Clazh
Aug 27
13

Security alert: WordPress Competition Winning Plugins Vulnerable

Posted By Arpit Jacob

Update: My sincere apologies to all the plugin developers. I usually try to keep track of WordPress security. and buyacrop has been very good at finding exploits and providing patches. In my hurry to warn users I forgot to check if patches were available or if the developers were informed. I think its pretty irresponsible on buyacrop part.

The winners of the WordPress Plugin Competition has been announced. congratulation to all the winners. I am really sorry to spoil the party but I am doing this to inform readers, I would really hate it if someone hacked your site. Unfortunately all the Plugins are vulnerable to security flaws. They are listed here in order of danger.

1. WordPress Automatic Upgrade: It allows any non authenticated user to.
* To generate and to unload the archives of WordPress (including wp-config.php with your data of data base).
* To generate and to unload backups of your data base with which this represents.
* To activate and To deactivate all plugins.
* To update the version of WordPress without your authorization.
2. OneClick: Is vulnerable CSRF (Cross-site request forgery) it allows you to unload plugins - or malicious code - from any URL.
3. Who Sees Ads: Is vulnerable to CSRF and XSS (Cross-site scripting).
4. MyDashboard: Is vulnerable to CSRF and XSS.

Please deactivate these plugins immediately till the authors update the plug-in. A mail has been sent to each of these authors so expect them to patch them quickly.

Thank you carrero for tipping me off.

Original source. buayacorp

Tags:, ,
Category: Blogging, Coding, Wordpress
Get RSS Feed
This entry was posted on Monday, August 27th, 2007 at 12:01 pm and is filed under Blogging, Coding, Wordpress.
  • You can follow any responses to this entry through the RSS 2.0 feed.
    • You can skip to the end and leave a response. Pinging is currently not allowed.

12 Comments

Gravatar 1

thanks for your fast reply, I write to buayacorp because i need more details for this bugs, i want fix for use :)

David Carrero Fdez-Baillo Posted on Monday, August 27th, 2007 at 12:10 pm
avatar 2

@david I am having second thoughts about publishing this, since it is all in Spanish I assumed a mail was sent to the developers of the plugins … I just saw OZH comment on buayacrop and I agree this is kind of very irresponsible. I think he is doing a good job but this is kinda scary way to do this.

Arpit Jacob Posted on Monday, August 27th, 2007 at 12:19 pm
Gravatar 3

No emails have been sent, and no details of exploits are available other than generic titles I’m afraid.

Barry Posted on Monday, August 27th, 2007 at 12:56 pm
Gravatar 4

I write alex from buayacorp. I request more information about this bugs for plugin authors.

David Carrero Fdez-Baillo Posted on Monday, August 27th, 2007 at 2:43 pm
Gravatar 5

@David - Why can’t you let us know the details. You obviously know what they are otherwise you wouldn’t be running around posting that there are vulnerabilities everywhere?
If you haven’t seen them, or know about them, then do you really think you are helping?

Barry Posted on Monday, August 27th, 2007 at 5:31 pm
Gravatar 6

The 2 plugins flagged as vulnerable to XSS&CSRF are, I think, just lacking nonce fields in their forms. Which does make them vulnerable to some XSS & CSRF attacks. Which is, IMO, nothing near a critical vulnerability. There’s no reason not to implement nonces, really, and adding this WP built-in protection in all my plugins has been sitting on my todo-list for quite a while now. I’ve just been too lazy, but there’s no reason why this should go on top of my todo list.

So, unless the smart ass behind this original announcement replies with some details and proves me wrong with more serious issues, I’ll keep this on my todo-list and update some day, for instance when I add features.

Ozh Posted on Monday, August 27th, 2007 at 6:25 pm
Gravatar 7

The said bugs have been fixed and i have released the latest version http://techie-buzz.com/wordpress-plugins/wpau-wins-third-at-weblog-tools-plugin-competition.html

Thanks
Keith

Keith Dsouza Posted on Tuesday, August 28th, 2007 at 2:41 am
Gravatar 8

Has an email been sent to the author of OneClick with this info? I don’t see an update yet nor an acknowledgment of a comment about this left by David in Spanish of all things. Either way, since I’ve worked with Anirudh on a couple of bugs early on, I’m sending one myself.

Kirk M Posted on Tuesday, August 28th, 2007 at 4:47 am
Gravatar 9

There’s no real proof that it can be done and virtually every script is vunerable to csrf and XSS, anyways, this minor problem is fixed. Please read this:
http://anirudhsanjeev.org/on-oneclick-security/

thanks.

Anirudh Posted on Tuesday, August 28th, 2007 at 4:47 pm
Gravatar 10

How much damage can be done on a vulnerable plugin? It seems it can be a doorway to attacks?

David Posted on Thursday, August 30th, 2007 at 3:10 am
Gravatar 11

Personally, I think I would have a few people check my plugin before I went submitting it as a finished product. Then again, I can’t make them so nevermind. :P

Congrats to the winner, but it’s kinda lame that he was the way he was about the hosting prize.

Amy Posted on Friday, August 31st, 2007 at 2:32 am
Gravatar 12

Mistakes happen? :)

Jan Posted on Monday, September 3rd, 2007 at 6:03 pm

1 Trackbacks/Pingbacks

Catch up ! - Online Diary
Pingback on August 28, 2007

[…] security flaws in each of these plug-ins. […]

Leave a comment

- Why ask? This confirms you are a human user!

All Rights Reserved Copyright © 2008, and Design by Arpit Jacob. XML SiteMap, XHTML Sitemap, RSS Entries and Comments