Wordfence post about responsible disclosure – Vulnerabilities in BulletProof Security

Home Forums BulletProof Security Free Wordfence post about responsible disclosure – Vulnerabilities in BulletProof Security

Tagged: 

Viewing 9 posts - 1 through 9 (of 9 total)
  • Author
    Posts
  • #18918
    Krzysztof
    Participant

    http://www.wordfence.com/blog/2014/11/wordpress-security-bulletproof-security-responsible-disclosure/

    This is a thing I would never expect from BPS – how this cloud hapen? The plugin got some bad PR thanks to this blog post on Wordfence – a security plugin with a security problem 🙁

    #18922
    AITpro Admin
    Keymaster

    Actually this is a great post about reporting bugs/security vulnerabilities in BulletProof Security or Wordfence or any plugin, such as the most recent security vulnerability in Wordfence or any other applications responsibly.  I am also personally very impressed with the professional way that Pietro Oliva handled responsible disclosure of bugs/security vulnerabilities in BulletProof Security.  The focus of the post is about how to report bugs/security vulnerabilities in a responsible way with the end users best interests at heart.

    I want to word this carefully so that I don’t negate or take away from Pietro Oliva’s efforts, reporting, responsible disclosure etc.  Security vulnerability is a broad term, which of course means a “bug” in some code or a coding mistake in some code or a flaw in some code or the code is not sanitized appropriately.  In this particular case a Form used in BulletProof Security was not sanitized appropriately.  In order to exploit this bug you would need to know the WordPress Database Username and Password, but that should not take away from the fact that the bug was a bug/security vulnerability.  A bug is a bug.  😉

    I don’t know how Microsoft, Google, facebook, WordPress or some of the other mega giants feel about bugs/security vulnerabilities being reported in their code, but I would imagine that they are grateful and appreciate that there are people like Pietro Oliva who do what they do.  So the focus should be on the excellent way that Pietro Oliva handled reporting these bugs/security vulnerabilities.  He handled it like a complete Pro and with the end users best interests as his #1 priority.

    In general, the post by Wordfence is a smart SEO move since BulletProof Security is a very popular search topic.  ie get more visitor traffic to your website just by mentioning BulletProof Security.  😉  The other thing to keep in mind is that “sensational news” sells and boring stuff is just boring so the edgier you can make something sound then the more exciting it sounds or if you just have a picture of a half nude woman that works just as well (and no I am not a chauvinist, just stating the obvious).  ha ha ha.  🙂

    #18951
    Krzysztof
    Participant

    Your explanation clarifies the problem for me – ofcourse the way Pietro Oliva reacted is the right way. I just thought that the bug was more serious but as you wrote – a bug is a bug.

    #18953
    AITpro Admin
    Keymaster

    Yeah the word “Security Vulnerability” makes you immediately think of something dangerous, scary and a hacked website and in some cases it actually is.  In this case, since the Form is already protected by current_user_can('manage_options'); then the missing Form sanitization code falls into the category of very minor coding mistake/bug.

    #18954
    AITpro Admin
    Keymaster

    Oops that was a different bug that was reported by someone else (Corrected my original Post above).  The bpsunlock.php Form issue is a plain stand-alone file/Form that allows you to enter you your Database username and password to connect to your WordPress database to unlock user accounts so you would need to know the WordPress Database username and password to exploit that Form.  😉

    #19184
    AITpro Admin
    Keymaster

    Wordfence is pretty popular too so I decided to create a post about the most recent security vulnerability in Wordfence:  http://forum.ait-pro.com/forums/topic/wordfence-security-vulnerability-cross-site-scripting-xss-vulnerability-in-the-wordfence-security/

    Why not right?  😉

    #19191
    Krzysztof
    Participant

    Huh. Spot on!

    #20363
    AITpro Admin
    Keymaster

    hmm just came across this post below. I was not aware that Wordfence is leading the pack for security vulnerabilities (bugs). Makes me wonder about the real goal and intention of the Wordfence post about BulletProof Security vulnerabilites and other plugins security vulnerabilities. ie was it to take some of the heat off of Wordfence security vulnerabilities? The timing of when the latest Wordfence security vulnerabilities were reported and when Wordfence decided to start creating lots of posts about other plugins security vulnerabilities looks like a “cover your ass” move, but I could be wrong of course. 😉

    “Top 10 Most Vulnerable WordPress Plugins”: https://www.wpwhitesecurity.com/wordpress-security/statistics-highlight-main-source-wordpress-vulnerabilities/

    Top 10 Most Vulnerable WordPress Plugins

    Here are some worrying facts about the Top 10 most vulnerable WordPress plugins:

    • 5 of them are commercial plugins
    • These plugins were downloaded around 21 million times
    • 1 of these plugins is a WordPress security plugin

    https://wpvulndb.com/plugins/wordfence
    wordfence security vulnerbilites

    #21532
    AITpro Admin
    Keymaster

    LOL came across this Wordfence post last week – So much for Responsible Disclosure (see Note):  wordfence.com/blog/2015/03/woocommerce-sql-injection-vulnerability/

    Yesterday Matt Barry, one of our researchers at Wordfence discovered a SQL injection vulnerability in WooCommerce version 2.3.5 and older during a code audit of the plugin repository. WooCommerce is installed on over 1 million active WordPress websites.

    So much for Responsible Disclosure when it comes to Wordfence themselves.  They found a security vulnerability in WooCommerce and posted about it the next day.  Not that I thought for a second that the original Wordfence post about Responsible Disclosure for the BulletProof Security vulnerability really had anything to do with Responsible Disclosure. 😉

    Note:  It has been  9 days since the Wordfence post was publicly released so I feel that posting this now is fairly responsible. 😉
    Additional Note:  iThemes Security also posted the WooCommerce security vulnerability the next day too. 😉
    LOL Note: first thought that popped into my head – “People who live in glass houses shouldn’t throw stones.” 😉

Viewing 9 posts - 1 through 9 (of 9 total)
  • You must be logged in to reply to this topic.