
Day of bugs in WordPress 2

 

 



mustlive at websecurity

Jul 29, 2010, 1:56 PM

Post #1 of 12 (514 views)
Day of bugs in WordPress 2

Hello Full-Disclosure!

I want to inform readers of the list about a new project - Day of bugs in
WordPress 2 - which I'll conduct on 30.07.2010 and which I already announced
today on my site.

After conducting the Month of Search Engines Bugs
(http://websecurity.com.ua/category/moseb/) in June 2007 and the Month of Bugs
in Captchas (http://websecurity.com.ua/category/mobic/) in November 2007, I
switched to smaller and less time-consuming, but still very interesting
projects, which I called "Day of Bugs", such as Day of bugs in WordPress in
December 2007, Day of bugs in Google Chrome (which went on for three days)
in September 2008, Day of bugs in browsers in September 2008 and Day of
bugs in browsers 2: reloaded in October 2008. And now the time has come for
a new project.

I conducted the project Day of bugs in WordPress
(http://websecurity.com.ua/1685/) on 30.12.2007 and planned a long time ago
to conduct a new project, but only now found the time. In that project
I disclosed 81 vulnerabilities - these are Arbitrary file edit
(http://websecurity.com.ua/1686/), Local File Include, Directory Traversal
and Full path disclosure (http://websecurity.com.ua/1687/) vulnerabilities.
Among them there are 49 Full path disclosure, 1 Arbitrary file edit and 31
Local File Include and Directory Traversal (CVE-2008-0195, CVE-2008-0196).
If I'd decided to make not a "day of bugs" but a "month of bugs" (publishing
the holes one by one), then these vulnerabilities would have been enough for
almost three projects :-).

In the project Day of bugs in WordPress 2 I'll disclose many interesting
vulnerabilities in WordPress, which I found in 2007, 2009 and 2010 (and
which affect different versions of the engine).

Similarly to the first Day of bugs in WordPress, this project will be
interesting for every user of WordPress, for developers of WordPress, for
every web developer who is using WordPress, for everyone who is interested
in WP and for the security community, who can find something interesting in
these vulnerabilities and attacks on them. As in the case of the first Day of
bugs in WordPress project, the new project is designed not only to draw the
attention of the WordPress community to security, but to draw the attention
of all web developers to the security of web applications.

After they are published, I'll write detailed descriptions of the
vulnerabilities to the mailing list.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


coderman at gmail

Jul 29, 2010, 3:02 PM

Post #2 of 12 (497 views)
Re: Day of bugs in WordPress 2

On Thu, Jul 29, 2010 at 1:56 PM, MustLive <mustlive [at] websecurity> wrote:
> ...
> I want to inform readers of the list about new project - Day of bugs in
> WordPress...

Hewlett Packard has a soul mate! anyone who cares uses Drupal or other
decent [0] and the wp people keep patching vulns via one-off escapes
and parameter renaming.

my condolences if diligence deems more than a few hours requisite for
such audit amusement. ;)



0. of course, Real (TM) women/men/earth-human hackers code their own
python gevent based publishing pipe...



uuf6429 at gmail

Jul 29, 2010, 3:05 PM

Post #3 of 12 (497 views)
Re: Day of bugs in WordPress 2

> Drupal or other decent [0]


Please! Don't put "Drupal" and "decent" in the same sentence!



On Fri, Jul 30, 2010 at 12:02 AM, coderman <coderman [at] gmail> wrote:

> On Thu, Jul 29, 2010 at 1:56 PM, MustLive <mustlive [at] websecurity>
> wrote:
> > ...
> > I want to inform readers of the list about new project - Day of bugs in
> > WordPress...
>
> Hewlett Packard has a soul mate! anyone who cares uses Drupal or other
> decent [0] and the wp people keep patching vulns via one-off escapes
> and parameter renaming.
>
> my condolences if diligence deems more than a few hours requisite for
> such audit amusement. ;)
>
>
>
> 0. of course, Real (TM) women/men/earth-human hackers code their own
> python gevent based publishing pipe...


coderman at gmail

Jul 29, 2010, 4:16 PM

Post #4 of 12 (497 views)
Re: Day of bugs in WordPress 2

On Thu, Jul 29, 2010 at 3:05 PM, Christian Sciberras <uuf6429 [at] gmail> wrote:
> ...
> Please! Don't put "Drupal" and "decent" in the same sentence!

when the bar is wordpress, .. well, you get the picture.

(those modules though, most could use regular scrubbing)



fxchip at gmail

Jul 29, 2010, 5:18 PM

Post #5 of 12 (494 views)
Re: Day of bugs in WordPress 2

So if Drupal and WordPress, etc. are so terrible, what would you all recommend?

-Zach

On Jul 29, 2010, at 4:16 PM, coderman <coderman [at] gmail> wrote:

> On Thu, Jul 29, 2010 at 3:05 PM, Christian Sciberras <uuf6429 [at] gmail> wrote:
>> ...
>> Please! Don't put "Drupal" and "decent" in the same sentence!
>
> when the bar is wordpress, .. well, you get the picture.
>
> (those modules though, most could use regular scrubbing)


Valdis.Kletnieks at vt

Jul 29, 2010, 5:47 PM

Post #6 of 12 (485 views)
Re: Day of bugs in WordPress 2

On Thu, 29 Jul 2010 17:18:28 PDT, Zach C said:
> So if Drupal and WordPress, etc. are so terrible, what would you all recommend?

vi or emacs. Take your pick, I'm not starting an editor war. ;)


elazar at hushmail

Jul 29, 2010, 9:13 PM

Post #7 of 12 (481 views)
Re: Day of bugs in WordPress 2

ed or nano? :)

