Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Full Disclosure>
  3. Full-Disclosure
A question for the list - WordPress plugin inspections
harry at dxw
Feb 19, 2014, 10:40 AM
Post #1 of 8 (3032 views)
Permalink
Hello list,

We write and publish light-touch inspections of WordPress plugins that
we do for our clients. They are just a guide - we conduct some basic
checks, not a thorough review.

Would plugins which fail this inspection be of general interest to the
list and therefore worth posting, as we would a vulnerability?

Here's an example report:

https://security.dxw.com/plugins/gd-star-rating-1-9-22/

Grateful for a steer...

Harry

--
Harry Metcalfe
07790 559 876
@harrym

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: A question for the list - WordPress plugin inspections [ In reply to ]
seth.arnold at canonical
Feb 19, 2014, 11:27 AM
Post #2 of 8 (3015 views)
Permalink
On Wed, Feb 19, 2014 at 06:40:51PM +0000, Harry Metcalfe wrote:
> We write and publish light-touch inspections of WordPress plugins
> that we do for our clients. They are just a guide - we conduct some
> basic checks, not a thorough review.
>
> Would plugins which fail this inspection be of general interest to
> the list and therefore worth posting, as we would a vulnerability?
>
> Here's an example report:
>
> https://security.dxw.com/plugins/gd-star-rating-1-9-22/
>
> Grateful for a steer...

That's a very nice summary view, but it'd be more useful in this medium
if you included the lines of code that introduce the vulnerabilities.

Most useful would be to coordinate with authors and MITRE for CVE numbers
for the issues you find to ensure the issues aren't forgotten about or
otherwise ignored.

Thanks

Attached Files:

Re: A question for the list - WordPress plugin inspections [ In reply to ]
harry at dxw
Feb 19, 2014, 12:58 PM
Post #3 of 8 (3010 views)
Permalink
Hi Seth,

There really isn't time for us to do that, in the context of an
inspection. It's a very light-touch assessment.

When we find vulnerabilities we do also report those, after working with
the vendor. And they are more detailed. For example:

https://security.dxw.com/advisories/moving-any-file-php-user-has-access-to-in-bp-group-documents-1-2-1/

Harry

On 19/02/2014 19:27, Seth Arnold wrote:
> On Wed, Feb 19, 2014 at 06:40:51PM +0000, Harry Metcalfe wrote:
>> We write and publish light-touch inspections of WordPress plugins
>> that we do for our clients. They are just a guide - we conduct some
>> basic checks, not a thorough review.
>>
>> Would plugins which fail this inspection be of general interest to
>> the list and therefore worth posting, as we would a vulnerability?
>>
>> Here's an example report:
>>
>> https://security.dxw.com/plugins/gd-star-rating-1-9-22/
>>
>> Grateful for a steer...
> That's a very nice summary view, but it'd be more useful in this medium
> if you included the lines of code that introduce the vulnerabilities.
>
> Most useful would be to coordinate with authors and MITRE for CVE numbers
> for the issues you find to ensure the issues aren't forgotten about or
> otherwise ignored.
>
> Thanks
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Re: A question for the list - WordPress plugin inspections [ In reply to ]
thomas at tmacuk
Feb 19, 2014, 1:01 PM
Post #4 of 8 (3012 views)
Permalink
It might be worth speaking with the WPScan team over at http://wpscan.org/

Maybe they can do the hard work for you?

