[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Harry Metcalfe harry at dxw.com
Fri Mar 28 16:36:57 UTC 2014


If reports are acknowledged, and plugin authors keep us in the loop, 
we've so far always published on the same day as an update is released, 
with advice to update to the new version as soon as possible. I think 
the only circumstances under which we might publish sooner than that 
would be for a very serious vulnerability that the plugin author was not 
taking seriously.

Harry



On 28/03/2014 16:31, Nikola Nikolov wrote:
> @Chris - they are actually giving plugin authors 14 days to acknowledge the
> report - which I assume means to just send an email along the lines of
> "Okay, I'll take care of that ASAP". And again - 14 days is not a long time
> - sometimes I'm away (and without internet access) for more than that.
>
> I do agree that posting a proof of concept is not a good idea so soon. For
> instance Wordfence sends out emails to their subscribers when plugin
> vulnerabilities have been found (and usually when their users have suffered
> from those vulnerabilities) and suggest what action users should take. For
> instance "Plugin author has responded and patch is available in the next
> release, available now", or "disable and delete plugin until a patch is
> released", or "contact plugin author".
>
>
> On Fri, Mar 28, 2014 at 6:20 PM, Chris Christoff <hello at chriscct7.com>wrote:
>
>> -----------------------------------------------------------
>> ## Chris replied, on Mar 28 @ 12:20pm (AMT):
>>
>> I also disagree with how the issues are being disclosed.
>>   First off, 14 days really isn't a long enough time. Imagine this
>> scenario:
>>   Day 1: Friday: Reported to WP Security team
>>   Day 1: Security team sends email to plugin author
>>   Day 4: Monday: Plugin author begins reading his emails about his
>> plugins that came in over the weekend and notices security email.
>>   Day 7: Thursday: Assuming the bug is easy to fix, a patch
>> is submitted as an update to WordPress.org
>>   Day 8: Update notifications begin to appear in WordPress backend;
>> given it's now Friday, most users (if they even log into their site on
>> Fridays) will put off updating it till Monday, mostly so they can read
>> through the changelog.
>>   Day 11: Users read through changelog and *hopefully* begin updating.
>>
>>   The problem is, this made 2 assumptions. First, you assume all
>> security vulnerabilities are both easy to fix, and the plugin can be
>> re-audited quickly. While most are likely easy to fix (à la the ones
>> reported thus far), most authors would also want to re-audit their
>> plugin's codebase, and for anything over 100k LOC that's going to take
>> a lot of time. Second, you've only given users 3 days to update in
>> this scenario. Some users will not update the first week after an
>> update has been patched. Some not even the first 2 weeks. Maybe they
>> are enterprise or large business sites where they have to get approval
>> and independent testing must be done prior to accepting the patch.
>> Maybe, they are scared of updates for whatever reason and they want to
>> read reports the update hasn't broken someone's site first.
>>
>>   In any event, the "14 days" should be upped to the industry standard
>> 30 days. Currently, in a good case scenario (like the one above)
>> you've given users 3 days to update before you reveal a direct proof
>> of concept of how to exploit the vulnerability.
>>
>>   Even after 30 days, publishing a complete example of how to use the
>> vulnerability is still not all too responsible. I would move to a
>> system where you say what you can do to mitigate the issue after 30,
>> and then hold off on proof of concept for 60-90 days post report.
>>
>>   Finally, I'd have to agree with the others. Posting vulnerability
>> reports here isn't going to alert the majority of the affected users,
>> and it has that spammy feel (even though it's not spam).
>> --
>> Chris Christoff
>> hello at chriscct7.com
>> http://www.chriscct7.com
>> @chriscct7
>> If you feel the need to donate, as a college student, I appreciate
>> donations of any amount. The easiest way to donate to my college fund
>> is via the donation button at the bottom of my
>> homepage: http://chriscct7.com/
>>
>>
>> -----------------------------------------------------------
>> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 12:06pm (AMT):
>>
>> Hi Harry,
>>
>>   >It was my assumption that this list would be interested to know
>> about vulnerable plugins.
>>
>>   There must be hundreds or thousands of plugins with security issues. I
>>   don't think everybody will be interested to know the vulnerabilities in
>>   them.
>>
>>   >we are disclosing the vulnerability in order that anyone using
>> this plugin can take steps to protect themselves.
>>
>>   I guess most of the users of the plugin are not going to read this.
>>
>>   -Varun
>>   _______________________________________________
>>   wp-hackers mailing list
>>   wp-hackers at lists.automattic.com
>>   http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>> -----------------------------------------------------------
>> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 11:52am (AMT):
>>
>> Hi Chris,
>>
>>   We're aware of that, but not sure what alternative there is if the
>>   people who write plugins don't contact us when we report issues to them.
>>   We try to give people enough time to fix things, but if it doesn't look
>>   like they're going to, we believe it is the responsible thing to do to
>>   publish vulnerabilities so that people affected by them can take steps
>>   to protect themselves.
>>
>>   Our disclosure policy is here <https://security.dxw.com/disclosure/>,
>>   and we always draw people's attention to it (see below). All that said,
>>   it is a difficult area and I'm certainly open to suggestions about how
>>   to do it better.
>>
>>   Harry
>>
>> -----------------------------------------------------------
>> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 11:29am (AMT):
>>
>>   I think Daniel was referring to posting to a public list; some malicious
>>   people could take advantage of this, and cause some havoc.
>>
>>
>> -----------------------------------------------------------
>> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 10:46am (AMT):
>>
>> Hi Daniel,
>>
>>   This vulnerability was reported to plugins at wordpress.org on 2nd
>>   February. The author has not responded, so we are disclosing the
>>   vulnerability in order that anyone using this plugin can take steps to
>>   protect themselves.
>>
>>   This is certainly not an advertisement.
>>
>>   Administrivia: It was my assumption that this list would be interested
>>   to know about vulnerable plugins. If anyone has strong feelings for or
>>   against that assumption, please let me know off-list. If there is a
>>   consensus we will honour it.
>>
>>   Cheers,
>>
>>   Harry
>>
>> -----------------------------------------------------------
>> ## wp-hackers at lists.automattic.com replied, on Mar 28 @ 10:41am (AMT):
>>
>> Hi Harry,
>>
>>   Please refrain from advertising on this list. Plugin security issues
>>   should be reported to plugins at wordpress.org.
>>
>>   Thanks.
>>
>>
>> -----------------------------------------------------------
>>

-- 
Harry Metcalfe
07790 559 876
@harrym
