WordPress.org

Support

Support » Plugins and Hacks » [Resolved] [Plugin: ballast-security-securing-hashing] Security issue

[Resolved] [Plugin: ballast-security-securing-hashing] Security issue

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author BallastSecurity

    @ballastsecurity

    Can you supply a proof of concept?
    I understand the what section you are referencing, but code should only be run there if in the admin dashboard.

    curl -d "hashtype=1" http://localhost/wordpress/wp-content/plugins/BallastSecurityHasher/BallastSecurityHasher.php and curl -d "hashtype=1" http://localhost/wordpress/wp-admin/admin.php?page=bssh_config failed to change the hashtype.

    Plugin Author BallastSecurity

    @ballastsecurity

    I’m marking this as resolved until I’m shown otherwise. A nonce is not needed there, and I would prefer if supposed vulnerabilities contained a proof of concept.

    Why do you think each WordPress page and action actually using a nonce token ?
    Do you know what is a CSRF flaw ?
    Please read this : http://codex.wordpress.org/WordPress_Nonces
    You HAVE to add a nonce token.
    Because of CSRF, a hacker/evil visitor can force the admin to perform a authorised action but not intended.
    The hacker can not change himself the value, because like you said, you have to be admin and connected to the admin dashboard.
    But he can create a kind of fake form, with all your fields, and when you visit this page containing this form (it can be hidden and sent in background) YOU will send the form, YOU are admin, options are changed.
    Trust me, you need to add a nonce here, every form in WordPress have one, every action got one, you need one.
    I won’t give you a PoC, just trust me, read the codex, learn how to do this and do it, just do it.
    Nest step : i’ll warn plugins@wordpress.org, admins will tell you the same as me.
    Next step : plugin delete from repo because cause vuln issue.

    See you.

    Plugin Author BallastSecurity

    @ballastsecurity

    Just say phishing then ffs.
    Its nice of you to act like a mature adult like this.

    This is called CSRF vulnerability, not Phishing, this is not the same.
    If i exploit the CSRF, you will never know it.
    Wiht a phishing, i’ll try to force you fo manually type some password, bank card number, personal infos etc

    http://codex.wordpress.org/WordPress_Nonces
    Bottom of page :
    “Cross-site request forgery article on WikiPedia”
    => Cross-site request forgery
    C.S.R.F

    ‘Its nice of you to act like a mature adult like this. ‘
    Was it ironic ? ^^
    It’s my job, i’m web sec consultant and WP Expert, i do this every day 😉

    Plugin Author BallastSecurity

    @ballastsecurity

    Its fixed. I would credit you, but your hostile attitude and lack of cooperation leave without the desire to.

    Have a nice day.

    Sorry, i did not want to be hostile. Have a nice day!
    Credit is not mandatory, but thanks anyway i appreciate 🙂

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘[Resolved] [Plugin: ballast-security-securing-hashing] Security issue’ is closed to new replies.