Thanks,
Thomas

> Harry Metcalfe <mailto:harry@dxw.com>
> 19 February 2014 20:58
> Hi Seth,
>
> There really isn't time for us to do that, in the context of an
> inspection. It's a very light-touch assessment.
>
> When we find vulnerabilities we do also report those, after working
> with the vendor. And they are more detailed. For example:
>
>
> https://security.dxw.com/advisories/moving-any-file-php-user-has-access-to-in-bp-group-documents-1-2-1/
>
> Harry
>
> On 19/02/2014 19:27, Seth Arnold wrote:
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> Seth Arnold <mailto:seth.arnold@canonical.com>
> 19 February 2014 19:27
>
> That's a very nice summary view, but it'd be more useful in this medium
> if you included the lines of code that introduce the vulnerabilities.
>
> Most useful would be to coordinate with authors and MITRE for CVE numbers
> for the issues you find to ensure the issues aren't forgotten about or
> otherwise ignored.
>
> Thanks
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> Harry Metcalfe <mailto:harry@dxw.com>
> 19 February 2014 18:40
> Hello list,
>
> We write and publish light-touch inspections of WordPress plugins that
> we do for our clients. They are just a guide - we conduct some basic
> checks, not a thorough review.
>
> Would plugins which fail this inspection be of general interest to the
> list and therefore worth posting, as we would a vulnerability?
>
> Here's an example report:
>
> https://security.dxw.com/plugins/gd-star-rating-1-9-22/
>
> Grateful for a steer...
>
> Harry
>

Attached Files:

Re: A question for the list - WordPress plugin inspections [ In reply to ]
henri at nerv
Feb 19, 2014, 11:53 PM
Post #5 of 8 (2999 views)
Permalink
On Wed, Feb 19, 2014 at 08:58:49PM +0000, Harry Metcalfe wrote:
> Hi Seth,
>
> There really isn't time for us to do that, in the context of an
> inspection. It's a very light-touch assessment.
>
> When we find vulnerabilities we do also report those, after working
> with the vendor. And they are more detailed. For example:
>
> https://security.dxw.com/advisories/moving-any-file-php-user-has-access-to-in-bp-group-documents-1-2-1/
>
> Harry

People behind plugins@wordpress.org can help you with coordination. They can
also disable plugins so that there won't be new installations before maintainer
fixes issues. Note that security@ address should not be contacted when dealing
with plugin issues. It is important to get vulnerabilities fixed in upstream
codebase. I can also help you with communication, verification and such in my
own time.

---
Henri Salo

Attached Files:

Re: A question for the list - WordPress plugin inspections [ In reply to ]
athiasjerome at gmail
Feb 20, 2014, 12:39 AM
Post #6 of 8 (2991 views)
Permalink
It is valuable
I concur (# line of code, file names and CVE submission).

I would also suggest to use common classifications (or a mapping) such
as OWASP TOP10, WASC, CWE (CAPEC) for your criterias.

Providing details regarding the methodology or/and tools used for the
assessment would be also valuable.
(i.e. Checklist, RIPS,
https://labs.portcullis.co.uk/tools/wordpress-build-review-tool/ )

Thank you
Best regards

2014-02-19 Seth Arnold <seth.arnold@canonical.com>:
> On Wed, Feb 19, 2014 at 06:40:51PM +0000, Harry Metcalfe wrote:
>> We write and publish light-touch inspections of WordPress plugins
>> that we do for our clients. They are just a guide - we conduct some
>> basic checks, not a thorough review.
>>
>> Would plugins which fail this inspection be of general interest to
>> the list and therefore worth posting, as we would a vulnerability?
>>
>> Here's an example report:
>>
>> https://security.dxw.com/plugins/gd-star-rating-1-9-22/
>>
>> Grateful for a steer...
>
> That's a very nice summary view, but it'd be more useful in this medium
> if you included the lines of code that introduce the vulnerabilities.
>
> Most useful would be to coordinate with authors and MITRE for CVE numbers
> for the issues you find to ensure the issues aren't forgotten about or
> otherwise ignored.
>
> Thanks
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: A question for the list - WordPress plugin inspections [ In reply to ]
harry at dxw
Feb 20, 2014, 1:16 AM
Post #7 of 8 (2998 views)
Permalink
Hi Jerome,

The criteria are here:

https://security.dxw.com/about/plugin-inspections/

Is that what you mean?

I agree using a common classification would be good. I'll have a look
into that.

As mentioned before, though - these are not vulnerability reports. We do
those too:

https://security.dxw.com/advisories/xss-and-csrf-in-user-domain-whitelist-v1-4/

and they are more detailed. Inspections are more about code smell, if
you know what I mean. So there aren't specific files, lines, etc.

