Yeah, I am looking for it too for documentation and it isn’t even showing up on the developers website… I am not far into my project so if I need to remove it, I am going to. Hopefully an answer comes soon.
A colleague has pointed me to this which may provide the explanation: http://packetstormsecurity.org/files/view/103773/registerplus373-xss.txt
I’m guessing people just kept complaining about that until someone in charge at the plugin repository removed Register Plus Redux. Which is ironic since the same XSS exists in Pie Register and Register Plus, the two plugins RPR replaces… The XSS exploit, as I see it, could be executed on any of the vanilla registration fields, so there’s nothing I’ve done to make a hole, it’s a hole that’s there with or without Register Plus Redux, so I’m a bit miffed that it’s come to this.
Yeah it is strange that it’s only gone now. Just found this from November ’10: http://www.livehacking.com/tag/register-plus-plugin/
I’m guessing it’s just a case of someone getting round to it…
@radiok Do you have any plans to get the holes patched and re-submitted to .org at all?
It’s hard to say, I’m getting frustrated and disappointed with developing for WordPress. I enjoy contributing but find it to be a bit overwhelming, so I guess it’s just wait and see for now.
Oh wow, I really was relying on this plugin! It was exactly what I needed, radiok!
Well, on to the next thing – does anyone know if Cimy User Extra Fields has the same XSS problems?
I’d like to offer my encouragement to radiok to continue to support Register Plus Redux — it’s really a great plugin.
Hi radiok – I have a client who wants to use Redux if the security is sorted. We have had a look and think it’s not too big of a job. Perhaps we can help? BTW Register Plus was removed a while back but the Pie one is still on here but has no contact for the author & some notes say it has been abandoned.
Ok, just so I am not misunderstanding this; @radiok you are stating that this vulnerability has nothing to do with your plugin and exists on a vanilla WP registration page? If this is so, shouldn’t this be addressed/fixed within WP itself?
I’m not trying to dispute what you’re saying, I just want to make sure I am not misreading/misinterpreting this issue.
Also, the sites which report this vulnerability in RPR say that it can be remedied by editing the source to properly sanitize the user input. Has anyone investigated and/or done this yet?
I hope this can be resolved as this plugin is fantastic and has served me very well.
I also have the same as dialogcrm status. We have a client and wish to encourage RadioK to continue on development of the plugin. And if interested we are willing to adopt the plugin and take it to the next commercial level.
@radiok Please consider addressing the input sanitization issue, even though it’s consistent with the default WP login/registration (as I understand it to be). Then you could advertise your plugin as being “more secure than WordPress” and become an essential plugin for everyone. Just a thought. Best wishes.
I’d just like to echo the sentiments expressed here and add my support and encouragement for @radiok to continue development. I’d even be willing to contribute/donate in some way.
Although I can’t seem to find too much about what this plugin does exactly, it sounds like what I really need! Numerous blogs around the net all point to you!
So while I can’t contribute code-wise, I’m happy to donate! And I do hope the security thing gets sorted out because in fact I used to not care about security until I got hit 😀
Radiok, more encouragement to keep up the good work and to see this issue resolved. Your plugin is excellent and very valuable to the WP community. We at Computer Courage are interested in helping you, you can contact us at email@example.com. Let’s keep this alive.
- The topic ‘Removed?’ is closed to new replies.