nitstorm
Forum Replies Created
I have mailed you my report at feedback[at]appticles.com after viewing the sticky thread.
Sorry for not noticing that earlier.
Thanks & regards,
Nitin Venkatesh
Forum: Plugins
In reply to: [Analyticator] Discovered security vulnerabilities
Hi Garrett,
This is a CSRF vulnerability. Consider this scenario where the authenticated user visits another site (belonging to an attacker), where a request could be submitted to the above URL using the authenticated user’s session and the action could be performed – even if the user never wanted something like that to happen, and without their knowledge too.
Nitin
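The mitigation for the pattern described above, as an added example that is not the plugin's code or the forum poster's: a WordPress admin handler that acts on a `pageaction` query parameter, shown first without protection and then with the nonce and capability checks that WordPress core provides. The plugin slug `example-plugin`, the function names, and the cache and option keys are assumptions made for this illustration.

```php
<?php
// Added example (not the plugin's own code). The slug 'example-plugin', the
// function names, the transient key and the option name are assumptions.

// Unprotected pattern: the handler trusts the GET parameter alone, so any page
// the logged-in admin visits can cause the browser to send this request with
// the admin's session cookies and the action runs without the admin's intent.
function example_plugin_handle_action_unsafe() {
    if ( isset( $_GET['pageaction'] ) && $_GET['pageaction'] === 'clear_cache' ) {
        delete_transient( 'example_plugin_cache' ); // assumed cache key
    }
}

// Protected pattern, part 1: the link the plugin renders carries a nonce that
// is bound to the current user and to this specific action name.
function example_plugin_action_url( $action ) {
    $url = add_query_arg(
        array( 'page' => 'example-plugin', 'pageaction' => $action ),
        admin_url( 'options-general.php' )
    );
    // wp_nonce_url() appends _wpnonce=... to the URL.
    return wp_nonce_url( $url, 'example_plugin_' . $action );
}

// Protected pattern, part 2: the handler checks authorization (capability)
// and then the nonce (CSRF) before it changes any state.
function example_plugin_handle_action() {
    if ( ! isset( $_GET['page'], $_GET['pageaction'] ) || $_GET['page'] !== 'example-plugin' ) {
        return;
    }
    $action = sanitize_key( $_GET['pageaction'] );

    // Authorization: only users who may manage options can run these actions.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // CSRF check: check_admin_referer() calls wp_die() when the _wpnonce
    // parameter is missing, forged, expired, or issued for another action
    // or another user. A cross-site request cannot supply a valid nonce.
    check_admin_referer( 'example_plugin_' . $action );

    switch ( $action ) {
        case 'clear_cache':
            delete_transient( 'example_plugin_cache' );   // assumed cache key
            break;
        case 'reset':
            delete_option( 'example_plugin_settings' );   // assumed option name
            break;
        default:
            wp_die( 'Unknown action.' );
    }

    // Redirect after the state change so a page reload does not repeat it
    // and the used nonce is dropped from the address bar.
    wp_safe_redirect( add_query_arg(
        array( 'page' => 'example-plugin', 'done' => $action ),
        admin_url( 'options-general.php' )
    ) );
    exit;
}
add_action( 'admin_init', 'example_plugin_handle_action' );
```

The order of the two checks matters: the capability check answers "may this user do this at all?", and the nonce check answers "did this user actually intend this request?". A nonce on its own is not an authorization control, and a capability check on its own does nothing against CSRF, since the victim in the scenario above is a legitimately logged-in administrator.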
Forum: Plugins
In reply to: [Social Share Boost] Discovered security vulnerabilities
Hi Noah,
Should I follow the same procedure as done in Google Analyticator and post the vulnerability issue here itself?
Thanks & regards,
Nitin Venkatesh
Forum: Plugins
In reply to: [Analyticator] Discovered security vulnerabilities
Hi Noah,
I found that the cache could be cleared and a reset could be performed by CSRF on this plugin.
## Proof of Concept:
http://localhost/wp-admin/options-general.php?page=google-analyticator.php&pageaction=ga_clear_cache
http://localhost/wp-admin/options-general.php?page=ga_reset
Thanks & regards,
Nitin Venkatesh
Forum: Plugins
In reply to: [Recent Tweets Widget] Discovered security vulnerabilities
Sorry about the thread. I dug deeper and found it was a false alarm. And sorry about the duplicate thread that got created by accident.
Hi,
I’m glad to know that you have received the message resent on the 23rd. I do have all the packages; they were downloaded from the WordPress plugin site itself.
The bugs that I found were all security related which I have told you about in the email along with the Proof-of-Concept code that I had sent as an attachment.
Please do mail me if you need any further information regarding the security vulnerabilities. I appreciate your co-operation.
Thanks & regards,
Nitin Venkatesh
Forum: Plugins
In reply to: [Free counter] No contact information
Hi,
I’ve just sent the report across via the contact form.
Thanks & regards,
Nitin Venkatesh
Forum: Plugins
In reply to: [StageShow] Contact Form Broken
Hi Malcolm,
I have sent a message using the contact form.
Thanks
Forum: Plugins
In reply to: [Encrypted Contact Form] Discovered Security Issues
Thank you for the quick response and fix.
Forum: Plugins
In reply to: [WP Flow Plus] Discovered Possible Security Issue
Awesome! Thank you for the super-quick response.
Do I have the permission to write a full disclosure that can be made available on the internet after a week or two?
Forum: Plugins
In reply to: [WP Flow Plus] Discovered Possible Security Issue
Thank you for your quick response. I’ve sent the mail that I sent to plugins[at]wordpress.org to you using the contact form.