[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)
Ian Dunn
ian at iandunn.name
Fri Mar 28 18:29:03 UTC 2014
On 3/28/14, 10:03 AM, Chris Christoff wrote:
> I think the point is when people signed up for this mailinglist they
> didn't sign up for those notifications, which presumably entail
> multiple emails per day (given 2 already today alone and security.dxw
> seems to report 1 to 2 a day on average).
I think it's more like 5-10 per month. DXW started posting these to the
list about a month ago, and IIRC this is only the second time they've
posted anything. So far they've batched them together when they have posted.
I'm all for keeping them on the list, because in my view it's relevant
for two reasons: 1) Most people on this list administer sites that are
potentially using these vulnerable plugins; 2) We all need to be
regularly reminded that security is important and easy to get wrong.
FWIW, you can already get these via e-mail by using Blogtrottr.com to
subscribe to DXW's RSS feed at https://security.dxw.com/advisories/feed/
On 3/28/14, 10:54 AM, Marko Heijnen wrote:
> The problem with announcing security issues on a public list is that
> people can use the hack. Especially when there isn't any fix for it yet.
That's assuming that the plugin author is going to fix the problem. If
they're not -- which has been demonstrated by their lack of response
when DXW privately disclosed the vulnerabilities to them two weeks ago
-- then the responsible thing to do is to release it publicly so that
users/admins are aware and can act to protect themselves. That is
standard practice.
Failing to disclose a vulnerability that won't be fixed hurts users and
helps hackers. Users are ignorant of it so they can't protect
themselves, while hackers will eventually find it and start exploiting
it. Failing to disclose it in the hopes that hackers won't find it on
their own is just security-through-obscurity.