[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Marko Heijnen mailing at markoheijnen.nl
Fri Mar 28 17:54:40 UTC 2014


This is exactly something I’m currently working on. In my case I will only show a warning when there is a new update.
Current target date for this is the end of next month.

The problem with announcing security issues on a public list is that people can use the hack. Specially when there isn’t any fix for it yet.
To me doing this is only for your own interest that you get possible clients out of it. This because it doesn’t help the community in any way.

Marko


Op 28 Mar 2014, om 18:19 heeft Dino Termini <dino at duechiacchiere.it> het volgende geschreven:

> Shouldn't the plugin be taken down from the repo? Maybe wordpress, just like it checks for updates, could display a warning in the admin. 
> 
> On March 28, 2014 12:38:26 PM EDT, Harry Metcalfe <harry at dxw.com> wrote:
>> Anyone else agree? Who'd join such a list?
>> 
>> I'll keep a tally on that too.
>> 
>> Though I am a bit surprised at the respondents here who *don't* want to
>> 
>> know about vulnerable plugins they may be running...
>> 
>> Harry
>> 
>> 
>> On 28/03/2014 16:37, Nikola Nikolov wrote:
>>> I'd suggest creating a mailing list - this way people can actually
>> opt-in
>>> to those emails(so people here that don't want to receive that kind
>> of
>>> information will not and those who want can sign-up for it).
>>> 
>>> 
>>> On Fri, Mar 28, 2014 at 6:34 PM, Harry Metcalfe <harry at dxw.com>
>> wrote:
>>> 
>>>> There must be hundreds or thousands of plugin with security issues.
>> I
>>>>> don't think everybody will be interested to know vulnerabilities in
>>>>> them.
>>>>> 
>>>> I'm honestly not sure how to respond to that. I don't think I know
>> anyone
>>>> who doesn't care about having an exploitable website. I agree that
>> there
>>>> are hundreds of vulnerable plugins. That's what we're trying to help
>> fix,
>>>> because it's unacceptable!
>>>> 
>>>> 
>>>>  I guess most of the user of the plugin are not going to read this.
>>>> We'll do the best we can to make sure everyone who is interested
>> will find
>>>> out. We currently:
>>>> 
>>>>  * Publish to our website
>>>>  * Tweet from @dxwsecurity
>>>>  * Post to wp-hackers and Full Disclosure
>>>>  * Request a CVE
>>>> 
>>>> If you have any ideas about how we can spread the word more, I'm all
>> ears.
>>>> 
>>>> Harry
>>>> 
>>>> 
>>>> 
>>>> On 28/03/2014 16:06, Varun Agrawal wrote:
>>>> 
>>>>> Hi Harry,
>>>>> 
>>>>>  It was my assumption that this list would be interested to know
>> about
>>>>>> vulnerable plugins.
>>>>>> 
>>>>> There must be hundreds or thousands of plugin with security issues.
>> I
>>>>> don't think everybody will be interested to know vulnerabilities in
>>>>> them.
>>>>> 
>>>>> 
>>>>>  we are disclosing the vulnerability in order that anyone using
>> this
>>>>>> plugin can take steps to protect themselves.
>>>>>> 
>>>>> I guess most of the user of the plugin are not going to read this.
>>>>> 
>>>>> 
>>>>> -Varun
>>>>> _______________________________________________
>>>>> wp-hackers mailing list
>>>>> wp-hackers at lists.automattic.com
>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>> 
>>>> --
>>>> Harry Metcalfe
>>>> 07790 559 876
>>>> @harrym
>>>> 
>>>> _______________________________________________
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>> 
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>> 
>> -- 
>> Harry Metcalfe
>> 07790 559 876
>> @harrym
>> 
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers



More information about the wp-hackers mailing list