ballast-security-securing-hashing
[resolved] Security issue (8 posts)

  1. Julio Potier
    Member
    Posted 2 years ago #

    Hello

    Your plugin contains an XSRF vulnerability; please use a nonce token when validating/updating option values.

    http://codex.wordpress.org/Writing_a_Plugin

    See you

    ps : You can add my name "Julio Potier from boiteaweb.fr" into the changelog if you want

    http://wordpress.org/extend/plugins/ballast-security-securing-hashing/

  2. BallastSecurity
    Member
    Plugin Author

    Posted 2 years ago #

    Can you supply a proof of concept?
    I understand what section you are referencing, but code should only be run there if in the admin dashboard.

    curl -d "hashtype=1" http://localhost/wordpress/wp-content/plugins/BallastSecurityHasher/BallastSecurityHasher.php and curl -d "hashtype=1" http://localhost/wordpress/wp-admin/admin.php?page=bssh_config failed to change the hashtype.

  3. BallastSecurity
    Member
    Plugin Author

    Posted 2 years ago #

    I'm marking this as resolved until I'm shown otherwise. A nonce is not needed there, and I would prefer if supposed vulnerabilities contained a proof of concept.

  4. Julio Potier
    Member
    Posted 2 years ago #

    Why do you think each WordPress page and action is actually using a nonce token?
    Do you know what a CSRF flaw is?
    Please read this: http://codex.wordpress.org/WordPress_Nonces
    You HAVE to add a nonce token.
    Because of CSRF, a hacker/evil visitor can force the admin to perform an authorised but unintended action.
    The hacker cannot change the value himself, because, like you said, you have to be admin and connected to the admin dashboard.
    But he can create a kind of fake form, with all your fields, and when you visit this page containing this form (it can be hidden and sent in the background) YOU will send the form, YOU are admin, options are changed.
    Trust me, you need to add a nonce here; every form in WordPress has one, every action has one, you need one.
    I won't give you a PoC, just trust me, read the codex, learn how to do this and do it, just do it.
    Next step: I'll warn plugins@wordpress.org, admins will tell you the same as me.
    Next step: plugin deleted from the repo because of the vuln issue.

    See you.
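    The two shapes of option handler the thread is arguing about, as an added example written for this page (it is not the plugin's code and not code posted by either participant). The menu slug `bssh_config` and the field name `hashtype` are taken from the curl commands above; the option name `bssh_hashtype`, the nonce action `bssh_save_hashtype`, the nonce field `bssh_nonce` and the function names are assumed. The first function shows the pattern being reported: any POST that reaches the page while an administrator is logged in is accepted, so a form on an unrelated site can submit it on the admin's behalf. The second is the hardened version using the WordPress nonce API from the codex page linked in the thread, plus a capability check.

```php
<?php
// Added example, not the plugin's own code.
// Assumed: option name "bssh_hashtype", nonce action "bssh_save_hashtype",
// nonce field "bssh_nonce". Slug "bssh_config" and field "hashtype" come
// from the thread.

// --- Pattern reported in the thread (CSRF-prone, not hooked anywhere here).
// The only "check" is that a browser session is logged in, and the browser
// attaches the admin's cookies to any form submission, including one
// submitted from a page the admin did not write.
function bssh_vulnerable_save() {
    if ( isset( $_POST['hashtype'] ) ) {
        update_option( 'bssh_hashtype', absint( $_POST['hashtype'] ) );
    }
}

// --- Hardened pattern: capability check + nonce verification on save,
// nonce field emitted in the form so legitimate submissions carry it.
function bssh_render_config_page() {
    // Defence in depth: the menu capability below already gates the page,
    // but the handler should not rely on that alone.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( isset( $_POST['hashtype'] ) ) {
        // check_admin_referer() verifies the nonce bound to this action and
        // the current user's session; it calls wp_die() on failure, so a
        // forged form (which cannot know the nonce) never reaches update_option().
        check_admin_referer( 'bssh_save_hashtype', 'bssh_nonce' );
        update_option( 'bssh_hashtype', absint( $_POST['hashtype'] ) );
    }

    $current = absint( get_option( 'bssh_hashtype', 1 ) );
    ?>
    <div class="wrap">
      <h1>Hash type</h1>
      <!-- Empty action: the form posts back to admin.php?page=bssh_config -->
      <form method="post" action="">
        <?php wp_nonce_field( 'bssh_save_hashtype', 'bssh_nonce' ); ?>
        <label for="hashtype">Hash type</label>
        <input type="number" name="hashtype" id="hashtype"
               value="<?php echo esc_attr( $current ); ?>">
        <?php submit_button( 'Save' ); ?>
      </form>
    </div>
    <?php
}

// Register the page at admin.php?page=bssh_config, readable/writable only
// by users with manage_options.
add_action( 'admin_menu', function () {
    add_menu_page(
        'Hash type',            // page title
        'Hash type',            // menu title
        'manage_options',       // capability
        'bssh_config',          // menu slug
        'bssh_render_config_page'
    );
} );
```

    Two things worth noting about the curl tests in post 2: both requests were sent without the admin's session cookies, so they exercise authentication, not CSRF. The forgery described in post 4 is carried out by the admin's own browser, which does send those cookies. What separates an intended submission from a forged one is the per-session, per-action nonce value that only pages rendered for that admin contain, which is why `check_admin_referer()` is the fix rather than any check on where the request came from.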

  5. BallastSecurity
    Member
    Plugin Author

    Posted 2 years ago #

    Just say phishing then ffs.
    It's nice of you to act like a mature adult like this.

  6. Julio Potier
    Member
    Posted 2 years ago #

    This is called a CSRF vulnerability, not phishing; this is not the same.
    If I exploit the CSRF, you will never know it.
    With phishing, I'll try to force you to manually type some password, bank card number, personal info, etc.

    http://codex.wordpress.org/WordPress_Nonces
    Bottom of the page:
    "Cross-site request forgery article on WikiPedia"
    => Cross-site request forgery
    C.S.R.F

    'It's nice of you to act like a mature adult like this.'
    Was it ironic? ^^
    It's my job, I'm a web sec consultant and WP expert, I do this every day ;)

  7. BallastSecurity
    Member
    Plugin Author

    Posted 2 years ago #

    It's fixed. I would credit you, but your hostile attitude and lack of cooperation leave me without the desire to.

    Have a nice day.

  8. Julio Potier
    Member
    Posted 2 years ago #

    Sorry, I did not want to be hostile. Have a nice day!
    Credit is not mandatory, but thanks anyway, I appreciate it :)

Topic Closed