Harry


On 20/02/2014 08:39, Jerome Athias wrote:
> It is valuable
> I concur (# line of code, file names and CVE submission).
>
> I would also suggest to use common classifications (or a mapping) such
> as OWASP TOP10, WASC, CWE (CAPEC) for your criterias.
>
> Providing details regarding the methodology or/and tools used for the
> assessment would be also valuable.
> (i.e. Checklist, RIPS,
> https://labs.portcullis.co.uk/tools/wordpress-build-review-tool/ )
>
> Thank you
> Best regards
>
> 2014-02-19 Seth Arnold <seth.arnold@canonical.com>:
>> On Wed, Feb 19, 2014 at 06:40:51PM +0000, Harry Metcalfe wrote:
>>> We write and publish light-touch inspections of WordPress plugins
>>> that we do for our clients. They are just a guide - we conduct some
>>> basic checks, not a thorough review.
>>>
>>> Would plugins which fail this inspection be of general interest to
>>> the list and therefore worth posting, as we would a vulnerability?
>>>
>>> Here's an example report:
>>>
>>> https://security.dxw.com/plugins/gd-star-rating-1-9-22/
>>>
>>> Grateful for a steer...
>> That's a very nice summary view, but it'd be more useful in this medium
>> if you included the lines of code that introduce the vulnerabilities.
>>
>> Most useful would be to coordinate with authors and MITRE for CVE numbers
>> for the issues you find to ensure the issues aren't forgotten about or
>> otherwise ignored.
>>
>> Thanks
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: A question for the list - WordPress plugin inspections [ In reply to ]
athiasjerome at gmail
Feb 20, 2014, 1:28 AM
Post #8 of 8 (3005 views)
Permalink
Yes

btw you can simply submit by email to osvdb, packetstorm, etc.
but I'm pretty sure they will catch it now ;)

2014-02-20 Harry Metcalfe <harry@dxw.com>:
> Hi Jerome,
>
> The criteria are here:
>
> https://security.dxw.com/about/plugin-inspections/
>
> Is that what you mean?
>
> I agree using a common classification would be good. I'll have a look into
> that.
>
> As mentioned before, though - these are not vulnerability reports. We do
> those too:
>
> https://security.dxw.com/advisories/xss-and-csrf-in-user-domain-whitelist-v1-4/
>
> and they are more detailed. Inspections are more about code smell, if you
> know what I mean. So there aren't specific files, lines, etc.
>
> Harry
>
>
>
> On 20/02/2014 08:39, Jerome Athias wrote:
>>
>> It is valuable
>> I concur (# line of code, file names and CVE submission).
>>
>> I would also suggest to use common classifications (or a mapping) such
>> as OWASP TOP10, WASC, CWE (CAPEC) for your criterias.
>>
>> Providing details regarding the methodology or/and tools used for the
>> assessment would be also valuable.
>> (i.e. Checklist, RIPS,
>> https://labs.portcullis.co.uk/tools/wordpress-build-review-tool/ )
>>
>> Thank you
>> Best regards
>>
>> 2014-02-19 Seth Arnold <seth.arnold@canonical.com>:
>>>
>>> On Wed, Feb 19, 2014 at 06:40:51PM +0000, Harry Metcalfe wrote:
>>>>
>>>> We write and publish light-touch inspections of WordPress plugins
>>>> that we do for our clients. They are just a guide - we conduct some
>>>> basic checks, not a thorough review.
>>>>
>>>> Would plugins which fail this inspection be of general interest to
>>>> the list and therefore worth posting, as we would a vulnerability?
>>>>
>>>> Here's an example report:
>>>>
>>>> https://security.dxw.com/plugins/gd-star-rating-1-9-22/
>>>>
>>>> Grateful for a steer...
>>>
>>> That's a very nice summary view, but it'd be more useful in this medium
>>> if you included the lines of code that introduce the vulnerabilities.
>>>
>>> Most useful would be to coordinate with authors and MITRE for CVE numbers
>>> for the issues you find to ensure the issues aren't forgotten about or
>>> otherwise ignored.
>>>
>>> Thanks
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal