-hackers at lists.automattic.com
http://lists.automattic.com/mailman/listinfo/wp-hackers
-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Mar 28 @ 11:52am (AMT):
Hi Chris,
We're aware of that, but not sure what alternative there is if the
people who write plugins don't contact us when we report issues to
them.
We try to give people enough time to fix things, but if it doesn't
look
like they're going to, we believe it is the responsible thing to do
to
publish vulnerabilities so that people affected by them can take
steps
to protect themselves.
Our disclosure policy is here
<https://security.dxw.com/disclosure/>,
and we always draw people's attention to it (see below). All that
said,
it is a difficult area and I'm certainly open to suggestions about
how
to do it better.
Harry
-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Mar 28 @ 11:29am (AMT):
I think Daniel was refering to posting to a public list, some
malicious
people could take advantage of this, and cause some havoc.
_______________________________________________
wp-hackers mailing list
wp-hackers at lists.automattic.com
http://lists.automattic.com/mailman/listinfo/wp-hackers
-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Mar 28 @ 10:46am (AMT):
Hi Daniel,
This vulnerability was reported to plugins at wordpress.org on 2nd
February. The author has not responded, so we are disclosing the
vulnerability in order that anyone using this plugin can take steps
to
protect themselves.
This is certainly not an advertisement.
Administrivia: It was my assumption that this list would be
interested
to know about vulnerable plugins. If anyone has strong feelings for
or
against that assumption, please let me know off-list. If there is a
consensus we will honour it.
Cheers,
Harry
-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Mar 28 @ 10:41am (AMT):
Hi Harry,
Please refrain from advertising on this list. Plugin security issues
should
be reported to plugins at wordpress.org
Thanks.
_______________________________________________
wp-hackers mailing list
wp-hackers at lists.automattic.com
http://lists.automattic.com/mailman/listinfo/wp-hackers
-----------------------------------------------------------
More information about the wp-hackers
mailing list