• Resolved billbordallo

    (@billbordallo)


    Hey guys,

    I have just received a warning from WP Toolkit, which is a tool that monitors the health of WordPress sites in WHM/cPanel environments.

    The message is the following:

    WP Toolkit has detected new vulnerabilities on WordPress sites under your care. It is strongly recommended to update or disable vulnerable assets on these sites. You can also configure WP Toolkit to perform automatic actions when vulnerabilities are detected.

    WordPress Simple History plugin <= 3.3.1 – CSV Injection vulnerability

    I have not found any mention in that regard in the support forum.

    Does anyone know anything about that?

    Meanwhile, I think I will keep the plugin disabled.

    Thanks!

Viewing 15 replies - 1 through 15 (of 22 total)
  • Plugin Author eskapism

    (@eskapism)

    Nobody has contacted me regarding any found security issues, so no idea what this could be. Let me know if you find any more information!

    Thread Starter billbordallo

    (@billbordallo)

    Ok, @eskapism. It could be a false warning.

    I will let you know if I have any news.

    Thanks for the reply!

    Also commenting due to having the same issue from WP Toolkit on WHM.

    Looking forward to seeing a solution, hopefully just a false-flag.

    Thread Starter billbordallo

    (@billbordallo)

    Hey guys,

    I have written to [email protected], as advised when you find a security issue in a plugin, and here is what they have replied:

    We would need to see the report that leads to this message. However, “CSV injection” is not a real attack vector for a website.

    The basic idea is that any code which exports a CSV file could include data that is dangerous when you import the CSV file to Excel, or something similar.

    Fundamentally, this is not a real issue, because it is entirely possible that you want that data in that format. After all, a CSV file is just a text file. CSV stands for comma separated values. So anything that creates such a text file could include things like hyperlinks or whatever. And then programs such as Microsoft Excel can interpret those in possibly unexpected ways.

    However, this is not a threat against a website, nor could it be used to directly attack a website. If the plugin has a CSV export feature, then this sort of report gets made simply because it contains that feature. We’ve had several such similar reports in the past, for other plugins, and pretty much all of them have been invalid.

    We did a search and cannot find such a report, so we cannot validate it. So I would say to treat such a report as suspect, until more information is available.

    WordPress Plugin Review Team

    So, I think it is just a false-flag from WHM.

    Patchstack has issued the same vulnerability warning today – pretty sure their vuln database is what WP Toolkit uses. Would be worth checking with them to check what they found or resolve the potential false positive.

    Plugin Author eskapism

    (@eskapism)

    I’ve read the details about the vulnerability but I must confess I don’t quite understand it. Doesn’t quite feel like a serious vulnerability report. But maybe it’s just me who doesn’t understand it 🤷‍♀️.

    Will try to find the time to contact patchstack and see what they say.

    Oh, and btw “No reply from the vendor.” the page says. Well, no one has contacted me, so how can I even reply?

    @eskapism Yeah it is way too generic, talking about potential harm outside the plugin when the CSV file is misused for malice. That ‘danger’ applies to every computer file ever created.

    Patchstack should not have allowed this report by their terms.

    This is Robert from Patchstack here to help if I can.

    First, I would like to apologize to the users receiving a concerning report on a Friday morning of all times. I updated the finding regarding this bug in our database to help clarify the concerns, reducing the risk rating down to a Low. Other changes in how this was communicated could have helped too, but they’re out of my control right now.

    What is CSV Injection? These have always been troubling vulnerabilities to report and communicate. There is no risk to the website itself, but there may be a risk to users who download CSV files exported from the website. In a strange twist, it’s the web application that applies the patch to address this concern.

    If you do not export CSV files using this plugin then this report is not applicable to you. And if you do, just be careful with the export file, by “careful” I mean: Do not disable multiple security features or ignore warnings when opening the file.

    For @eskapism:

    Because of the complex requirements of the attack vector, we recently stopped accepting CSV injection reports from the Patchstack Alliance bug bounty program. Why is it being published now? We accepted this report before the recent decision to stop accepting CSV Injection reports. We attempted to reach out to you multiple times in the last few months, but never heard back. It would really help us if you could share a security point of contact (but we should discuss this elsewhere).

    We will be re-evaluating if we keep this report active at all, but the decision may take time and will take more time to propagate to the WordPress toolkit or other vendors. For now I have reduced the severity on our end, and can help answer any other questions or concerns you may have.

    If you by chance wish to write a patch, I wrote about the concerns of CSV Injection, and how you can patch it easily here. https://patchstack.com/articles/patchstack-weekly-what-is-csv-injection/ — You should not feel this is an emergency thing to patch, but this would have been easier and less stressful had we been able to get in contact with you sooner.

    • This reply was modified 1 year, 9 months ago by rawrly.
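    The usual fix for the concern Robert describes is to neutralise cells that a spreadsheet would read as a formula before they are written to the export. The following is an added example, not Simple History’s own code or the Patchstack article’s, showing that idea in plain PHP with `fputcsv`; the column names, log rows and function names are constructed for the illustration.

    ```php
    <?php
    // Added example (not the plugin's code): guard a CSV log export against
    // spreadsheet formula interpretation. Cells whose first non-space character
    // is one of = + - @ (or a tab / carriage return) get a leading apostrophe,
    // which spreadsheet applications treat as "this cell is literal text".

    function csv_safe_cell(string $value): string {
        // Some spreadsheet apps skip leading spaces before deciding whether a
        // cell is a formula, so inspect the first non-space character.
        $first = substr(ltrim($value, ' '), 0, 1);
        if ($first !== '' && strpos("=+-@\t\r", $first) !== false) {
            return "'" . $value;
        }
        return $value;
    }

    // Build the whole export in memory and return it as a string, so the
    // result can be inspected (or sent with a text/csv header by the caller).
    function export_log_csv(array $header, array $rows): string {
        $fh = fopen('php://memory', 'r+');
        fputcsv($fh, $header);
        foreach ($rows as $row) {
            // Every value is cast to string and escaped, including ones that
            // originate from user-controlled input such as display names.
            $cells = array_map('csv_safe_cell', array_map('strval', $row));
            fputcsv($fh, $cells);
        }
        rewind($fh);
        $csv = stream_get_contents($fh);
        fclose($fh);
        return $csv;
    }

    // Constructed sample rows in the shape of an activity-log export.
    $header = ['date', 'logger', 'message', 'user'];
    $rows = [
        ['2024-01-01 10:00:00', 'PostLogger', 'Updated post "Hello"',            'alice'],
        ['2024-01-01 10:05:00', 'UserLogger', '=1+1 was set as a display name', 'bob'],
        ['2024-01-01 10:07:00', 'UserLogger', '@carol changed her e-mail',      'carol'],
    ];

    echo export_log_csv($header, $rows);
    ```

    Trade-off to be aware of: the apostrophe stays visible in some applications when the file is opened as plain text, so numeric columns that legitimately start with a minus sign are often exempted from the check.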

    I got the same warning from Wordfence so is it a real issue or not? If so I will delete the plugin and look for another one. See below for the message I received from Wordfence.

    Description

    The Simple History plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 3.3.1. This allows subscriber-level attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

    Plugin Author eskapism

    (@eskapism)

    Thanks for the feedback and explanation @rawrly.

    I did however check my email (and spam folder), but no email from Patchstack regarding this.

    Also, nowhere can I find any example of how this exploit can be used. I will gladly fix this issue if someone can provide an example of how this vulnerability works.

    To the users of this plugin that are getting warnings from Patchstack, Wordfence, and possible other plugins: I will update the plugin later today to a new version, with the CSV export temporarily disabled just to hopefully get rid of the warnings.

    Also, there is no danger in using the plugin; the Patchstack vulnerability only theoretically applies if you are exporting the log to a CSV file and then loading this file in other software. But, as I mentioned before, I have not seen any proof of any real exploit or vulnerability yet.

    @rawrly This is not a potential threat directly related to the Simple History plugin. You should remove this fake ‘vulnerability’ from your database. It is very misleading for website admins.

    Plugin Author eskapism

    (@eskapism)

    @rawrly have you confirmed this vulnerability yourself? I did manage to find some screenshots in the report, but they are screenshots of a JSON-export, not a CSV export. The key _server_remote_addr that they use is not even included in the CSV-export…

  • The topic ‘cPanel warning: Site vulnerabilities found’ is closed to new replies.