[wp-meta] [Making WordPress.org] #4662: A security risk on W.org plugins repository - no checksum / authorization of plugin version reporting
Making WordPress.org
noreply at wordpress.org
Wed Aug 7 18:24:33 UTC 2019
#4662: A security risk on W.org plugins repository - no checksum / authorization
of plugin version reporting
------------------------------+-------------------------
Reporter: KestutisIT | Owner: (none)
Type: defect | Status: new
Priority: high | Milestone:
Component: Plugin Directory | Keywords: needs-patch
------------------------------+-------------------------
As came up in the 5th comment on ticket #4661 (
https://meta.trac.wordpress.org/ticket/4661#comment:5 ), it appears that
there is absolutely no authorization on what gets reported to a
plugin's advanced view -> versions. As @Ipstenu confirmed, for plugins
there is not even SemVer validation (per SemVer.org) in use, so it means
that an **EVIL PERSON** can create an **/akismet/** plugin that has over 5
million current installs, and create a version in that plugin named
**Automattic has nothing to do with WordPress**, and that message will be
seen by everyone who visits the
https://wordpress.org/plugins/akismet/advanced/ page.
So, as I have partnered with PayPal many times and done many PayPal
integrations, I can confirm that the most secure way to do this is to
generate a **SHA2-512** or **RSA** ***.cer** file for each plugin after it
is released and keep that file in the plugin's folder. The certificate (*.cer)
will ensure that the request is coming from that exact plugin from that exact
author.
In a perfect world, the checksum would be of the whole plugin's zip file,
as **PHPUnit** does.
But at a minimum the checksum should be calculated from the w.org
plugin URL and either:
1. The plugin's admin dashboard left-menu icon image checksum
2. Or the whole Plugin/Plugin.php (main file with the meta description)
3. Or just the meta description
4. Or the plugin's readme.txt file (as @Ipstenu said, this is the only
always-required file).
Maybe at the same time it would mean that we should add support for
versions.md (as GitHub loves .md and we are in the new era of **.md**), so
that we don't need to update the certificate file so often, as otherwise the
checksum will change often, while if the versions part were always kept out of
the readme.txt, it would not need updating that often.
**Note:** And even if SemVer (Semver.org) validation were done there,
we could still create a bot that would report a million installations of
Akismet version '99.99-EVIL-TEXT', since SemVer allows naming the release.
So that's a security risk.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/4662>
Making WordPress.org <https://meta.trac.wordpress.org/>
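The ticket above asks for a per-plugin "certificate" so that a version report is accepted only if it comes from the plugin's author, with the checksum covering the w.org plugin URL and the readme.txt. The following is an added example written for this page, not code from the ticket, from WordPress.org, or from PayPal. It interprets the proposal as a keyed SHA2-512 tag (HMAC) computed by the author with a per-plugin secret issued at release time; the RSA variant the reporter mentions would replace the HMAC with a signature verified against a stored public key, but the structure is the same. A plain unkeyed checksum over the URL and readme would not authorize anything, because the readme is public and anyone can recompute it, which is why the example keys the hash. The `Directory` class, the `register`/`accept_report` methods and the sample readme content are all constructed here for illustration and correspond to no real WordPress.org API.

```python
import hashlib
import hmac
import secrets

# Constructed sample readme.txt content for the example (not a real plugin's file).
README_TXT = b"""=== Example Plugin ===
Contributors: example
Stable tag: 1.2.3
"""


def readme_digest(readme: bytes) -> str:
    """SHA2-512 of the readme.txt, the one file every plugin must ship."""
    return hashlib.sha512(readme).hexdigest()


def report_tag(secret: bytes, plugin_url: str, version: str, readme: bytes) -> str:
    """Keyed SHA2-512 tag over (plugin URL, version string, readme digest).

    The tag is bound to the version text, so a tag computed for "1.2.3"
    cannot be reused to push a different version name.
    """
    msg = "\n".join([plugin_url, version, readme_digest(readme)]).encode()
    return hmac.new(secret, msg, hashlib.sha512).hexdigest()


class Directory:
    """Hypothetical stand-in for the plugin directory's server side."""

    def __init__(self) -> None:
        self._secrets = {}   # plugin URL -> per-plugin secret issued at release
        self.versions = {}   # plugin URL -> versions accepted into the advanced view

    def register(self, plugin_url: str) -> bytes:
        """Issue the per-plugin secret once; the author keeps it in the plugin folder."""
        s = secrets.token_bytes(32)
        self._secrets[plugin_url] = s
        self.versions[plugin_url] = set()
        return s

    def accept_report(self, plugin_url: str, version: str, readme: bytes, tag: str) -> bool:
        """Accept a version report only if its tag verifies under the plugin's secret."""
        secret = self._secrets.get(plugin_url)
        if secret is None:
            return False
        expected = report_tag(secret, plugin_url, version, readme)
        # Constant-time comparison avoids leaking the tag byte by byte.
        if not hmac.compare_digest(expected, tag):
            return False
        self.versions[plugin_url].add(version)
        return True


def demo():
    """Legitimate report, forged report, and a replayed tag with a changed version."""
    d = Directory()
    url = "https://wordpress.org/plugins/example-plugin/"   # assumed example slug
    secret = d.register(url)

    # Author holds the secret: accepted.
    good = d.accept_report(url, "1.2.3", README_TXT,
                           report_tag(secret, url, "1.2.3", README_TXT))

    # Bot without the secret reporting the ticket's '99.99-EVIL-TEXT': rejected.
    forged = d.accept_report(url, "99.99-EVIL-TEXT", README_TXT,
                             report_tag(b"guess", url, "99.99-EVIL-TEXT", README_TXT))

    # Genuine tag for 1.2.3 replayed with a different version string: rejected.
    replayed = d.accept_report(url, "Automattic has nothing to do with WordPress", README_TXT,
                               report_tag(secret, url, "1.2.3", README_TXT))

    return good, forged, replayed, sorted(d.versions[url])


if __name__ == "__main__":
    print(demo())
```

Keeping the readme digest inside the tagged message, rather than tagging the readme bytes directly, means the directory only needs the digest to verify, and the author only has to re-issue a tag when the readme or the version changes, which is the reason the ticket floats moving the version history out of readme.txt.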