Re: Fwd: 0-DAY XSS of cforms II is now fixed after a year and four months (was Re: cforms WordPress Plugin Cross Site Scripting Vulnerability - CVE-2010-3977)

[Kousuke Ebihara <kousuke () co3k org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Rodrigo,

Thanks for your response. And I had misunderstood about some points. At first, I apologize about that.

> I sent to the developer a complete advisory, including the exploit code.

Is that advisory the same of http://seclists.org/bugtraq/2010/Nov/21 ? --(A)

>  Actually, the developer reply was:
>  "No one else ever complained about this problem and we have millions
of users, so we are not fixing it"

Oh, I think his the response is not good.

However, wait, are there no bad points in your advisory? The above (A) question is for confirming that point.

Indeed, his response to my first contact (and my vulnerability report) wasn't proper. (I think he read that roughly)

But he finally admits the mistakes, by my response. After that, I see that his attitude has honesty. It shows that he 
is the developer of the software that is used by many users.

So I'm guessing he didn't understand about the vulnerability well.

Did you explain about XSS (e.g. its threats)? I did it.

> I don't have any obligation in confirming a fix.

Is this not only mentioning of this case?

Of course you don't have such a obligation.

But I think you should confirm a fix as manners. At least some easy checks.

> I never said the bug was patched... Maybe you should redirect this comment to Secunia instead?

Oh, sorry, I've mistaken in this point.

Sometimes, I wonder by wrong version informations from some security organization including Secunia. I think it is good 
opportunity to complain about that so I will do that soon. Thanks for that advice.

> I never said the bug was patched...

Well, you've not said the vulnerability is patched, but also you've not explained that is unpatched.

I agree with your saying:

> If the user is not aware that
*snip*
> he will never have the power to decide.
*snip*
> I just go ahead and publish so the users can decide what to do.

I think this is good thinking. For this reason, this case is very sorry.

As you know, unpatched vulnerability is worse than patched one. For example, the user needs to apply additional patch 
for this XSS not only updating.

So, you had to clear that vulnerability is unpatched. Without it, your action is not that different to black hat's 
action. (This might be out of line)

Coordinating vulnerabilities is great job, so please don't spoil your work by yourself.

> This is an open-source project, so any user that is security-aware could apply a patch themselves.

Exactly, I've noticed this by your advisory. However, on the other hand, your advisory made it difficult for the user 
to know the right situation. If you announced it carefully, the current situation was better than now.

Of course actions of Secunia was more harmful, and the developer was of course bad.

But your actions look like lack of some considerations, for example, you couldn't prevail on the developer to fix the 
XSS, and published the unclear advisory. My saying "halfway job" contains such actions.

Thanks,
Kousuke


P.S.

Just so there's no confusion, at this point, I appreciate you.

Responded to me is one. A value of that response. And, an attitude like "If you have further questions, I'm glad to 
help.".

So, my response is for your (and other's) better workings. Please understand my wish.

In addition, I want to inform this vulnerability of cforms as many users as possible. I could do it to Japanese user. 
But I think it is difficult for me to non-Japanese speaker ... can someone do it?


