Comments on: Security alert: WordPress Competition Winning Plugins Vulnerable

By: Jan

Jan — Mon, 03 Sep 2007 13:03:35 +0000

Mistakes happen? :)

By: Amy

Amy — Thu, 30 Aug 2007 21:32:12 +0000

Personally, I think I would have a few people check my plugin before I went submitting it as a finished product. Then again, I can’t make them so nevermind. :P

Congrats to the winner, but it’s kinda lame that he was the way he was about the hosting prize.

By: David

David — Wed, 29 Aug 2007 22:10:39 +0000

How much damage can be done on a vulnerable plugin? It seems it can be a doorway to attacks?

By: Anirudh

Anirudh — Tue, 28 Aug 2007 11:47:12 +0000

There’s no real proof that it can be done and virtually every script is vunerable to csrf and XSS, anyways, this minor problem is fixed. Please read this:
http://anirudhsanjeev.org/on-oneclick-security/

thanks.

By: Kirk M

Kirk M — Mon, 27 Aug 2007 23:47:40 +0000

Has an email been sent to the author of OneClick with this info? I don’t see an update yet nor an acknowledgment of a comment about this left by David in Spanish of all things. Either way, since I’ve worked with Anirudh on a couple of bugs early on, I’m sending one myself.

By: Keith Dsouza

Keith Dsouza — Mon, 27 Aug 2007 21:41:43 +0000

The said bugs have been fixed and i have released the latest version http://techie-buzz.com/wordpress-plugins/wpau-wins-third-at-weblog-tools-plugin-competition.html

Thanks
Keith

By: Catch up ! - Online Diary

Catch up ! - Online Diary — Mon, 27 Aug 2007 19:37:47 +0000

[...] security flaws in each of these plug-ins. [...]

By: Ozh

Ozh — Mon, 27 Aug 2007 13:25:02 +0000

The 2 plugins flagged as vulnerable to XSS&CSRF are, I think, just lacking nonce fields in their forms. Which does make them vulnerable to some XSS & CSRF attacks. Which is, IMO, nothing near a critical vulnerability. There’s no reason not to implement nonces, really, and adding this WP built-in protection in all my plugins has been sitting on my todo-list for quite a while now. I’ve just been too lazy, but there’s no reason why this should go on top of my todo list.

So, unless the smart ass behind this original announcement replies with some details and proves me wrong with more serious issues, I’ll keep this on my todo-list and update some day, for instance when I add features.

By: Barry

Barry — Mon, 27 Aug 2007 12:31:05 +0000

@David – Why can’t you let us know the details. You obviously know what they are otherwise you wouldn’t be running around posting that there are vulnerabilities everywhere?
If you haven’t seen them, or know about them, then do you really think you are helping?

By: David Carrero Fdez-Baillo

David Carrero Fdez-Baillo — Mon, 27 Aug 2007 09:43:48 +0000

I write alex from buayacorp. I request more information about this bugs for plugin authors.