Technosailor - Latest Comments in Democracy Plugin XSS Vulnerability ALERT

Re: Democracy Plugin XSS Vulnerability ALERT

MustLive — Tue, 26 Sep 2006 18:30:31 -0000

Aaron. You have already validated my message and then I retrieved my "key" (it need for your version of wp-subscription-manager.php). And after looking to one of the vulnerable scripts (in this case - wp-subscription-manager.php), I can tell you that your site is <strong>vulnerable</strong> (via Subscribe To Comments plugin)!

You need to update plugin. You can take Subscribe To Comments 2.0.5 from my MustLive Security Pack v.1.0.4 or download last version (Subscribe To Comments 2.0.8) from developer's site.

Re: Democracy Plugin XSS Vulnerability ALERT

MustLive — Tue, 26 Sep 2006 18:03:42 -0000

Aaron. As I wrote at my site http://websecurity.com.ua/187/ two weeks ago, I was found a vulnerability in Subscribe To Comments WordPress plugin (and already released the path and plugin developer also worked on next version of plugin). So there are many other cases (among WordPress plugins) with plugin's vulnerabilities, not only in Democracy plugin. And as I see, you also use Subscribe To Comments at your site, so you need to draw attention to this information (and check your plugin).

Re: Democracy Plugin XSS Vulnerability ALERT

Leroy Brown — Mon, 25 Sep 2006 13:25:40 -0000

Aaron,
I may feel differently if one of my sites had been hacked - that'll certainly give you a different perspective on the matter. Either way, it's necessary to post the expoit so that a fix can be produced, whether by the author or someone else. Good to see that the author did come up with a fix, so that people had a solution instead of a freak-out period of waiting.

Re: Democracy Plugin XSS Vulnerability ALERT

Aaron Brazell — Mon, 25 Sep 2006 09:40:14 -0000

Leroy: Technically, no you can't hold an author liable. In reality though, he's liable. That's how anyone who would get exploited would feel. That's how I would feel if I was hacked as a result. Fortunately, I was able to post the exploit with a link to a new version, so I'd like to think that I worked <em>with</em> Andrew to find a solution before it blew up.

Re: Democracy Plugin XSS Vulnerability ALERT

Leroy Brown — Mon, 25 Sep 2006 08:58:26 -0000

It's a shame that it always takes the public posting of the exploit for the author to fix the problem. Although I can't be too hard on someone who creates a plugin at no cost, so I don't know. Mixed feelings as usual.
Can you hold the author liable for any problems, even though his software is free? I'm not sure that it's fair to do so.

Re: Democracy Plugin XSS Vulnerability ALERT

podz — Sat, 23 Sep 2006 10:46:51 -0000

drmike - I wasn't saying they were safe. I'm talking about people who can code saying that other code is unsafe.

<a href="http://www.tamba2.org.uk/T2..." rel="nofollow">I've a challenge</a>. If it will be accepted.

Re: Democracy Plugin XSS Vulnerability ALERT

drmike — Sat, 23 Sep 2006 10:34:32 -0000

Podz: Don't forget all those people over on the wp.com forums who keep saying that javascripts, embed, and object tags are safe as well. :)

Re: Democracy Plugin XSS Vulnerability ALERT

Aaron Brazell — Fri, 22 Sep 2006 21:43:15 -0000

Sure, <a href="http://www.technosailor.com..." rel="nofollow">over here</a>. ;)

Re: Democracy Plugin XSS Vulnerability ALERT

Duncan — Fri, 22 Sep 2006 21:41:17 -0000

No link love for the person who actually discovered it? :-)

Re: Democracy Plugin XSS Vulnerability ALERT

Aaron Brazell — Fri, 22 Sep 2006 19:50:49 -0000

Sure. And you could also subscribe to bugtraq and find this same kind of information numerous times a day. Secrecy is not always the best policy. I don't make a habit of reporting exploits but I read blogs everyday that do. It's quite the same thing.

Re: Democracy Plugin XSS Vulnerability ALERT

Jeremy Wright — Fri, 22 Sep 2006 19:50:23 -0000

pods: posting the exploit is standard practice, whether it's Microsoft or Apache.

Re: Democracy Plugin XSS Vulnerability ALERT

Darren McLaughlin — Fri, 22 Sep 2006 19:49:18 -0000

These plugins can be very dangerous. I think the Wordpress culture is to install as many plugins as possible without doing a ton of research.

This one is a very insidious exploit.

Re: Democracy Plugin XSS Vulnerability ALERT

podz — Fri, 22 Sep 2006 19:36:35 -0000

But I could now google enough to find that plugin and hit those sites in a couple of clicks.
Surely just saying what you have and omitting the actual exploit would be the way to go?

Re: Democracy Plugin XSS Vulnerability ALERT

Aaron Brazell — Fri, 22 Sep 2006 19:22:21 -0000

Hey podz-

Most people tend to think, "Aww, a hack will never happen to me". The point of this exercise was to demonstrate how very simple it is. Maybe demonstration will cause folks to be cautious regarding plugins they use.

Re: Democracy Plugin XSS Vulnerability ALERT

podz — Fri, 22 Sep 2006 19:17:03 -0000

I'm curious - why post the actual exploit?
Is it to prove it's existence?