(12/02/17 20:49), Rodrigo Rubira Branco (BSDaemon) wrote:
> Dear Kousuke,
>
> First of all, let me clarify that the disclosure process has been
> entirely coordinated by me, and thus, Wagner, Conviso and Check Point
> have no responsibilities over any mistake I eventually made.
>
> Anyway, just to clarify your points:
>
> > First, you must have reported to the developer, but in what way?
>
> I sent to the developer a complete advisory, including the exploit code.
>
> > Confusing the XSS vulnerability with PHP code execution
> > vulnerability is so funny. I can't help feeling that you told it
> > sloppily.
>
> I never confused the vulnerabilities.   And I never said the bug was
> patched... Maybe you should redirect this comment to Secunia instead?
>
> > Second, why didn't you confirm the fix before publishing exploit?
>
> I don't have any obligation in confirming a fix.   Actually, the
> developer reply was:
>   "No one else ever complained about this problem and we have millions
> of users, so we are not fixing it"
>
> Thus, I didn't even knew there was a fix at any point in time.
>
> Probably you, for not having any information of what actually happened
> and because you totally mixed Secunia advisory with ours decided to
> send such email blaming us.
>
> > And I'd like to ask ALL SECURITY RESEARCHERS (of course including 
> > Rodrigo and Wagner).
>
> > For what do you research security? What is your "security"? To
> > protect people from threat? Or throw people into crisis? Do you
> > recognize effects of your halfway job like this case?
>
> We have a responsibility with the users.   If the user is not aware
> that a vulnerability exists and is ignored by the vendor, he will
> never have the power to decide.
>
> Informing and sharing information is the responsibility of the
> researchers.   I always coordinated vulnerabilities I disclose, but in
> case the developer decides that millions of users never reported and
> thus, the issue is not really a problem, I just go ahead and publish
> so the users can decide what to do.   This is an open-source project,
> so any user that is security-aware could apply a patch themselves.
>
>
> If you have further questions, I'm glad to help.
>
>
>
> Best Regards,
>
>
>
> Rodrigo.
>
>
>
>
>
> On 2/17/12 3:37 AM, Wagner Elias wrote:
> > FYI 
> > --------------------------------------------------------------------------------
>
>
> Wagner Elias, SANS GIAC, CobiTc, ITILc
> > CTO (Chief Technical Officer) +55 41 3095-3986 +55 11 8141-3256 
> > ------------ Blog: http://wagnerelias.com Twitter:
> > http://www.twitter.com/welias Conviso Application Security -
> > http://www.conviso.com.br
>
>
>
> > ---------- Forwarded message ---------- From: *Kousuke Ebihara*
> > <kousuke () co3k org <mailto:kousuke () co3k org>> Date: Fri, Feb 17,
> > 2012 at 2:31 AM Subject: 0-DAY XSS of cforms II is now fixed after
> > a year and four months (was Re: cforms WordPress Plugin Cross Site
> > Scripting Vulnerability - CVE-2010-3977) To: Rodrigo Branco
> > <rbranco () checkpoint com <mailto:rbranco () checkpoint com>> Cc:
> > "full-disclosure () lists grok org uk 
> > <mailto:full-disclosure () lists grok org uk>" 
> > <full-disclosure () lists grok org uk 
> > <mailto:full-disclosure () lists grok org uk>>,
> > "bugtraq () securityfocus com <mailto:bugtraq () securityfocus com>"
> > <bugtraq () securityfocus com <mailto:bugtraq () securityfocus com>>,
> > "Wagner Elias (welias () conviso com br
> > <mailto:welias () conviso com br>)" <welias () conviso com br
> > <mailto:welias () conviso com br>>
>
>
> > I've reported the following XSS vulnerability in cforms II. This 
> > vulnerability has been fixed on February 14, 2012 by its
> > developer.
>
> > WordPress cformsII Plugin "rs" Cross-Site Scripting Vulnerability
> > - Secunia.com http://secunia.com/advisories/47984/
>
