CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)


CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Harry Metcalfe-4
Details
================
Software: WP HTML Sitemap
Version: 1.2
Homepage: http://wordpress.org/plugins/wp-html-sitemap/
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description
================
CSRF vulnerability in WP HTML Sitemap 1.2

Vulnerability
================
A CSRF vulnerability exists which allows an attacker to delete the
sitemap if a logged-in admin user visits a link of the attacker’s choosing.
Line 202 of inc/AdminPage.php says “// check whether form was just
submitted” but the following if/elseif statements only check whether a
particular button was pressed without checking nonce values. The form in
question is printed in wp_html_sitemap_AdminPage::createSitemapForm()
around line 146 of the same file.

Proof of concept
================
This form deletes the sitemap without requiring a nonce value:
<form
action="http://not-a-real-site.local/wp-admin/options-general.php?page=wp-html-sitemap&tab=general"
method="POST">
<input type="text" name="deleteSitemap" value="Delete Sitemap">
<input type="submit">
</form>

Mitigations
================
Disable the plugin until a fix is available.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our
disclosure policy: https://security.dxw.com/disclosure/

Please contact us on [hidden email] to acknowledge this report if you
received it via a third party (for example, [hidden email]) as
they generally cannot communicate with us on your behalf.

Please note that this vulnerability will be published if we do not
receive a response to this report within 14 days.

Timeline
================

2014-02-21: Discovered
2014-02-26: Reported
2014-03-28: No response received. Published


Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.


_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers
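The missing check the advisory describes, as an added illustration that is not the plugin's own code: a POST handler that keys only on which button was pressed, beside the same handler guarded by WordPress's capability and nonce checks. The nonce action and field names, the helper names wp_html_sitemap_create()/wp_html_sitemap_delete(), and the assumption that this runs inside a WordPress admin page are all mine, not the plugin's.

```php
<?php
// Added illustration, not code from WP HTML Sitemap: a reconstruction of the
// pattern the report describes next to a hardened version. Action/field names
// ('wp_html_sitemap_manage', '_wpnonce_sitemap') and the two helper routines
// are assumptions for this example; the WordPress functions are real.

// --- Vulnerable pattern (what the report describes) ------------------------
// The handler only asks which button arrived in the POST body. A form on any
// other origin can send deleteSitemap=... and the admin's session cookies are
// attached automatically, so the delete branch runs on the attacker's behalf.
function vulnerable_handle_form() {
    if ( isset( $_POST['createSitemap'] ) ) {
        wp_html_sitemap_create();            // hypothetical plugin routine
    } elseif ( isset( $_POST['deleteSitemap'] ) ) {
        wp_html_sitemap_delete();            // hypothetical plugin routine
    }
}

// --- Hardened form: emit a nonce field alongside the buttons -----------------
// wp_nonce_field() prints a hidden input whose value is bound to the current
// user, the action string and a time window; a cross-origin page cannot
// compute it, so a forged form cannot include a valid one.
function hardened_create_sitemap_form() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'wp_html_sitemap_manage', '_wpnonce_sitemap' ); ?>
        <input type="submit" name="createSitemap" value="Create Sitemap">
        <input type="submit" name="deleteSitemap" value="Delete Sitemap">
    </form>
    <?php
}

// --- Hardened handler: capability check, then nonce check, then the action --
function hardened_handle_form() {
    // Nothing submitted: return before touching the nonce at all.
    if ( ! isset( $_POST['createSitemap'] ) && ! isset( $_POST['deleteSitemap'] ) ) {
        return;
    }
    // Only users allowed to manage options may reach the state-changing code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'You do not have permission to do this.' ) );
    }
    // check_admin_referer() verifies the nonce named in the second argument
    // (and the HTTP referer) and calls wp_die() on failure, so a forged
    // cross-site POST never reaches the branches below.
    check_admin_referer( 'wp_html_sitemap_manage', '_wpnonce_sitemap' );

    if ( isset( $_POST['createSitemap'] ) ) {
        wp_html_sitemap_create();
    } elseif ( isset( $_POST['deleteSitemap'] ) ) {
        wp_html_sitemap_delete();
    }
}
```

With the hardened handler in place, the proof-of-concept form in the report carries no nonce field, so the request dies at check_admin_referer() before the delete branch is reached.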

Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Daniel Bachhuber-4
Hi Harry,

Please refrain from advertising on this list. Plugin security issues should
be reported to [hidden email]

Thanks.


On Fri, Mar 28, 2014 at 5:39 AM, Harry Metcalfe <[hidden email]> wrote:


Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Harry Metcalfe-4
Hi Daniel,

This vulnerability was reported to [hidden email] on 2nd
February. The author has not responded, so we are disclosing the
vulnerability in order that anyone using this plugin can take steps to
protect themselves.

This is certainly not an advertisement.

Administrivia: It was my assumption that this list would be interested
to know about vulnerable plugins. If anyone has strong feelings for or
against that assumption, please let me know off-list. If there is a
consensus we will honour it.

Cheers,

Harry


On 28/03/2014 14:41, Daniel Bachhuber wrote:


--
Harry Metcalfe
07790 559 876
@harrym


Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Chris McCoy
I think Daniel was referring to posting to a public list; some malicious
people could take advantage of this and cause some havoc.

On 2014-03-28, 10:46 AM, "Harry Metcalfe" <[hidden email]> wrote:


Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Harry Metcalfe-4
Hi Chris,

We're aware of that, but not sure what alternative there is if the
people who write plugins don't contact us when we report issues to them.
We try to give people enough time to fix things, but if it doesn't look
like they're going to, we believe it is the responsible thing to do to
publish vulnerabilities so that people affected by them can take steps
to protect themselves.

Our disclosure policy is here <https://security.dxw.com/disclosure/>,
and we always draw people's attention to it (see below). All that said,
it is a difficult area and I'm certainly open to suggestions about how
to do it better.

Harry


On 28/03/2014 15:29, Chris McCoy wrote:


--
Harry Metcalfe
07790 559 876
@harrym


Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

VarunAgw
Hi Harry,

>It was my assumption that this list would be interested to know about vulnerable plugins.

There must be hundreds or thousands of plugins with security issues. I
don't think everybody will be interested to know about vulnerabilities in
them.


>we are disclosing the vulnerability in order that anyone using this plugin can take steps to protect themselves.

I guess most of the users of the plugin are not going to read this.


-Varun

Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

chriscct7
-----------------------------------------------------------
## Chris replied, on Mar 28 @ 12:20pm (AMT):

I also disagree with how the issues are being disclosed.

First off, 14 days really isn't a long enough time. Imagine this
scenario:

Day 1: Friday: Reported to WP Security team
Day 1: Security team sends email to plugin author
Day 4: Monday: Plugin author begins reading his emails about his
plugins that came in over the weekend and notices the security email.
Day 7: Thursday: Assuming the bug is easy to fix, a patch is
submitted as an update to WordPress.org
Day 8: Update notifications begin to appear in the WordPress backend;
given it's now Friday, most users (if they even log into their site on
Fridays) will put off updating it till Monday, mostly so they can read
through the changelog.
Day 11: Users read through the changelog and *hopefully* begin updating.

The problem is, this made 2 assumptions. First, you assume all
security vulnerabilities are both easy to fix, and the plugin can be
re-audited quickly. While most are likely easy to fix (à la the ones
reported thus far), most authors would also want to re-audit their
plugin's codebase, and for anything over 100k LOC that's going to take
a lot of time. Second, you've only given users 3 days to update in
this scenario. Some users will not update the first week after an
update has been patched. Some not even the first 2 weeks. Maybe they
are enterprise or large business sites where they have to get approval
and independent testing must be done prior to accepting the patch.
Maybe they are scared of updates for whatever reason and they want to
read reports that the update hasn't broken someone's site first.

In any event, the "14 days" should be upped to the industry standard
30 days. Currently, in a good case scenario (like the one above)
you've given users 3 days to update before you reveal a direct proof
of concept of how to exploit the vulnerability.

Even after 30 days, publishing a complete example of how to use the
vulnerability is still not all too responsible. I would move to a
system where you say what you can do to mitigate the issue after 30,
and then hold off on proof of concept for 60-90 days post report.

Finally, I'd have to agree with the others. Posting vulnerability
reports here isn't going to alert the majority of the affected users,
and it has that spammy feel (even though it's not spam).
--
Chris Christoff
[hidden email]
http://www.chriscct7.com [1]
@chriscct7
If you feel the need to donate, as a college student, I appreciate
donations of any amount. The easiest way to donate to my college fund
is via the donation button at the bottom of my
homepage: http://chriscct7.com/ [2]

Links:
------
[1] http://www.chriscct7.com
[2] http://chriscct7.com/



Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Harry Metcalfe-4
Hi Chris,

The 14 days is just to acknowledge the report, not to release a fix. The
policy does not prescribe a time for fixes for exactly the reasons
you've outlined. We'll always work with people to agree a reasonable
time for fixing and publication, unless they don't reply to us, in which
case we can't do much other than publish. We also generally do wait
longer than 14 days, as you can see from these reports.

> Posting vulnerability reports here isn't going to alert the majority of the affected users, and it has that spammy feel (even though it's not spam).

I'll add you to the list! So far, we're 1 for and 1 against.

Harry


On 28/03/2014 16:20, Chris Christoff wrote:


--
Harry Metcalfe
07790 559 876
@harrym


Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Nikola Nikolov
@Chris - they are actually giving plugin authors 14 days to acknowledge the
report - which I assume means to just send an email along the lines of
"Okay, I'll take care of that ASAP". And again - 14 days is not a long time
- sometimes I'm away (and without internet access) for more than that.

I do agree that posting a proof of concept is not a good idea so soon. For
instance Wordfence sends out emails to their subscribers when plugin
vulnerabilities have been found (and usually when their users have suffered
from those vulnerabilities) and suggests what action users should take. For
instance "Plugin author has responded and patch is available in the next
release, available now", or "disable and delete plugin until a patch is
released" or "contact plugin author".


On Fri, Mar 28, 2014 at 6:20 PM, Chris Christoff <[hidden email]> wrote:

> system where you say what you can do to mitigate the issue after 30,
> and then hold off on proof of concept for 60-90 days post report.
>
>  Finally, I'd have to agree with the others. Posting vulnerability
> reports here isn't going to alert the majority of the affected users,
> and it has that spammy feel (even though its not spam).
> --
> Chris Christoff
> [hidden email]
> http://www.chriscct7.com [1]
> @chriscct7
> If you feel the need to donate, as a college student, I appreciate
> donations of any amount. The easiest way to donate to my college fund
> is via the donation button at the bottom of my
> homepage: http://chriscct7.com/ [2]
>
> Links:
> ------
> [1] http://www.chriscct7.com
> [2] http://chriscct7.com/
>
>
> -----------------------------------------------------------
> ## [hidden email] replied, on Mar 28 @ 12:06pm (AMT):
>
> Hi Harry,
>
>  >It was my assumption that this list would be interested to know
> about vulnerable plugins.
>
>  There must be hundreds or thousands of plugin with security issues. I
>  don't think everybody will be interested to know vulnerabilities in
>  them.
>
>  >we are disclosing the vulnerability in order that anyone using
> this plugin can take steps to protect themselves.
>
>  I guess most of the user of the plugin are not going to read this.
>
>  -Varun
>  _______________________________________________
>  wp-hackers mailing list
>  [hidden email]
>  http://lists.automattic.com/mailman/listinfo/wp-hackers
>
> -----------------------------------------------------------
> ## [hidden email] replied, on Mar 28 @ 11:52am (AMT):
>
> Hi Chris,
>
>  We're aware of that, but not sure what alternative there is if the
>  people who write plugins don't contact us when we report issues to
> them.
>  We try to give people enough time to fix things, but if it doesn't
> look
>  like they're going to, we believe it is the responsible thing to do
> to
>  publish vulnerabilities so that people affected by them can take
> steps
>  to protect themselves.
>
>  Our disclosure policy is here
> <https://security.dxw.com/disclosure/>,
>  and we always draw people's attention to it (see below). All that
> said,
>  it is a difficult area and I'm certainly open to suggestions about
> how
>  to do it better.
>
>  Harry
>
> -----------------------------------------------------------
> ## [hidden email] replied, on Mar 28 @ 11:29am (AMT):
>
> I think Daniel was refering to posting to a public list, some
> malicious
>  people could take advantage of this, and cause some havoc.
>
>  _______________________________________________
>  wp-hackers mailing list
>  [hidden email]
>  http://lists.automattic.com/mailman/listinfo/wp-hackers
>
> -----------------------------------------------------------
> ## [hidden email] replied, on Mar 28 @ 10:46am (AMT):
>
> Hi Daniel,
>
>  This vulnerability was reported to [hidden email] on 2nd
>  February. The author has not responded, so we are disclosing the
>  vulnerability in order that anyone using this plugin can take steps
> to
>  protect themselves.
>
>  This is certainly not an advertisement.
>
>  Administrivia: It was my assumption that this list would be
> interested
>  to know about vulnerable plugins. If anyone has strong feelings for
> or
>  against that assumption, please let me know off-list. If there is a
>  consensus we will honour it.
>
>  Cheers,
>
>  Harry
>

Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Harry Metcalfe-4
In reply to this post by VarunAgw
> There must be hundreds or thousands of plugins with security issues. I
> don't think everybody will be interested to know vulnerabilities in
> them.
I'm honestly not sure how to respond to that. I don't think I know
anyone who doesn't care about having an exploitable website. I agree
that there are hundreds of vulnerable plugins. That's what we're trying
to help fix, because it's unacceptable!

> I guess most of the users of the plugin are not going to read this.
We'll do the best we can to make sure everyone who is interested will
find out. We currently:

  * Publish to our website
  * Tweet from @dxwsecurity
  * Post to wp-hackers and Full Disclosure
  * Request a CVE

If you have any ideas about how we can spread the word more, I'm all ears.

Harry



--
Harry Metcalfe
07790 559 876
@harrym


Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Harry Metcalfe-4
In reply to this post by Nikola Nikolov
If reports are acknowledged, and plugin authors keep us in the loop,
we've so far always published on the same day as an update is released,
with advice to update to the new version as soon as possible. I think
the only circumstances under which we might publish sooner than that
would be for a very serious vulnerability that the plugin author was not
taking seriously.

Harry




--
Harry Metcalfe
07790 559 876
@harrym


Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Nikola Nikolov
In reply to this post by Harry Metcalfe-4
I'd suggest creating a mailing list - this way people can actually opt in
to those emails (so people here that don't want to receive that kind of
information will not, and those who want can sign up for it).



Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Scott Herbert (via Phone)
In reply to this post by Harry Metcalfe-4
Just by way of comparison, Google give you 7 days; I think 14 days is fine. I tend to give companies 30 days to have the patch out, unless they give me a good reason to delay.



On 28 March 2014 16:30:50 GMT+00:00, Harry Metcalfe <[hidden email]> wrote:

>Hi Chris,
>
>The 14 days is just to acknowledge the report, not to release a fix. The
>policy does not prescribe a time for fixes for exactly the reasons
>you've outlined. We'll always work with people to agree a reasonable
>time for fixing and publication, unless they don't reply to us. In which
>case, we can't do much other than publish. We also generally do wait
>longer than 14 days, as you can see from these reports.
>
>> Posting vulnerability reports here isn't going to alert the majority
>> of the affected users, and it has that spammy feel (even though it's
>> not spam).
>
>I'll add you to the list! So far, we're 1 for and 1 against.
>
>Harry

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Harry Metcalfe-4
In reply to this post by Nikola Nikolov
Anyone else agree? Who'd join such a list?

I'll keep a tally on that too.

Though I am a bit surprised at the respondents here who *don't* want to
know about vulnerable plugins they may be running...

Harry



--
Harry Metcalfe
07790 559 876
@harrym


Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

John Blackbourn
On 28 March 2014 16:38, Harry Metcalfe <[hidden email]> wrote:

> Anyone else agree? Who'd join such a list?
>
> I'll keep a tally on that too.
>
> Though I am a bit surprised at the respondents here who *don't* want to
> know about vulnerable plugins they may be running...


I think a separate mailing list would be a better idea than posting to
wp-hackers, for the same reason there are separate mailing lists and
separate IRC channels and separate development blogs for all the various
aspects of WordPress.

John

Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Scott Herbert (via Phone)
In reply to this post by Harry Metcalfe-4

I'd sign up to it. There was someone called "mustlive" who used to post lots of WP stuff on Full Disclosure; I'm sure I can find a contact if you want.



On 28 March 2014 16:38:26 GMT+00:00, Harry Metcalfe <[hidden email]> wrote:

>Anyone else agree? Who'd join such a list?
>
>I'll keep a tally on that too.
>
>Though I am a bit surprised at the respondents here who *don't* want to
>
>know about vulnerable plugins they may be running...
>
>Harry
>
>
>On 28/03/2014 16:37, Nikola Nikolov wrote:
>> I'd suggest creating a mailing list - this way people can actually
>opt-in
>> to those emails(so people here that don't want to receive that kind
>of
>> information will not and those who want can sign-up for it).
>>
>>
>> On Fri, Mar 28, 2014 at 6:34 PM, Harry Metcalfe <[hidden email]>
>wrote:
>>
>>> There must be hundreds or thousands of plugin with security issues.
>I
>>>> don't think everybody will be interested to know vulnerabilities in
>>>> them.
>>>>
>>> I'm honestly not sure how to respond to that. I don't think I know
>anyone
>>> who doesn't care about having an exploitable website. I agree that
>there
>>> are hundreds of vulnerable plugins. That's what we're trying to help
>fix,
>>> because it's unacceptable!
>>>
>>>
>>>   I guess most of the user of the plugin are not going to read this.
>>> We'll do the best we can to make sure everyone who is interested
>will find
>>> out. We currently:
>>>
>>>   * Publish to our website
>>>   * Tweet from @dxwsecurity
>>>   * Post to wp-hackers and Full Disclosure
>>>   * Request a CVE
>>>
>>> If you have any ideas about how we can spread the word more, I'm all
>ears.
>>>
>>> Harry
>>>
>>>
>>>
>>> On 28/03/2014 16:06, Varun Agrawal wrote:
>>>
>>>> Hi Harry,
>>>>
>>>>   It was my assumption that this list would be interested to know
>about
>>>>> vulnerable plugins.
>>>>>
>>>> There must be hundreds or thousands of plugin with security issues.
>I
>>>> don't think everybody will be interested to know vulnerabilities in
>>>> them.
>>>>
>>>>
>>>>   we are disclosing the vulnerability in order that anyone using
>this
>>>>> plugin can take steps to protect themselves.
>>>>>
>>>> I guess most of the user of the plugin are not going to read this.
>>>>
>>>>
>>>> -Varun
>>>>
>>> --
>>> Harry Metcalfe
>>> 07790 559 876
>>> @harrym
>>>
>>>
>
>--
>Harry Metcalfe
>07790 559 876
>@harrym
>

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Dre Armeda-3
In reply to this post by John Blackbourn
On Fri, Mar 28, 2014 at 9:41 AM, John Blackbourn <[hidden email]> wrote:

> On 28 March 2014 16:38, Harry Metcalfe <[hidden email]> wrote:
>
> > Anyone else agree? Who'd join such a list?
> >
> > I'll keep a tally on that too.
> >
> > Though I am a bit surprised at the respondents here who *don't* want to
> > know about vulnerable plugins they may be running...
>
>
> I think a separate mailing list would be a better idea than posting to
> wp-hackers, for the same reason there are separate mailing lists and
> separate IRC channels and separate development blogs for all the various
> aspects of WordPress.
>
> John
>


I concur!

I would certainly be open to joining that, and agree it should be separate
from wp-hackers.


Dre Armeda

Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

chriscct7

-----------------------------------------------------------
## Chris replied, on Mar 28 @ 12:45pm (AMT):

I agree. Make a separate mailing list so those interested can opt in,
rather than forcing existing mailing list subscribers to set up Gmail
filters to delete these posts.
--
Chris Christoff
[hidden email]
http://www.chriscct7.com [1]
@chriscct7
If you feel the need to donate, as a college student, I appreciate
donations of any amount. The easiest way to donate to my college fund
is via the donation button at the bottom of my
homepage: http://chriscct7.com/ [2]

Links:
------
[1] http://www.chriscct7.com
[2] http://chriscct7.com/


Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Nikola Nikolov
In reply to this post by John Blackbourn
A separate list with a more obvious way of joining would benefit regular
users - they can just fill out a form and get updates. And when they do get
updates, they will be specifically targeted at security.

I'm pretty happy with the mailing list of Wordfence - they have a huge user
base with all kinds of different setups that they can monitor and find
exploits.

PS: I'm not saying that your reports are worthless - the idea is a very
good one and I'm happy that you are donating some of your time towards the
community.


On Fri, Mar 28, 2014 at 6:41 PM, John Blackbourn <[hidden email]> wrote:

> On 28 March 2014 16:38, Harry Metcalfe <[hidden email]> wrote:
>
> > Anyone else agree? Who'd join such a list?
> >
> > I'll keep a tally on that too.
> >
> > Though I am a bit surprised at the respondents here who *don't* want to
> > know about vulnerable plugins they may be running...
>
>
> I think a separate mailing list would be a better idea than posting to
> wp-hackers, for the same reason there are separate mailing lists and
> separate IRC channels and separate development blogs for all the various
> aspects of WordPress.
>
> John
>

Re: CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Jacob Snyder
In reply to this post by Harry Metcalfe-4
I disagree with the sentiment that discussing vulnerable plugins is a bad
topic for this list (am I wrong?). I do want the info, and I would opt in
to Harry's list, but I don't see why I have to. This backlash from a few
people seems a little strong...


On Fri, Mar 28, 2014 at 11:38 AM, <[hidden email]> wrote:

>
> Message: 1
> Date: Fri, 28 Mar 2014 16:34:03 +0000
> From: Harry Metcalfe <[hidden email]>
> To: [hidden email]
> Subject: Re: [wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2
>         (WordPress plugin)
>
> > There must be hundreds or thousands of plugin with security issues. I
> > don't think everybody will be interested to know vulnerabilities in
> > them.
> I'm honestly not sure how to respond to that. I don't think I know
> anyone who doesn't care about having an exploitable website. I agree
> that there are hundreds of vulnerable plugins. That's what we're trying
> to help fix, because it's unacceptable!
>
> > I guess most of the user of the plugin are not going to read this.
> We'll do the best we can to make sure everyone who is interested will
> find out. We currently:
>
>   * Publish to our website
>   * Tweet from @dxwsecurity
>   * Post to wp-hackers and Full Disclosure
>   * Request a CVE
>
> If you have any ideas about how we can spread the word more, I'm all ears.
>
> Harry
>
>
> On 28/03/2014 16:06, Varun Agrawal wrote:
> > Hi Harry,
> >
> >> It was my assumption that this list would be interested to know about
> vulnerable plugins.
> > There must be hundreds or thousands of plugin with security issues. I
> > don't think everybody will be interested to know vulnerabilities in
> > them.
> >
> >
> >> we are disclosing the vulnerability in order that anyone using this
> plugin can take steps to protect themselves.
> > I guess most of the user of the plugin are not going to read this.
> >
> >
> > -Varun
>
> --
> Harry Metcalfe
> 07790 559 876
> @harrym
>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 28 Mar 2014 16:36:57 +0000
> From: Harry Metcalfe <[hidden email]>
> To: [hidden email]
> Subject: Re: [wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2
>         (WordPress plugin)
>
> If reports are acknowledged, and plugin authors keep us in the loop,
> we've so far always published on the same day as an update is released,
> with advice to update to the new version as soon as possible. I think
> the only circumstances under which we might publish sooner than that
> would be for a very serious vulnerability that the plugin author was not
> taking seriously.
>
> Harry
>
>
>
> On 28/03/2014 16:31, Nikola Nikolov wrote:
> > @Chris - they are actually giving plugin authors 14 days to acknowledge
> the
> > report - which I assume means to just send an email along the lines of
> > "Okay, I'll take care of that ASAP". And again - 14 days is not a long
> time
> > - sometimes I'd away(and without internet access) for more than that.
> >
> > I do agree that posting a proof of concept is not a good idea so soon.
> For
> > instance Wordfence sends out emails to their subscribers when plugin
> > vulnerabilities have been found(and usually when their users have
> suffered
> > from those vulnerabilities) and suggest what action users should take.
> For
> > instance "Plugin author has responded and patch is available in the next
> > release, available now", or "disable and delete plugin until a patch is
> > released or "contact plugin author".
> >
> >
> > On Fri, Mar 28, 2014 at 6:20 PM, Chris Christoff <[hidden email]> wrote:
> >
> >> -- Please reply above this line --
> >>
> >> -----------------------------------------------------------
> >> ## Chris replied, on Mar 28 @ 12:20pm (AMT):
> >>
> >> I also disagree with how the issues are being disclosed.
> >>   First off 14 days really isn't a long enough time. Imagine this
> >> scenario:
> >>   Day 1: Friday: Reported to WP Security team
> >>   Day 1: Security team sends email to plugin author
> >>   Day 4: Monday: Plugin author begins reading his emails about his
> >> plugins that came in over the weekend and notices security email.
> >>   Day 7: Thursday: Assuming the bug is easy to fix, an update is patch
> >> is submitted as an update to WordPress.org
> >>   Day 8: Update notifications begin to appear in WordPress backend,
> >> given its now Friday, most users (if they even log into their site on
> >> Fridays, will put off updating it till Monday mostly so they can read
> >> through the changelog.
> >>   Day 11: Users read through changelog and *hopefully* begin updating.
> >>
> >>   The problem is, this made 2 assumptions. First, you assume all
> >> security vulnerabilities are both easy to fix, and the plugin can be
> >> re-audited quickly. While most are likely easy to fix (ala the ones
> >> reported thus far), most authors would also want to re-audit their
> >> plugins codebase, and for anything over 100k LOC that's going to take
> >> a lot of time. Second, you've only given users 3 days to update in
> >> this scenario. Some users will not update the first week after an
> >> update has been patched. Some not even the first 2 weeks. Maybe they
> >> are enterprise or large business sites where they have to get approval
> >> and independent testing must be done prior to accepting the patch.
> >> Maybe, they are scared of updates for whatever reason and they want to
> >> read reports the update hasn't broken someone's site first.
> >>
> >>   In any event, the "14 days" should be upped to the industry standard
> >> 30 days. Currently, in a good case scenario (like the one above)
> >> you've given users 3 days to update before you reveal a direct proof
> >> of concept of how to exploit the vulnerability.
> >>
> >>   Even after 30 days, publishing a complete example of how to use the
> >> vulnerability is still not all too responsible. I would move to a
> >> system where you say what you can do to mitigate the issue after 30,
> >> and then hold off on proof of concept for 60-90 days post report.
> >>
> >>   Finally, I'd have to agree with the others. Posting vulnerability
> >> reports here isn't going to alert the majority of the affected users,
> >> and it has that spammy feel (even though its not spam).
> >> --
> >> Chris Christoff
> >> [hidden email]
> >> http://www.chriscct7.com [1]
> >> @chriscct7
> >> If you feel the need to donate, as a college student, I appreciate
> >> donations of any amount. The easiest way to donate to my college fund
> >> is via the donation button at the bottom of my
> >> homepage: http://chriscct7.com/ [2]
> >>
> >> Links:
> >> ------
> >> [1] http://www.chriscct7.com
> >> [2] http://chriscct7.com/
> >>
> >>
> >> -----------------------------------------------------------
> >> ## [hidden email] replied, on Mar 28 @ 12:06pm (AMT):
> >>
> >> Hi Harry,
> >>
> >>   >It was my assumption that this list would be interested to know
> >> about vulnerable plugins.
> >>
> >>   There must be hundreds or thousands of plugin with security issues. I
> >>   don't think everybody will be interested to know vulnerabilities in
> >>   them.
> >>
> >>   >we are disclosing the vulnerability in order that anyone using
> >> this plugin can take steps to protect themselves.
> >>
> >>   I guess most of the user of the plugin are not going to read this.
> >>
> >>   -Varun
> >>
> >> -----------------------------------------------------------
> >> ## [hidden email] replied, on Mar 28 @ 11:52am (AMT):
> >>
> >> Hi Chris,
> >>
> >>   We're aware of that, but not sure what alternative there is if the
> >>   people who write plugins don't contact us when we report issues to
> >> them.
> >>   We try to give people enough time to fix things, but if it doesn't
> >> look
> >>   like they're going to, we believe it is the responsible thing to do
> >> to
> >>   publish vulnerabilities so that people affected by them can take
> >> steps
> >>   to protect themselves.
> >>
> >>   Our disclosure policy is here
> >> <https://security.dxw.com/disclosure/>,
> >>   and we always draw people's attention to it (see below). All that
> >> said,
> >>   it is a difficult area and I'm certainly open to suggestions about
> >> how
> >>   to do it better.
> >>
> >>   Harry
> >>
> >> -----------------------------------------------------------
> >> ## [hidden email] replied, on Mar 28 @ 11:29am (AMT):
> >>
> >> I think Daniel was refering to posting to a public list, some
> >> malicious
> >>   people could take advantage of this, and cause some havoc.
> >>
> >>
> >> -----------------------------------------------------------
> >> ## [hidden email] replied, on Mar 28 @ 10:46am (AMT):
> >>
> >> Hi Daniel,
> >>
> >>   This vulnerability was reported to [hidden email] on 2nd
> >>   February. The author has not responded, so we are disclosing the
> >>   vulnerability in order that anyone using this plugin can take steps
> >> to
> >>   protect themselves.
> >>
> >>   This is certainly not an advertisement.
> >>
> >>   Administrivia: It was my assumption that this list would be
> >> interested
> >>   to know about vulnerable plugins. If anyone has strong feelings for
> >> or
> >>   against that assumption, please let me know off-list. If there is a
> >>   consensus we will honour it.
> >>
> >>   Cheers,
> >>
> >>   Harry
> >>
> >> -----------------------------------------------------------
> >> ## [hidden email] replied, on Mar 28 @ 10:41am (AMT):
> >>
> >> Hi Harry,
> >>
> >>   Please refrain from advertising on this list. Plugin security issues
> >> should
> >>   be reported to [hidden email]
> >>
> >>   Thanks.
> >>
> >>
> >> -----------------------------------------------------------
> >>
> >>
>
> --
> Harry Metcalfe
> 07790 559 876
> @harrym
>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 28 Mar 2014 18:37:16 +0200
> From: Nikola Nikolov <[hidden email]>
> To: [hidden email]
> Subject: Re: [wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2
>         (WordPress plugin)
>
> I'd suggest creating a mailing list - this way people can actually opt-in
> to those emails(so people here that don't want to receive that kind of
> information will not and those who want can sign-up for it).
>
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 28 Mar 2014 16:37:37 +0000
> From: "Scott Herbert (via Phone)" <[hidden email]>
> To: [hidden email]
> Subject: Re: [wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2
>         (WordPress plugin)
>
> Just by way of comparison Google give you 7 days, I think 14 days is fine.
> I tend to give companies 30days to have the patch out, unless they give me
> a good reason to delay.
>
>
>
> On 28 March 2014 16:30:50 GMT+00:00, Harry Metcalfe <[hidden email]> wrote:
> >Hi Chris,
> >
> >The 14 days is just to acknowledge the report, not to release a fix.
> >The
> >policy does not prescribe a time for fixes for exactly the reasons
> >you've outlined. We'll always work with people to agree a reasonable
> >time for fixing and publication, unless they don't reply to us. In
> >which
> >case, we can't do much other than publish. We also generally do wait
> >longer than 14 days, as you can see from these reports.
> >> Posting vulnerability reports here isn't going to alert the majority
> >of the affected users, and it has that spammy feel (even though its not
> >spam).
> >I'll add you to the list! So far, we're 1 for and 1 against.
> >
> >Harry
> >
> >
> >--
> >Harry Metcalfe
> >07790 559 876
> >@harrym
> >
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
> ------------------------------
>
> Message: 5
> Date: Fri, 28 Mar 2014 16:38:26 +0000
> From: Harry Metcalfe <[hidden email]>
> To: [hidden email]
> Subject: Re: [wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2
>         (WordPress plugin)
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Anyone else agree? Who'd join such a list?
>
> I'll keep a tally on that too.
>
> Though I am a bit surprised at the respondents here who *don't* want to
> know about vulnerable plugins they may be running...
>
> Harry
>
>
> On 28/03/2014 16:37, Nikola Nikolov wrote:
> > I'd suggest creating a mailing list - this way people can actually opt-in
> > to those emails (so people here that don't want to receive that kind of
> > information will not and those who want can sign-up for it).
> >
> >
> > On Fri, Mar 28, 2014 at 6:34 PM, Harry Metcalfe <[hidden email]> wrote:
> >
> >>> There must be hundreds or thousands of plugins with security issues. I
> >>> don't think everybody will be interested to know vulnerabilities in
> >>> them.
> >>>
> >> I'm honestly not sure how to respond to that. I don't think I know anyone
> >> who doesn't care about having an exploitable website. I agree that there
> >> are hundreds of vulnerable plugins. That's what we're trying to help fix,
> >> because it's unacceptable!
> >>
> >>
> >>> I guess most of the users of the plugin are not going to read this.
> >>>
> >> We'll do the best we can to make sure everyone who is interested will find
> >> out. We currently:
> >>
> >>   * Publish to our website
> >>   * Tweet from @dxwsecurity
> >>   * Post to wp-hackers and Full Disclosure
> >>   * Request a CVE
> >>
> >> If you have any ideas about how we can spread the word more, I'm all ears.
> >>
> >> Harry
> >>
> >>
> >>
> >> On 28/03/2014 16:06, Varun Agrawal wrote:
> >>
> >>> Hi Harry,
> >>>
> >>>> It was my assumption that this list would be interested to know about
> >>>> vulnerable plugins.
> >>>>
> >>> There must be hundreds or thousands of plugins with security issues. I
> >>> don't think everybody will be interested to know vulnerabilities in
> >>> them.
> >>>
> >>>
> >>>> we are disclosing the vulnerability in order that anyone using this
> >>>> plugin can take steps to protect themselves.
> >>>>
> >>> I guess most of the users of the plugin are not going to read this.
> >>>
> >>>
> >>> -Varun
> >>>
> >> --
> >> Harry Metcalfe
> >> 07790 559 876
> >> @harrym
> >>
> >>
>
> --
> Harry Metcalfe
> 07790 559 876
> @harrym
>
>
>
> ------------------------------
>
>
>
> ------------------------------
>
> End of wp-hackers Digest, Vol 110, Issue 45
> *******************************************
>
_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers