
XSS security vulnerabilities in many plugins and core!

edited June 2012 in Feedback

Looks like the guy who discovered the Poll plugin exploit found a whole lot more than that. Did he post them here? This seems fairly urgent, now that they are published.

http://www.exploit-db.com/author/?a=3659
http://www.henryhoggard.co.uk/

One of them even describes a somewhat convoluted XSS exploit to the core Tagging plugin: http://www.exploit-db.com/exploits/18980/

I would only assume there are more exploits among the other addons as well...

Answers

  • I wouldn't mind subscribing to a newsletter or something that announces important stuff like this, if other people think it'd be worth setting up.

    We should all be a lot more cautious about the code we run on our servers...

  • edited June 2012

    @Mark @Todd @Lincoln @UnderDog if you think there is a more prudent way to announce these vulnerabilities, please modify or delete this thread.

  • x00 MVP
    Answer ✓

    This is the problem with amateurs making plugins when they don't really understand what they are doing. It is a nice idea to have a go, because you have to learn somewhere, but just getting something that works isn't conducive with good design.

    Having said that it is really easy to forget to do something, even if you know better. It is easier to tear things down than to make them.

    I'm on the fence on how to announce vulnerabilities, given that in my youth I pointed out some XSS to major companies, but with more hacking involved, and not all of them were very responsive. One well-known company didn't close the vulnerability for a year.

    On the other hand they are much more cordial here, you should always let the people responsible know first.

    I don't think Henry Hoggard is going to be winning any hacking awards; this is pretty simple stuff, but he has done a service in a roundabout way.

    grep is your friend.

  • mcu_hq yippie ki-yay ✭✭✭
    edited June 2012

    All of those are unapproved plugins. "Use at your own risk" means "This author may not know anything about htmlspecialchars or how to escape user input for that matter."

  • True, but I suppose through a script kiddie trying to impress his superiors at Cardiff University it has highlighted some complacency. This kind of vulnerability testing could be automated.

    grep is your friend.

  • Yeah, my exclamation point wasn't really meant to suggest surprise that these vulnerabilities exist, but more to suggest urgency that people patch their sites.

    @x00: Can vulnerability testing really be automated? Talk about inspiring complacency ;-)

  • You can automate simple stuff; as a tool, it is not a substitute for good practice.

    grep is your friend.

  • I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Sheila ✭✭

    Here's another vulnerability from the same author. Haven't seen it posted here on the forums but maybe it has.

    Vanilla Moderator Edit Account XSS Vulnerability

    bot24.blogspot.fi/2012/05/vanilla-vulnerabilities-hosted-and.html

  • similar problem when editing the title of a discussion.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • fh111 Vanilla Padawan ✭✭

    peregrine said:
    similar problem when editing the title of a discussion.

    @Todd, @Tim
    is edit-discussion-title-xxs-vulnerability being looked at?

  • these are scary exploits...
