BulletProof Security – Security Vulnerability, Security Vulnerabilities, WordPress Plugin Security Vulnerabilities


    Post #27036 by AITpro Admin (Keymaster)

    Security Vulnerability is a very misunderstood phrase/term/word by the average person/website owner.  The phrase Security Vulnerability has a very wide range of usage and meaning.  A security vulnerability can mean that a plugin contains a critical serious bug/flaw that can lead to a website being hacked or it can mean simply that a bug/flaw exists in some code that needs to be fixed, such as Form sanitization or validation, but that bug/flaw cannot be exploited/used to hack a website.  The average person assumes that all security vulnerabilities mean the same thing – that a plugin is not safe to use if it has or had a security vulnerability and that a website can be hacked if a security vulnerability exists in a plugin.  That is of course completely false.

    Case in point: The average person misunderstands the usage of the phrase “Security Vulnerability”

    The user responses in this blog post here:  https://www.wordfence.com/blog/2015/11/plugin-vulnerabilities-nov/ show that the majority of average users believe that a security vulnerability means that a plugin is not safe to use and will get their website hacked if they use a plugin that has or had a security vulnerability.

    Thomas November 29, 2015 at 8:55 am
    Thanks for this update! It’s really useful to know which plugins are not safe for my blogs. Kudos to Sathish and Wordfence, well done guys!

    lomokev November 11, 2015 at 10:18 am
    I always like reading these posts and realising that I use none of the plugins! Must be a little embarrassing for Bulletproof Security! Not as Bulletproof as they should be.

    Imran November 11, 2015 at 9:56 am
    Luckily I do not have any of these plugins on my site but kudos to Sathish and Wordfence for alerting everyone and doing a wonderful job.

    usman November 11, 2015 at 10:17 am
    The last four out of the six are hardly popular wordpress plugins. But still thank you for the alert. It only takes one install to compromise a site.

    Daniel Lo Nigro November 11, 2015 at 11:18 am
    “Bulletproof Security (100,000+ active installs) version .52.4 contains a XSS vulnerability”
    I guess it’s not bulletproof after all 😀

    Rhonda Chapman November 11, 2015 at 3:24 pm
    Phew! I don’t have any of these plugins installed. It’s great to know what to watch for.

    Ghulam Mustafa November 11, 2015 at 3:27 pm
    Thanks for the update. I am not using any plugin mentioned above but I will keep in mind while working on the security projects for my clients.

    Ankush Das November 11, 2015 at 9:03 pm
    Thanks for the news! Well, I don’t use any of these. But, I stay updated with the list posted by your team. By the way, thank you WordFence for providing great security to my site 🙂

    Graham November 12, 2015 at 12:08 am
    You guys are awesome. I don’t personally use any of the plugins you mentioned, but it certainly is reassuring to know you are very much on the ball.
    Thanks very much.

    Case in point: BulletProof Security .52.4 XSS security vulnerability

    BPS Changelog info for .52.5:
    http://forum.ait-pro.com/forums/topic/bps-changelog/

    BugFix|Correction: DB Table Prefix Changer: Only allow entering numbers, lowercase letters and underscores in the Randomly Generated DB Table Prefix Form text box. Special thanks to Sathish from: Cyber Security Works Pvt Ltd for reporting a bug/security vulnerability in the DB Table Prefix Changer tool Form. Notes: You MUST be an Administrator and logged into the site as an Administrator in order to enter/test XSS html testing code in the Randomly Generated DB Table Prefix Form text box. Please do NOT actually try this test if you are using a version of BPS that is below .52.5. BPS .52.5 and above versions will only allow entering numbers, lowercase letters, and underscores for the DB Table Prefix name. If you have a BPS version below .52.5 then entering an invalid DB Table Prefix name will crash your website.

    We sincerely appreciate anyone taking the time to find and report any bugs/flaws/improvements/suggestions/ideas for the BulletProof Security plugin since in the long run this makes the BulletProof Security better overall for everyone that uses BulletProof Security.

    I do not want to take away from Sathish’s credit/kudos for finding and reporting a bug/flaw in BulletProof Security, which is very much appreciated by us, but I feel it is very important to educate the average person about what the phrase/term Security Vulnerability actually means and the wide range of usage for the Security Vulnerability phrase/term.  So I will reiterate this statement and explain the statement in more detail:  A security vulnerability can mean that a plugin contains a critical serious bug/flaw that can lead to a website being hacked or it can mean simply that a bug/flaw exists in some code that needs to be fixed, such as Form sanitization or validation, but that bug/flaw cannot be exploited/used to hack a website.

    In the specific case of the security vulnerability for the BulletProof Security .52.4 XSS vulnerability, what “Security Vulnerability” simply meant is that the DB Table Prefix Changer tool Form needed to have some Form validation coding work added so that someone would not cause a problem for their own website.  It was not a security threat that could be exploited to hack a website.  A website owner would have to be logged into their website as a WordPress Administrator in order to enter invalid data into the DB Table Prefix Changer tool Form, which would then cause the website to crash.  The solution was to create new code to only allow valid data to be entered into the DB Table Prefix Changer tool Form text box to prevent a website crash problem.  So the real question about what a security vulnerability means in each specific case and how to tell the difference about severity of a security vulnerability is below.

    How do you tell if a Security Vulnerability is critical/serious and can lead to a website being hacked or is simply just a bug/flaw that needs to be fixed and that cannot be used to hack a website?

    I am reiterating this statement again since it is the most misunderstood thing about the phrase “Security Vulnerability”:  A security vulnerability can mean that a plugin contains a critical serious bug/flaw that can lead to a website being hacked or it can mean simply that a bug/flaw exists in some code that needs to be fixed, such as Form sanitization or validation, but that bug/flaw cannot be exploited/used to hack a website.

    If you do Google searches using these search strings:  “the plugin name security vulnerability” or “the plugin name security vulnerabilities”, you will find several websites that have information about security vulnerabilities in WordPress Plugins and other software.  Unfortunately, for the average person the security vulnerability information on these sites usually leads to further belief by the average person that a particular plugin or software is not safe to use.  The primary reason for that would probably be the way the security vulnerability data is reported.  It is not reported for the average person to understand and is reported in a way that only a Developer or Coder would understand.  Example:  When I am checking one of these sites to see the severity of a particular security vulnerability reported in a particular plugin or other software, I can clearly see and understand the severity or insignificance of that security vulnerability, but I am a Software Engineer that understands what all that information actually means.  The average person only sees information that makes the plugin or other software actually appear dangerous to use and cannot tell if the security vulnerability is just a minor coding bug/flaw that is not actually dangerous or a security threat.

    So if the average person cannot find whether or not a plugin or other software security vulnerability is actually critical/serious/dangerous or insignificant from websites that report security vulnerabilities then how does the average person find that information?

    1.  Contact the plugin, theme or other software creator and ask about the security vulnerability.  Specifically ask about the severity of the security vulnerability, i.e. is it a simple bug/flaw that is not actually a security threat or exploit that can lead to a website getting hacked, or is it a very serious/critical bug/flaw that can lead to a website getting hacked?

    2.  Check other reliable sources around the Internet that focus on accurately reporting the severity of a security vulnerability in layman's terms that the average person can understand.

    Summary:

    A security vulnerability can mean that a plugin contains a critical serious bug/flaw that can lead to a website being hacked or it can mean simply that a bug/flaw exists in some code that needs to be fixed, such as Form sanitization or validation, but that bug/flaw cannot be exploited/used to hack a website.  Websites that report security vulnerabilities are not “average person friendly” and can lead to further confusion about the severity or insignificance of a particular reported security vulnerability.  Contacting the creator of a plugin, theme or other software to get more information about the severity of the security vulnerability is the first step in finding out exactly how serious/critical a reported security vulnerability actually really is.  Search the Internet and cross reference reliable websites that report security vulnerabilities in a plugin, theme or other software in an accurate way and in an average person friendly way.  What you want to avoid are “sensationalistic” sites that report all security vulnerabilities in a one size fits all or irresponsible way.  Being a security expert, I question everything I read on the Internet and always ask myself these questions anytime I am reading anything on the Internet:  Is there a motive or hidden agenda?  What are the possible motives and agendas?
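    The changelog entry for .52.5 and the explanation of the .52.4 report above describe the fix as form validation: the DB Table Prefix Changer text box now accepts only numbers, lowercase letters and underscores. The following is an added illustration of that kind of allowlist check, written for this page and not taken from the BulletProof Security plugin; the function names (prefixed `bps_example_`) and the sample submissions are constructed for the example.

```php
<?php
// Added example, not BulletProof Security's own code: allowlist validation for a
// database table prefix submitted through an admin form, following the rule stated
// in the .52.5 changelog (digits, lowercase letters and underscores only).
// Function names and sample inputs are constructed for this illustration.

/**
 * Return true only if $prefix is non-empty and consists solely of [0-9a-z_].
 */
function bps_example_is_valid_table_prefix(string $prefix): bool
{
    // \A and \z anchor to the absolute start and end of the string. A bare `$`
    // would still accept "wp_\n", because `$` matches before a trailing newline.
    return preg_match('/\A[0-9a-z_]+\z/', $prefix) === 1;
}

/**
 * Validate a submitted prefix and report the outcome instead of acting on bad input.
 * Returns ['ok' => bool, 'prefix' => string|null, 'error' => string|null].
 */
function bps_example_validate_prefix_submission(array $post): array
{
    $raw = isset($post['db_table_prefix']) ? (string) $post['db_table_prefix'] : '';

    if ($raw === '') {
        return ['ok' => false, 'prefix' => null, 'error' => 'Prefix is required.'];
    }
    if (!bps_example_is_valid_table_prefix($raw)) {
        // Reject rather than "clean up": silently stripping characters would turn
        // "<script>" into "script" and hide the mistake from the administrator.
        return [
            'ok'     => false,
            'prefix' => null,
            'error'  => 'Only numbers, lowercase letters and underscores are allowed.',
        ];
    }
    return ['ok' => true, 'prefix' => $raw, 'error' => null];
}

// Constructed sample submissions (what $_POST might carry from the form)
$samples = [
    ['db_table_prefix' => 'wp_a1b2c3_'],               // accepted
    ['db_table_prefix' => 'WP_Upper'],                 // rejected: uppercase
    ['db_table_prefix' => "wp_\n"],                    // rejected: trailing newline
    ['db_table_prefix' => '<script>alert(1)</script>'], // rejected: markup
    ['db_table_prefix' => ''],                         // rejected: empty
];

foreach ($samples as $s) {
    $r = bps_example_validate_prefix_submission($s);
    printf("%-32s => %s\n", json_encode($s['db_table_prefix']),
        $r['ok'] ? 'accepted' : 'rejected: ' . $r['error']);
}
```

    Two design choices worth noting: the check is an allowlist (what is permitted) rather than a blocklist of bad characters, and the error message is fixed text that never echoes the rejected value. If a form does echo user input back into the page, it must be escaped for HTML output (for example with PHP's `htmlspecialchars()` or WordPress's `esc_html()`), which is the separate control that addresses the XSS class the original report was filed under.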