> > You might see this is a normal XSS vulnerability, but this isn't.
>
> > Because EXPLOIT CODE IS PUBLISHED AS 0-DAY ON Oct 30, 2010 in this
> > list!
>
> > Are you puzzled?
>
> > Actually, the above vulnerability is the same with CVE-2010-3977,
> > is brought by Rodrigo Branco and Wagner Elias.
>
> > Secunia has published the related advisory on Nov 1, 2010: 
> > http://secunia.com/advisories/42006. According to Secunia, this 
> > vulnerability is fixed in v11.6.1. v11.6.1 is released on Sep 22,
> > 2010.
>
> > So you might image the following story.
>
> > 1. Rodrigo (or Wagner) reported this vulnerability to the
> > developer 2. The developer released new version for fix the XSS 3.
> > Rodrigo (and/or Wagner) confirmed that fix 4. Rodrigo reports this
> > vulnerability to this list
>
> > However, this is not truth. The developer of cforms didn't fix this
> > XSS at this point.
>
> > So what he has "fixed"? See the following diff::
>
> > --- cforms-v11.5/lib_ajax.php       2009-09-18 10:29:06.000000000
> > +0900 +++ cforms-v11.6.1/lib_ajax.php     2010-09-22
> > 07:41:54.000000000 +0900 @@ -627,16 +627,16 @@ ###  always
> > modified header ("Cache-Control: no-cache, must-revalidate");  ### 
> > HTTP/1.1 header ("Pragma: no-cache");                          ### 
> > HTTP/1.0 -                   $func_name = $_GET["rs"]; +
> > $func_name = sajax_sanitize( $_GET["rs"] ); if (!
> > empty($_GET["rsargs"])) -                           $args =
> > $_GET["rsargs"]; +                           $args =
> > sajax_sanitize( $_GET["rsargs"] ); else $args = array(); } else { -
> > $func_name = $_POST["rs"]; +                   $func_name =
> > sajax_sanitize( $_POST["rs"] ); if (! empty($_POST["rsargs"])) -
> > $args = $_POST["rsargs"]; +                           $args =
> > sajax_sanitize( $_POST["rsargs"] ); else $args = array(); } @@
> > -651,6 +651,14 @@ exit; }
>
> > +   ### sanitize +   function sajax_sanitize($t) { +           //$t
> > = preg_replace('/\s/', '', $t); +           $t =
> > str_replace('<php', '', $t); +           $t = str_replace('<?', '',
> > $t); +           return $t; +   } + ###  javascript escape a value 
> > function sajax_esc($val) {
>
> > WTF!? This looks like fix for PHP code execution vulnerability,
> > but there are no such vulnerabilities!
>
> > Hey, Rodrigo and Wagner, do YOU see the above as fix for XSS?
> > Really?
>
> > So, the XSS was not fixed in v11.6.1. Of course the exploit code
> > that was posted by Rodrigo, was available in many site until
> > February 14, 2012.
>
> > XSS vulnerability in WordPress and its plugin is too dangerous
> > because if attacker gets full privileges of admin user by that
> > vulnerability, he can write and execute any PHP code by using theme
> > editing feature (if the target file is writable).
>
> > As you can see, Rodrigo has done is throwing every cforms users
> > into crisis and nothing more.
>
> > Since exploit code is published before fix, there should be
> > attacker who focuses this vulnerability. If so, many sites may be
> > attacked by this vulnerability even if the admin never failed to
> > apply security fix.
>
>
> > Rodrigo and Wagner, I have some questions to you.
>
> > First, you must have reported to the developer, but in what way? 
> > Confusing the XSS vulnerability with PHP code execution
> > vulnerability is so funny. I can't help feeling that you told it
> > sloppily. Second, why didn't you confirm the fix before publishing
> > exploit?
>
>
> > And I'd like to ask ALL SECURITY RESEARCHERS (of course including 
> > Rodrigo and Wagner).
>
> > For what do you research security? What is your "security"? To
> > protect people from threat? Or throw people into crisis? Do you
> > recognize effects of your halfway job like this case?
>
> > Please reconsider this.
>
>
> > Thanks, Kousuke
>
> > (10/10/31 0:13), Rodrigo Branco wrote:
