Re: [Full-disclosure] A question for the list - WordPress plugin inspections
Yes btw you can simply submit by email to osvdb, packetstorm, etc. but I'm pretty sure they will catch it now ;) 2014-02-20 Harry Metcalfe : > Hi Jerome, > > The criteria are here: > > https://security.dxw.com/about/plugin-inspections/ > > Is that what you mean? > > I agree using a common classification would be good. I'll have a look into > that. > > As mentioned before, though - these are not vulnerability reports. We do > those too: > > https://security.dxw.com/advisories/xss-and-csrf-in-user-domain-whitelist-v1-4/ > > and they are more detailed. Inspections are more about code smell, if you > know what I mean. So there aren't specific files, lines, etc. > > Harry > > > > On 20/02/2014 08:39, Jerome Athias wrote: >> >> It is valuable >> I concur (# line of code, file names and CVE submission). >> >> I would also suggest to use common classifications (or a mapping) such >> as OWASP TOP10, WASC, CWE (CAPEC) for your criterias. >> >> Providing details regarding the methodology or/and tools used for the >> assessment would be also valuable. >> (i.e. Checklist, RIPS, >> https://labs.portcullis.co.uk/tools/wordpress-build-review-tool/ ) >> >> Thank you >> Best regards >> >> 2014-02-19 Seth Arnold : >>> >>> On Wed, Feb 19, 2014 at 06:40:51PM +, Harry Metcalfe wrote: We write and publish light-touch inspections of WordPress plugins that we do for our clients. They are just a guide - we conduct some basic checks, not a thorough review. Would plugins which fail this inspection be of general interest to the list and therefore worth posting, as we would a vulnerability? Here's an example report: https://security.dxw.com/plugins/gd-star-rating-1-9-22/ Grateful for a steer... >>> >>> That's a very nice summary view, but it'd be more useful in this medium >>> if you included the lines of code that introduce the vulnerabilities. >>> >>> Most useful would be to coordinate with authors and MITRE for CVE numbers >>> for the issues you find to ensure the issues aren't forgotten about or >>> otherwise ignored. >>> >>> Thanks >>> >>> ___ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >> >> ___ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] A question for the list - WordPress plugin inspections
Hi Jerome, The criteria are here: https://security.dxw.com/about/plugin-inspections/ Is that what you mean? I agree using a common classification would be good. I'll have a look into that. As mentioned before, though - these are not vulnerability reports. We do those too: https://security.dxw.com/advisories/xss-and-csrf-in-user-domain-whitelist-v1-4/ and they are more detailed. Inspections are more about code smell, if you know what I mean. So there aren't specific files, lines, etc. Harry On 20/02/2014 08:39, Jerome Athias wrote: It is valuable I concur (# line of code, file names and CVE submission). I would also suggest to use common classifications (or a mapping) such as OWASP TOP10, WASC, CWE (CAPEC) for your criterias. Providing details regarding the methodology or/and tools used for the assessment would be also valuable. (i.e. Checklist, RIPS, https://labs.portcullis.co.uk/tools/wordpress-build-review-tool/ ) Thank you Best regards 2014-02-19 Seth Arnold : On Wed, Feb 19, 2014 at 06:40:51PM +, Harry Metcalfe wrote: We write and publish light-touch inspections of WordPress plugins that we do for our clients. They are just a guide - we conduct some basic checks, not a thorough review. Would plugins which fail this inspection be of general interest to the list and therefore worth posting, as we would a vulnerability? Here's an example report: https://security.dxw.com/plugins/gd-star-rating-1-9-22/ Grateful for a steer... That's a very nice summary view, but it'd be more useful in this medium if you included the lines of code that introduce the vulnerabilities. Most useful would be to coordinate with authors and MITRE for CVE numbers for the issues you find to ensure the issues aren't forgotten about or otherwise ignored. Thanks ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] A question for the list - WordPress plugin inspections
It is valuable I concur (# line of code, file names and CVE submission). I would also suggest to use common classifications (or a mapping) such as OWASP TOP10, WASC, CWE (CAPEC) for your criterias. Providing details regarding the methodology or/and tools used for the assessment would be also valuable. (i.e. Checklist, RIPS, https://labs.portcullis.co.uk/tools/wordpress-build-review-tool/ ) Thank you Best regards 2014-02-19 Seth Arnold : > On Wed, Feb 19, 2014 at 06:40:51PM +, Harry Metcalfe wrote: >> We write and publish light-touch inspections of WordPress plugins >> that we do for our clients. They are just a guide - we conduct some >> basic checks, not a thorough review. >> >> Would plugins which fail this inspection be of general interest to >> the list and therefore worth posting, as we would a vulnerability? >> >> Here's an example report: >> >> https://security.dxw.com/plugins/gd-star-rating-1-9-22/ >> >> Grateful for a steer... > > That's a very nice summary view, but it'd be more useful in this medium > if you included the lines of code that introduce the vulnerabilities. > > Most useful would be to coordinate with authors and MITRE for CVE numbers > for the issues you find to ensure the issues aren't forgotten about or > otherwise ignored. > > Thanks > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] A question for the list - WordPress plugin inspections
