| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Feb 2014 12:28:22 +0300 From: Jerome Athias <athiasjerome@...il.com> To: Harry Metcalfe <harry@....com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: A question for the list - WordPress plugin inspections Yes btw you can simply submit by email to osvdb, packetstorm, etc. but I'm pretty sure they will catch it now ;) 2014-02-20 Harry Metcalfe <harry@....com>: > Hi Jerome, > > The criteria are here: > > https://security.dxw.com/about/plugin-inspections/ > > Is that what you mean? > > I agree using a common classification would be good. I'll have a look into > that. > > As mentioned before, though - these are not vulnerability reports. We do > those too: > > https://security.dxw.com/advisories/xss-and-csrf-in-user-domain-whitelist-v1-4/ > > and they are more detailed. Inspections are more about code smell, if you > know what I mean. So there aren't specific files, lines, etc. > > Harry > > > > On 20/02/2014 08:39, Jerome Athias wrote: >> >> It is valuable >> I concur (# line of code, file names and CVE submission). >> >> I would also suggest to use common classifications (or a mapping) such >> as OWASP TOP10, WASC, CWE (CAPEC) for your criterias. >> >> Providing details regarding the methodology or/and tools used for the >> assessment would be also valuable. >> (i.e. Checklist, RIPS, >> https://labs.portcullis.co.uk/tools/wordpress-build-review-tool/ ) >> >> Thank you >> Best regards >> >> 2014-02-19 Seth Arnold <seth.arnold@...onical.com>: >>> >>> On Wed, Feb 19, 2014 at 06:40:51PM +0000, Harry Metcalfe wrote: >>>> >>>> We write and publish light-touch inspections of WordPress plugins >>>> that we do for our clients. They are just a guide - we conduct some >>>> basic checks, not a thorough review. >>>> >>>> Would plugins which fail this inspection be of general interest to >>>> the list and therefore worth posting, as we would a vulnerability? >>>> >>>> Here's an example report: >>>> >>>> https://security.dxw.com/plugins/gd-star-rating-1-9-22/ >>>> >>>> Grateful for a steer... >>> >>> That's a very nice summary view, but it'd be more useful in this medium >>> if you included the lines of code that introduce the vulnerabilities. >>> >>> Most useful would be to coordinate with authors and MITRE for CVE numbers >>> for the issues you find to ensure the issues aren't forgotten about or >>> otherwise ignored. >>> >>> Thanks >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists