[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Half-Elf on Tech ipstenu at halfelf.org
Fri Mar 28 19:30:31 UTC 2014


To clarify:

For PLUGIN security issues of plugins that are hosted on WPORG, you 
email plugins at wordpress.org

And we pull it as soon as we can review the PoC, verify it, contact the 
dev, and do everything else we do. Which may not be 'right away' 
(especially when someone sends in 50 reports in one day, yes that 
happened). Assuming we pull things same day is a lovely perfect-world. 
Ain't real though :)

Scott Herbert (via Phone) wrote:
>
> If you email security at wordpress.org they pull it straight away.
>
> On 28 March 2014 17:19:53 GMT+00:00, Dino
> Termini<dino at duechiacchiere.it> wrote:
>>
>> Shouldn't the plugin be taken down from the repo? Maybe wordpress, just
>> like it checks for updates, could display a warning in the admin.
>>
>> On March 28, 2014 12:38:26 PM EDT, Harry Metcalfe<harry at dxw.com>
>> wrote:
>>>
>>> Anyone else agree? Who'd join such a list?
>>>
>>> I'll keep a tally on that too.
>>>
>>> Though I am a bit surprised at the respondents here who *don't* want
>>> to know about vulnerable plugins they may be running...
>>>
>>> Harry
>>>
>>>
>>> On 28/03/2014 16:37, Nikola Nikolov wrote:
>>>>
>>>> I'd suggest creating a mailing list - this way people can actually
>>>> opt-in to those emails (so people here that don't want to receive
>>>> that kind of information will not and those who want can sign up
>>>> for it).
>>>>
>>>>
>>>> On Fri, Mar 28, 2014 at 6:34 PM, Harry Metcalfe<harry at dxw.com>
>>>> wrote:
>>>>>
>>>>>> There must be hundreds or thousands of plugins with security
>>>>>> issues. I don't think everybody will be interested to know
>>>>>> vulnerabilities in them.
>>>>>
>>>>> I'm honestly not sure how to respond to that. I don't think I know
>>>>> anyone who doesn't care about having an exploitable website. I agree
>>>>> that there are hundreds of vulnerable plugins. That's what we're
>>>>> trying to help fix, because it's unacceptable!
>>>>>
>>>>>> I guess most of the users of the plugin are not going to read this.
>>>>>
>>>>> We'll do the best we can to make sure everyone who is interested
>>>>> will find out. We currently:
>>>>>
>>>>> * Publish to our website
>>>>> * Tweet from @dxwsecurity
>>>>> * Post to wp-hackers and Full Disclosure
>>>>> * Request a CVE
>>>>>
>>>>> If you have any ideas about how we can spread the word more, I'm
>>>>> all ears.
>>>>>
>>>>> Harry
>>>>>
>>>>>
>>>>> On 28/03/2014 16:06, Varun Agrawal wrote:
>>>>>>
>>>>>> Hi Harry,
>>>>>>
>>>>>>> It was my assumption that this list would be interested to know
>>>>>>> about vulnerable plugins.
>>>>>>
>>>>>> There must be hundreds or thousands of plugins with security
>>>>>> issues. I don't think everybody will be interested to know
>>>>>> vulnerabilities in them.
>>>>>>
>>>>>>> we are disclosing the vulnerability in order that anyone using
>>>>>>> this plugin can take steps to protect themselves.
>>>>>>
>>>>>> I guess most of the users of the plugin are not going to read this.
>>>>>>
>>>>>> -Varun
>>>>>> _______________________________________________
>>>>>> wp-hackers mailing list
>>>>>> wp-hackers at lists.automattic.com
>>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>>
>>>>> --
>>>>> Harry Metcalfe
>>>>> 07790 559 876
>>>>> @harrym
>

