Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Author DonnellC

    (@donnellc)

    What is the security vulnerability you’ve discovered?

    Plugin Author DonnellC

    (@donnellc)

After going over the plug-in code, I do not see any security vulnerability.

Also, it appears you are new to WordPress, and I have seen you posting the same thing to other developers' plug-ins. If you cannot list what the issue is, please do not open a ticket.

    Thread Starter nitstorm

    (@nitstorm)

The thing is, most developers do not want to discuss security issues in the public forum. Hence I had requested an email address to submit the report to. The issue in your case is CSRF. Do you want me to post the Proof of Concept code here as well?

    Plugin Author DonnellC

    (@donnellc)

Yes, as I do not feel comfortable providing my email address to you.

    Thread Starter nitstorm

    (@nitstorm)

    Hi,

    Vulnerability Description:
    The issue is CSRF wherein any values could be modified and submitted. Additionally, there is provision to load any 3 JS libraries and a CSS file if one copies the generated code and creates a form as directed in the plugin’s instructions.

    Proof of Concept:
    Here’s the link to the PoC as you wished – https://gist.github.com/nitstorm/66e5bb4e1c643ea7a771

It’s been shared as a secret gist so that it’s not crawlable by search engines.

    Disclosure Timeline:
    2015-06-03 – Discovered. Contacted developer on forums
    2015-06-05 – Posting the PoC on the forum as per the developer’s wish.

    Disclaimer:
This vulnerability report and PoC are purely meant for educational purposes. I will in no way be responsible as to how the information in this disclosure is used.

    Plugin Author DonnellC

    (@donnellc)

    I’m reviewing how to correct this issue.

    Thread Starter nitstorm

    (@nitstorm)

    That is good to hear. Please do keep me updated on the issue and its resolution.

    Thanks!

    Thread Starter nitstorm

    (@nitstorm)

    Hi,

    Still waiting for an update on the fix. Please do respond soon as the vulnerability details are public as per your previous request.

    Plugin Author DonnellC

    (@donnellc)

After further investigation, there actually isn’t an issue with the way the plug-in works. This is not a security flaw. The only way your proof of concept works is if the user is logged in or you have their sign-in information.

    There will be an update soon regarding your CSRF inquiry.

Again, there is “NOT” a security vulnerability regarding the information that you’re inquiring about.

Please sign out of WordPress and try to submit that request when you’re signed out. You’ll see the proof of concept is not valid.

    Thread Starter nitstorm

    (@nitstorm)

    The point of a CSRF is hijacking an authenticated user’s session. So yes, the PoC will not work if the user is signed out.

And CSRF is indeed a security vulnerability. In fact, it’s among OWASP’s Top 10 – https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
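The report above (any values modifiable via CSRF, including the URLs of three JS libraries and a CSS file) and the later explanation that CSRF rides on an already-authenticated session both come down to the same handler pattern. The following is an added illustration, not the plugin's code and not written by either participant: a WordPress settings handler that is CSRF-prone because it only checks that someone is logged in, beside a hardened version that checks capability, verifies a nonce, and only stores asset URLs from an allow-list. Every option, action, field and host name here (EX_OPTION, EX_ACTION, js_lib_1..3, css_file, the allowed hosts) is a hypothetical placeholder.

```php
<?php
/*
 * Added illustration (not the plugin's code): a WordPress settings save handler
 * in its CSRF-prone form and in a hardened form. All names are hypothetical.
 */

const EX_OPTION = 'ex_form_settings';  // hypothetical option name
const EX_ACTION = 'ex_save_settings';  // hypothetical admin-post action name

/*
 * CSRF-prone handler: it only checks that a user is logged in. The browser
 * attaches the admin's session cookie to any request for admin-post.php, so a
 * form submitted from an unrelated page while the admin is logged in passes this
 * check and stores whatever values that form chose, script URLs included.
 */
function ex_save_settings_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in' );
    }
    update_option( EX_OPTION, array(
        'js_lib_1' => $_POST['js_lib_1'],  // stored unvalidated
        'js_lib_2' => $_POST['js_lib_2'],
        'js_lib_3' => $_POST['js_lib_3'],
        'css_file' => $_POST['css_file'],
    ) );
}

/* Hardened form: the nonce field ties the submission to this user and this action. */
function ex_render_settings_page() {
    $opts = get_option( EX_OPTION, array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( EX_ACTION, EX_ACTION . '_nonce' ); ?>
        <input type="hidden" name="action" value="<?php echo esc_attr( EX_ACTION ); ?>">
        <?php foreach ( array( 'js_lib_1', 'js_lib_2', 'js_lib_3', 'css_file' ) as $f ) : ?>
            <p><label><?php echo esc_html( $f ); ?>
            <input type="url" name="<?php echo esc_attr( $f ); ?>"
                   value="<?php echo esc_attr( isset( $opts[ $f ] ) ? $opts[ $f ] : '' ); ?>"></label></p>
        <?php endforeach; ?>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

/*
 * Accept only https URLs whose host is on an allow-list (hypothetical list);
 * return '' for anything else so the site can never be pointed at an
 * arbitrary script or stylesheet, whatever else the request contains.
 */
function ex_validate_asset_url( $url, $allowed_hosts ) {
    $url   = esc_url_raw( trim( (string) $url ), array( 'https' ) );
    $parts = wp_parse_url( $url );
    if ( empty( $parts['host'] ) || ! in_array( strtolower( $parts['host'] ), $allowed_hosts, true ) ) {
        return '';
    }
    return $url;
}

function ex_save_settings_hardened() {
    // 1. Authorization: the user must be allowed to change site settings at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. Anti-CSRF: the request must carry a valid nonce for this action;
    //    check_admin_referer() stops the request if it is missing or invalid.
    check_admin_referer( EX_ACTION, EX_ACTION . '_nonce' );

    // 3. Validation: never store raw request values.
    $allowed_hosts = array( 'code.jquery.com', 'cdnjs.cloudflare.com' ); // hypothetical
    $clean = array();
    foreach ( array( 'js_lib_1', 'js_lib_2', 'js_lib_3', 'css_file' ) as $f ) {
        $clean[ $f ] = isset( $_POST[ $f ] )
            ? ex_validate_asset_url( wp_unslash( $_POST[ $f ] ), $allowed_hosts )
            : '';
    }
    update_option( EX_OPTION, $clean );

    $back = wp_get_referer() ? wp_get_referer() : admin_url( 'options-general.php' );
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_' . EX_ACTION, 'ex_save_settings_hardened' );
```

Wire `ex_render_settings_page()` to an options page with `add_options_page()` and submit the form normally; then resubmit it with the `ex_save_settings_nonce` field removed and the hardened handler rejects it with WordPress's standard "The link you followed has expired." screen. The nonce check is what distinguishes a request the admin deliberately made from one their browser was induced to send, which is exactly the gap the logged-in-only check leaves open; the URL allow-list is a separate, defence-in-depth control for the "load any JS library" part of the report.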

    Plugin Author DonnellC

    (@donnellc)

Then that would be a WordPress issue, not a plugin issue.

Like I said, I have a fix for it already. I haven’t released it to the public yet.

    Thread Starter nitstorm

    (@nitstorm)

    It would be your opinion that you feel it is a WordPress issue and not the plugin’s.

    Please do release the fix at the soonest since you already have it. I don’t think you realise the severity of the vulnerability issue present in your plugin. If an update is not made soon, I will be forced to escalate the issue to the WordPress Plugins team.

    Please also feel free to mail the WordPress Plugins team yourself to confirm if this is a real and valid security vulnerability or not.

    Plugin Author DonnellC

    (@donnellc)

Nitstorm,

    1.1 has been released.

    Thread Starter nitstorm

    (@nitstorm)

    DonnellC,

    Thank you. A full disclosure will be published within a couple of days and I’ll be making a CVE request for the issue.

  • The topic ‘Discovered security vulnerabilities’ is closed to new replies.