[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Jamie Currie jamie at wunderdojo.com
Fri Mar 28 19:35:24 UTC 2014


I just did an "emergency" cleanup job for a company who got hacked. 80+ 
files had eval'd base64 encoded crud added to them, scattered throughout 
various spots in WP including deep in admin subfolders. Source of the 
intrusion appears to have been a plugin that was vulnerable to SQL 
injection.

Obviously lots of other security failings that let it get to that point, 
including not having recent updates. But it's hard to see where anyone 
wouldn't want to be made aware of potential vulnerabilities. I'm pretty 
sure this company -- who just paid rush rates to get it remediated -- 
would have appreciated them. Actually, I suppose I'd be the only one who 
wouldn't want vulnerabilities exposed -- that was a pretty sweet check 
for one day of work!

Jamie
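The cleanup described above (eval'd, base64-encoded code scattered across 80+ files, including deep in admin subfolders) is usually triaged by scanning the whole tree for the eval/base64_decode wrappers and decoding their arguments, rather than by opening files one at a time. The script below is an added example, not code from the original post or from WordPress: it writes a small constructed WordPress-like tree with two injected files and one clean one into a temporary directory, scans it, and peels nested base64 / gzinflate (raw DEFLATE) layers to show what each payload actually does. File names, layout and payloads are all constructed for the demonstration.

```python
"""Triage scan for eval'd base64 payloads in a WordPress install.

Added example, not code from the original post or from WordPress. The
tree written by build_sample_tree() is constructed for the demonstration.
"""
import base64
import binascii
import os
import re
import tempfile
import zlib

# eval()/assert() fed directly by a decoding wrapper, the shape injected
# PHP typically takes. Whitespace between the tokens is tolerated.
SUSPICIOUS = re.compile(
    r"\b(eval|assert)\s*\(\s*(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(",
    re.IGNORECASE,
)
# The quoted base64 literal handed to base64_decode(); may span lines.
B64_ARG = re.compile(r"""base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)""", re.I)

INJECTED = "/* constructed sample */ echo 'injected';"  # constructed payload


def _looks_textual(data: bytes) -> bool:
    """True if every byte is printable ASCII or common whitespace."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def decode_layers(blob: str, max_layers: int = 6) -> str:
    """Peel base64 (and, for binary output, raw-DEFLATE/gzinflate) layers.

    Follows nested eval(base64_decode('...')) wrappers and returns the
    innermost text reached; returns the input unchanged if it is not base64.
    """
    text = blob
    for _ in range(max_layers):
        try:
            raw = base64.b64decode("".join(text.split()), validate=True)
        except (binascii.Error, ValueError):
            return text
        if not _looks_textual(raw):
            try:  # PHP gzinflate() is raw DEFLATE, hence wbits=-15
                raw = zlib.decompress(raw, -15)
            except zlib.error:
                pass
        inner = raw.decode("latin-1")
        nested = B64_ARG.search(inner)
        if nested is None:
            return inner
        text = nested.group(1)
    return text


def scan_tree(root: str) -> list:
    """Walk root for .php files; report each eval'd wrapper with a decoded preview."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                src = fh.read()
            for match in SUSPICIOUS.finditer(src):
                # Nearest following base64_decode() argument is taken as the payload.
                arg = B64_ARG.search(src, match.start())
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "line": src.count("\n", 0, match.start()) + 1,
                    "wrapper": re.sub(r"\s+", "", match.group(0)),
                    "decoded": decode_layers(arg.group(1)).strip() if arg else "",
                })
    findings.sort(key=lambda f: (f["path"], f["line"]))
    return findings


def _b64(code: str) -> str:
    return base64.b64encode(code.encode()).decode()


def _gz_b64(code: str) -> str:
    """Mimic base64_encode(gzdeflate(code)): raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(code.encode()) + comp.flush()).decode()


def build_sample_tree() -> str:
    """Write a constructed WordPress-like tree to a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    single = "<?php eval(base64_decode('%s')); ?>" % _b64(INJECTED)
    # Two layers: eval(gzinflate(base64_decode(...))) around eval(base64_decode(...)).
    layered = "<?php\n/* original plugin code */\neval ( gzinflate( base64_decode( '%s' ) ) );" % (
        _gz_b64("eval(base64_decode('%s'));" % _b64(INJECTED)))
    samples = {
        "wp-admin/includes/legit.php": "<?php function sitemap_title() { return 'ok'; }",
        "wp-content/uploads/.cache.php": single,
        "wp-content/plugins/some-plugin/helper.php": layered,
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print("%s:%d  %s  ->  %s" % (f["path"], f["line"], f["wrapper"], f["decoded"][:80]))
```

Treat hits as leads, not a complete list: string splitting, variable functions and other wrappers the regex does not know will be missed, so the scan belongs alongside a checksum comparison against clean copies of core and each plugin, and the hosting account's other sites should be checked too, since the injected files described above were spread well beyond the vulnerable plugin.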


------ Original Message ------
From: "Scott Herbert (via Phone)" <scott.a.herbert at googlemail.com>
To: wp-hackers at lists.automattic.com
Sent: 3/28/2014 11:53:36 AM
Subject: Re: [wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)
>If you email security at wordpress.org they pull it straight away.
>
>On 28 March 2014 17:19:53 GMT+00:00, Dino Termini 
><dino at duechiacchiere.it> wrote:
>>Shouldn't the plugin be taken down from the repo? Maybe WordPress, just
>>like it checks for updates, could display a warning in the admin.
>>
>>On March 28, 2014 12:38:26 PM EDT, Harry Metcalfe <harry at dxw.com>
>>wrote:
>>>Anyone else agree? Who'd join such a list?
>>>
>>>I'll keep a tally on that too.
>>>
>>>Though I am a bit surprised at the respondents here who *don't* want to
>>>know about vulnerable plugins they may be running...
>>>
>>>Harry
>>>
>>>
>>>On 28/03/2014 16:37, Nikola Nikolov wrote:
>>>>  I'd suggest creating a mailing list - this way people can actually opt-in
>>>>  to those emails (so people here that don't want to receive that kind of
>>>>  information will not and those who want can sign up for it).
>>>>
>>>>
>>>>  On Fri, Mar 28, 2014 at 6:34 PM, Harry Metcalfe <harry at dxw.com> wrote:
>>>>
>>>>>>  There must be hundreds or thousands of plugins with security issues. I
>>>>>>  don't think everybody will be interested to know vulnerabilities in
>>>>>>  them.
>>>>>>
>>>>>  I'm honestly not sure how to respond to that. I don't think I know anyone
>>>>>  who doesn't care about having an exploitable website. I agree that there
>>>>>  are hundreds of vulnerable plugins. That's what we're trying to help fix,
>>>>>  because it's unacceptable!
>>>>>
>>>>>
>>>>>>  I guess most of the users of the plugin are not going to read this.
>>>>>  We'll do the best we can to make sure everyone who is interested will find
>>>>>  out. We currently:
>>>>>
>>>>>    * Publish to our website
>>>>>    * Tweet from @dxwsecurity
>>>>>    * Post to wp-hackers and Full Disclosure
>>>>>    * Request a CVE
>>>>>
>>>>>  If you have any ideas about how we can spread the word more, I'm all
>>>>>  ears.
>>>>>
>>>>>  Harry
>>>>>
>>>>>
>>>>>
>>>>>  On 28/03/2014 16:06, Varun Agrawal wrote:
>>>>>
>>>>>>  Hi Harry,
>>>>>>
>>>>>>>  It was my assumption that this list would be interested to know about
>>>>>>>  vulnerable plugins.
>>>>>>>
>>>>>>  There must be hundreds or thousands of plugins with security issues. I
>>>>>>  don't think everybody will be interested to know vulnerabilities in
>>>>>>  them.
>>>>>>
>>>>>>
>>>>>>>  we are disclosing the vulnerability in order that anyone using this
>>>>>>>  plugin can take steps to protect themselves.
>>>>>>>
>>>>>>  I guess most of the users of the plugin are not going to read this.
>>>>>>
>>>>>>
>>>>>>  -Varun
>>>>>>  _______________________________________________
>>>>>>  wp-hackers mailing list
>>>>>>  wp-hackers at lists.automattic.com
>>>>>>  http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>>>
>>>>>  --
>>>>>  Harry Metcalfe
>>>>>  07790 559 876
>>>>>  @harrym
>>>>>
>>>>>
>>>
>>>--
>>>Harry Metcalfe
>>>07790 559 876
>>>@harrym
>>>
>
>--
>Sent from my Android device with K-9 Mail. Please excuse my brevity.

