[wp-meta] [Making WordPress.org] #4662: A security risk on W.org plugins respository - no checksum / authorization of plugin version reporting

Making WordPress.org noreply at wordpress.org
Wed Aug 7 18:24:33 UTC 2019 

#4662: A security risk on W.org plugins respository - no checksum / authorization
of plugin version reporting
------------------------------+-------------------------
 Reporter:  KestutisIT        |      Owner:  (none)
     Type:  defect            |     Status:  new
 Priority:  high              |  Milestone:
Component:  Plugin Directory  |   Keywords:  needs-patch
------------------------------+-------------------------
 As it came up on 5th comment in ticket #4661 (
 https://meta.trac.wordpress.org/ticket/4661#comment:5 ), it appears that
 there is absolutely not authorization on what is getting reported to
 plugin's advanced view -> versions. As @Ipstenu confirmed, for plugins
 there is not even SemVer validation used (as of SemVer.org), so it means
 that **EVIL PERSON**, can create an **/akismet/** plugin, that has over 5
 millions of current installs, and create a version in that plugin named
 **Automattic has nothing to do with WordPress** and that message will be
 seen to everyone who will visit
 https://wordpress.org/plugins/akismet/advanced/ page.

 So, as I have partnered with PayPal many times and did many PayPal
 integrations, I can confirm that the most secure way for this, is to
 generate **SHA2-512** or **RSA** ***.cer** file for each plugin after it
 is released and keep that file in plugins folder. The certificate (*.cer)
 will ensure that request is coming from that exact plugin from that exact
 author.

 In a perfect world, the checksum would be from a whole plugin's zip file,
 as **PHPUnit** is doing.
 But for minor case the checksum should be at least calculated from w.org
 plugin URL  and either:
 1. Plugin's admin dashboard left menu image icon checksum
 2. Or whole Plugin/Plugin.php (main file with meta description)
 3. Or just a meta description.
 4. Or plugins readme.txt file (as @Ipsteinu told that this is the only
 always required file).

 Maybe at the same time it will mean, that we should add a support for
 versions.md (as GitHub loves .md and we are in new era of **.md**). So
 that we don't need to update a certificate file so often as otherwise
 checksum will change often, while if versions part would always be away of
 the readme.txt, then it will not need to update that often.

 **Note:** And even if SemVer (Semver.org) validation would be done there,
 we still can create a bot that would report a million of installations of
 Akismet of '99.99-EVIL-TEXT', and Semver allows to name the release.

 So that's a security risk.

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/4662>
Making WordPress.org <https://meta.trac.wordpress.org/>
Making WordPress.org

More information about the wp-meta mailing list