> > > Dear List,
> > >
> > > I'm writing on behalf of the Check Point Vulnerability Discovery
> > > Team
> > to publish the following vulnerability.
> > > Check Point Software Technologies - Vulnerability Discovery Team
> > > (VDT) http://www.checkpoint.com/defense/
> > >
> > > cforms WordPress Plugin Cross Site Scripting Vulnerability 
> > > CVE-2010-3977
> > >
> > >
> > > INTRODUCTION
> > >
> > > According to Delicious Days, "cforms is a powerful and feature
> > > rich
> > form plugin for WordPress, offering convenient deployment of
> > multiple Ajax
> > > driven contact forms throughout your blog or even on the same
> > > page."
> > >
> > > This problem was confirmed in the following versions of the
> > > cforms
> > WordPress Plugin, other versions
> > > maybe also affected.
> > >
> > > cforms v11.5
> > >
> > >
> > > CVSS Scoring System
> > >
> > > The CVSS score is: 5.5 Base Score: 6.7 Temporal Score: 5.5 We
> > > used the following values to calculate the scores: Base score is:
> > > AV:N/AC:L/Au:N/C:C/I:C/A:N Temporal score is: E:F/RL:OF/RC:C
> > >
> > >
> > > DETAILS
> > >
> > > A data array is created in lib_ajax.php using values from a form
> > > field
> > in a POST request.  The parameters rs and rsargs are not validated
> > and thus
> > > it is possible to inject code.
> > >
> > > Request: http://<server>/wp-content/plugins/cforms/lib_ajax.php 
> > > POST /wp-content/plugins/cforms/lib_ajax.php HTTP/1.1 Host:
> > > <server> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X
> > > 10.6; en-US; rv: 1.9.2.10) Gecko/20100914 Firefox/3.6.10 Accept:
> > > text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
> > > Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate 
> > > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 
> > > Connection: keep-alive Content-Type:
> > > application/x-www-form-urlencoded; charset=UTF-8 Content-Length:
> > > 219 Cookie:
> > > wp-settings-1=m0%3Do%26m1%3Do%26m2%3Do%26m3%3Do%26m4%3Do%26m5%3Do
> %26m6%3Do%26m7%3Do%26m8%3Do%26urlbutton%3Dnone%26editor%3Dtinymce
> > > %26imgsize%3Dfull%26align%3Dcenter%26hidetb%3D1%26m9%3Dc%26m10%3Do
> %26uploader%3D1%26m11%3Do; wp-settings-time-1=1285758765;
> > > c o m m e n t _ a u t h o r _ 9 3 f 4 1 b a 0 b 1 6 f 3 4 6 7 6 f
> > > 8 0
> > 2 0 5 8 e 8 2 3 8 8 f 6 = t e s t  ;
> > > comment_author_email_93f41ba0b16f34676f802058e82388f6=rbranco_nospam
> %40checkpoint.com <http://40checkpoint.com>
> > > Pragma: no-cache Cache-Control: no-cache 
> > > rs=<script>alert(1)</script>&rst=&rsrnd=1287506634854&rsargs[]=1$#
> $<script>alert(1)</script>$#$rbranco_nospam () checkpoint com
> > <mailto:rbranco_nospam () checkpoint com>$#$http://
> > > www.checkpoint.com
> > > <http://www.checkpoint.com>$#$<script>alert(1)</script>
> > >
> > >
> > >
> > > CREDITS
> > >
> > > This vulnerability has been brought to our attention by Wagner
> > > Elias
> > from Conviso IT Security company (http://www.conviso.com.br) and 
> > researched internally by Rodrigo Rubira Branco from the Check
> > Point Vulnerability Discovery Team (VDT).
> > > Best Regards,
> > >
> > > Rodrigo.
> > >
> > > -- Rodrigo Rubira Branco Senior Security Researcher Vulnerability
> > > Discovery Team (VDT) Check Point Software Technologies
>
>
> > -- Kousuke Ebihara <kousuke () co3k org <mailto:kousuke () co3k org>> 
> > http://co3k.org/

- -- 
Kousuke Ebihara <kousuke () co3k org>
http://co3k.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPPn8oAAoJECNvap7T8JfF9PIIAI94J9x4yENYDDe/CmQLF58e
x8GxmxnmBRk3jukLHQM9gBbPfEqjVDfmnNR5xCWcG/4u9mT5jbEKgga6mOwp09w5
bbOPmJ7vxH0YMEli1pCiMvbDzrAi84fht70BvucdS2doX9gEPm6HN5g15LlOij0Y
jtAuAa45pD3WE2eFGtOCvRjZspOANVOx7viBD8SCCj3pvw3c1KEPlCcQJu6rpsrw
lNuXdZF0Tx0p7aU9UfI0wPrF7aFGRQTexlu5uTlpzI1dLqTEFdS0TrkOE3sEtFQ0
NnuvSxVu/htx9q2onZDJRpEvtAvqpJ1QBnuneKO7na9mHXWR6eA8+cOSvy6OLsE=
=SxeG
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/