On Wed, Feb 19, 2014 at 08:58:49PM +, Harry Metcalfe wrote: > Hi Seth, > > There really isn't time for us to do that, in the context of an > inspection. It's a very light-touch assessment. > > When we find vulnerabilities we do also report those, after working > with the vendor. And they are more detailed. For example: > > https://security.dxw.com/advisories/moving-any-file-php-user-has-access-to-in-bp-group-documents-1-2-1/ > > Harry People behind plug...@wordpress.org can help you with coordination. They can also disable plugins so that there won't be new installations before maintainer fixes issues. Note that security@ address should not be contacted when dealing with plugin issues. It is important to get vulnerabilities fixed in upstream codebase. I can also help you with communication, verification and such in my own time. --- Henri Salo signature.asc Description: Digital signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] A question for the list - WordPress plugin inspections
It might be worth speaking with the WPScan team over at http://wpscan.org/ Maybe they can do the hard work for you? Thanks, Thomas Harry Metcalfe 19 February 2014 20:58 Hi Seth, There really isn't time for us to do that, in the context of an inspection. It's a very light-touch assessment. When we find vulnerabilities we do also report those, after working with the vendor. And they are more detailed. For example: https://security.dxw.com/advisories/moving-any-file-php-user-has-access-to-in-bp-group-documents-1-2-1/ Harry On 19/02/2014 19:27, Seth Arnold wrote: ___Full-Disclosure - We believe in it.Charter: http://lists.grok.org.uk/full-disclosure-charter.htmlHosted and sponsored by Secunia - http://secunia.com/ Seth Arnold 19 February 2014 19:27 That's a very nice summary view, but it'd be more useful in this mediumif you included the lines of code that introduce the vulnerabilities.Most useful would be to coordinate with authors and MITRE for CVE numbersfor the issues you find to ensure the issues aren't forgotten about orotherwise ignored.Thanks___Full-Disclosure - We believe in it.Charter: http://lists.grok.org.uk/full-disclosure-charter.htmlHosted and sponsored by Secunia - http://secunia.com/ Harry Metcalfe 19 February 2014 18:40 Hello list, We write and publish light-touch inspections of WordPress plugins that we do for our clients. They are just a guide - we conduct some basic checks, not a thorough review. Would plugins which fail this inspection be of general interest to the list and therefore worth posting, as we would a vulnerability? Here's an example report: https://security.dxw.com/plugins/gd-star-rating-1-9-22/ Grateful for a steer... Harry ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] A question for the list - WordPress plugin inspections
Hi Seth, There really isn't time for us to do that, in the context of an inspection. It's a very light-touch assessment. When we find vulnerabilities we do also report those, after working with the vendor. And they are more detailed. For example: https://security.dxw.com/advisories/moving-any-file-php-user-has-access-to-in-bp-group-documents-1-2-1/ Harry On 19/02/2014 19:27, Seth Arnold wrote: On Wed, Feb 19, 2014 at 06:40:51PM +, Harry Metcalfe wrote: We write and publish light-touch inspections of WordPress plugins that we do for our clients. They are just a guide - we conduct some basic checks, not a thorough review. Would plugins which fail this inspection be of general interest to the list and therefore worth posting, as we would a vulnerability? Here's an example report: https://security.dxw.com/plugins/gd-star-rating-1-9-22/ Grateful for a steer... That's a very nice summary view, but it'd be more useful in this medium if you included the lines of code that introduce the vulnerabilities. Most useful would be to coordinate with authors and MITRE for CVE numbers for the issues you find to ensure the issues aren't forgotten about or otherwise ignored. Thanks ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] A question for the list - WordPress plugin inspections
On Wed, Feb 19, 2014 at 06:40:51PM +, Harry Metcalfe wrote: > We write and publish light-touch inspections of WordPress plugins > that we do for our clients. They are just a guide - we conduct some > basic checks, not a thorough review. > > Would plugins which fail this inspection be of general interest to > the list and therefore worth posting, as we would a vulnerability? > > Here's an example report: > > https://security.dxw.com/plugins/gd-star-rating-1-9-22/ > > Grateful for a steer... That's a very nice summary view, but it'd be more useful in this medium if you included the lines of code that introduce the vulnerabilities. Most useful would be to coordinate with authors and MITRE for CVE numbers for the issues you find to ensure the issues aren't forgotten about or otherwise ignored. Thanks signature.asc Description: Digital signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] A question for the list - WordPress plugin inspections
Hello list, We write and publish light-touch inspections of WordPress plugins that we do for our clients. They are just a guide - we conduct some basic checks, not a thorough review. Would plugins which fail this inspection be of general interest to the list and therefore worth posting, as we would a vulnerability? Here's an example report: https://security.dxw.com/plugins/gd-star-rating-1-9-22/ Grateful for a steer... Harry -- Harry Metcalfe 07790 559 876 @harrym ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/