Re: [Full-disclosure] A question for the list - WordPress plugin inspections



<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000">It might be worth speaking
 with the WPScan team over at <a class="moz-txt-link-freetext" 
href="http://wpscan.org/">http://wpscan.org/</a><br>
<br>
Maybe they can do the hard work for you?<br>
<br>
Thanks,<br>
Thomas<br>
<br>
<blockquote style="border: 0px none;" 
cite="mid:53051B09.5000900@xxxxxxx" type="cite">
  <div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div 
style="display:table;width:100%;border-top:1px solid 
#EDEEF0;padding-top:5px">       <div 
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
 photoaddress="harry@xxxxxxx" photoname="Harry Metcalfe" 
src="cid:part1.01030709.03070607@tmacuk.co.uk" 
name="postbox-contact.jpg" height="25px" width="25px"></div>   <div 
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
        <a moz-do-not-send="true" href="mailto:harry@xxxxxxx" 
style="color:#737F92 
!important;padding-right:6px;font-weight:bold;text-decoration:none 
!important;">Harry Metcalfe</a></div>   <div 
style="display:table-cell;white-space:nowrap;vertical-align:middle;">   
  <font color="#9FA2A5"><span style="padding-left:6px">19 February 2014 
20:58</span></font></div></div></div>
  <div style="color:#888888;margin-left:24px;margin-right:24px;" 
__pbrmquotes="true" class="__pbConvBody">
  
    <meta http-equiv="Content-Type" content="text/html; 
charset=ISO-8859-1">
  
    Hi Seth,<br>
    <br>
    There really isn't time for us to do that, in the context of an
    inspection. It's a very light-touch assessment. <br>
    <br>
    When we find vulnerabilities we do also report those, after working
    with the vendor. And they are more detailed. For example: <br>
    <br>
    &nbsp;
<a moz-do-not-send="true" 
href="https://security.dxw.com/advisories/moving-any-file-php-user-has-access-to-in-bp-group-documents-1-2-1/" 
class="moz-txt-link-freetext">https://security.dxw.com/advisories/moving-any-file-php-user-has-access-to-in-bp-group-documents-1-2-1/</a><br>
    <br>
    Harry<br>
    <div class="moz-cite-prefix"><br>
      On 19/02/2014 19:27, Seth Arnold wrote:<br>
    </div>
    
    <br>
  <div>_______________________________________________<br>Full-Disclosure
 - We believe in it.<br>Charter: 
<a class="moz-txt-link-freetext" 
href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted
 and 
sponsored by Secunia - <a class="moz-txt-link-freetext" 
href="http://secunia.com/">http://secunia.com/</a></div></div>
  <div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div 
style="display:table;width:100%;border-top:1px solid 
#EDEEF0;padding-top:5px">       <div 
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
 photoaddress="seth.arnold@xxxxxxxxxxxxx" photoname="Seth Arnold" 
src="cid:part2.03040109.02030808@tmacuk.co.uk" 
name="compose-unknown-contact.jpg" height="25px" width="25px"></div>   <div
 
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
        <a moz-do-not-send="true" href="mailto:seth.arnold@xxxxxxxxxxxxx" 
style="color:#737F92 
!important;padding-right:6px;font-weight:bold;text-decoration:none 
!important;">Seth Arnold</a></div>   <div 
style="display:table-cell;white-space:nowrap;vertical-align:middle;">   
  <font color="#9FA2A5"><span style="padding-left:6px">19 February 2014 
19:27</span></font></div></div></div>
  <div style="color:#888888;margin-left:24px;margin-right:24px;" 
__pbrmquotes="true" class="__pbConvBody"><div><!----><br>That's a very 
nice summary view, but it'd be more useful in this medium<br>if you 
included the lines of code that introduce the vulnerabilities.<br><br>Most
 useful would be to coordinate with authors and MITRE for CVE numbers<br>for
 the issues you find to ensure the issues aren't forgotten about or<br>otherwise
 
ignored.<br><br>Thanks<br></div></div>
  <div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div 
style="display:table;width:100%;border-top:1px solid 
#EDEEF0;padding-top:5px">       <div 
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
 photoaddress="harry@xxxxxxx" photoname="Harry Metcalfe" 
src="cid:part1.01030709.03070607@tmacuk.co.uk" 
name="postbox-contact.jpg" height="25px" width="25px"></div>   <div 
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
        <a moz-do-not-send="true" href="mailto:harry@xxxxxxx" 
style="color:#737F92 
!important;padding-right:6px;font-weight:bold;text-decoration:none 
!important;">Harry Metcalfe</a></div>   <div 
style="display:table-cell;white-space:nowrap;vertical-align:middle;">   
  <font color="#9FA2A5"><span style="padding-left:6px">19 February 2014 
18:40</span></font></div></div></div>
  <div style="color:#888888;margin-left:24px;margin-right:24px;" 
__pbrmquotes="true" class="__pbConvBody">Hello list,
<br>
<br>We write and publish light-touch inspections of WordPress plugins 
that 
we do for our clients. They are just a guide - we conduct some basic 
checks, not a thorough review.
<br>
<br>Would plugins which fail this inspection be of general interest to 
the 
list and therefore worth posting, as we would a vulnerability?
<br>
<br>Here's an example report:
<br>
<br>&nbsp; <a class="moz-txt-link-freetext" 
href="https://security.dxw.com/plugins/gd-star-rating-1-9-22/">https://security.dxw.com/plugins/gd-star-rating-1-9-22/</a>
<br>
<br>Grateful for a steer...
<br>
<br>Harry
<br>
<br></div>
</blockquote>
</body></html>