On Thu, 29 Jul 2010 20:47:19 -0400 Valdis.Kletnieks [at] vt wrote:
>On Thu, 29 Jul 2010 17:18:28 PDT, Zach C said:
>> So if Drupal and WordPress, etc. are so terrible, what would you
>all recommend?
>
>vi or emacs. Take your pick, I'm not starting an editor war. ;)


uuf6429 at gmail

Jul 29, 2010, 11:37 PM

Post #8 of 12 (480 views)
Re: Day of bugs in WordPress 2

How does writing your site/project from scratch, (I presume that's what you
mean when you suggest a text editor as a replacement for a CMS), result in
"higher" security?
I agree only a small percentage of the average CMS development care for half
of its security, but if they can't get it right, what makes you think you
can?

Besides, writing bad code with the excuse of an evangelic editor seems to me
like the number one cause of leaving faults (seriously, does anyone believe
that the writers of WP never used or heard about VIM?).

That said, I'm comfortable with a high-level editor, where at the click of a
button, I get full statistics reports on my program's performance, whereas
the conventional asks for a couple of commands in the console.

If you truly want to write something as secure as it can be, forget the
security hype and crap out there and get seriously knowledgeable on a target
language. The use of the editor makes no practical difference - I've been
tasked to fix server code via windows cmd FTP and MS Notepad, big deal.

Cheers.




On Fri, Jul 30, 2010 at 6:13 AM, Elazar Broad <elazar [at] hushmail> wrote:

> ed or nano? :)
>
> On Thu, 29 Jul 2010 20:47:19 -0400 Valdis.Kletnieks [at] vt wrote:
> >On Thu, 29 Jul 2010 17:18:28 PDT, Zach C said:
> >> So if Drupal and WordPress, etc. are so terrible, what would you
> >all recommend?
> >
> >vi or emacs. Take your pick, I'm not starting an editor war. ;)


taser3000 at yahoo

Jul 30, 2010, 12:18 AM

Post #9 of 12 (441 views)
Re: Day of bugs in WordPress 2

Ed is the standard text editor.


On Fri, Jul 30, 2010 at 6:13 AM, Elazar Broad <elazar [at] hushmail> wrote:

>ed or nano? :)
>
>On Thu, 29 Jul 2010 20:47:19 -0400 Valdis.Kletnieks [at] vt wrote:
>>On Thu, 29 Jul 2010 17:18:28 PDT, Zach C said:
>>> So if Drupal and WordPress, etc. are so terrible, what would you
>>all recommend?
>>
>>vi or emacs. Take your pick, I'm not starting an editor war. ;)


Valdis.Kletnieks at vt

Jul 30, 2010, 5:04 AM

Post #10 of 12 (464 views)
Re: Day of bugs in WordPress 2

On Fri, 30 Jul 2010 08:37:25 +0200, Christian Sciberras said:

> How does writing your site/project from scratch, (I presume that's what you
> mean when you suggest a text editor as a replacement for a CMS), result in
> "higher" security?

It may not help security *directly*, but there's several indirect benefits:

1) If the person posting has to know how the damned thing works, they might
actually *notice* when they get pwned and not let it fester for weeks on end.

2) Smaller attack surface - if I'm running *just* an Apache instance without a
lot of complicated mod_* bells and whistles, and using stuff like vi to compose
new pages, that's a lot harder to attack than a site that has some 8 million
line of code monstrosity on the front end.

And there's a side benefit - if it was harder to post, fewer idiots would
figure out how, and people would think twice before posting. So we'd have
percentage wise more well thought out and researched postings and less total
crap to wade through. Admittedly, we'd probably lose a number of blogs that
are worth reading for amusement just for the total Fail quotient. ;)


l0rdch0de1m0rt at gmail

Jul 30, 2010, 9:16 AM

Post #11 of 12 (445 views)
Re: Day of bugs in WordPress 2

Hello. Joomla is a popular secure CMS you can use instead of
WordPress/Drupal. I recommend using an older version since all the new
bells and whistles just slow it down. Much better than vi.

Thanks.

-L0rd Ch0de1m0rt


mustlive at websecurity

Aug 1, 2010, 1:30 PM

Post #12 of 12 (417 views)
Re: Day of bugs in WordPress 2

Hello guys!

I'm glad that I gave you such an occasion for discussion, even though it was
just an announcement :-).

As I already told Canberk (from Full-disclosure), on 30.07.2010 I already
conducted my new project. And if in the first Day of bugs in WordPress I
published 81 vulnerabilities, then in the second project I published 8
vulnerabilities, but all of them are interesting (especially the
more complex holes). Soon I'll publish English descriptions of these
vulnerabilities (one by one, the three advisories which I made in the
project) to the Bugtraq and Full-disclosure mailing lists.

Concerning using text editors in the context of security: as you can
understand, using text editors doesn't directly influence improving security,
and Christian wrote arguments about that. It's one thing to write webapps for
the site from scratch, and another thing to use existing software (and in both
cases webapps can be vulnerable) - e.g. people can use text editors for
editing scripts in WordPress or Drupal. On the other side, if people are using
text editors for developing their sites (even on a CMS), then it requires a
higher level of knowledge from them, so they need to be more advanced web
developers (which as a result leads to improving the security of their sites).

Valdis also wrote good arguments on this topic. So there are indirect
benefits of using text editors (aka the advanced web developing approach),
both concerning security and concerning the quality of content on the Internet.

Summarizing, it's not the use of a text editor itself that leads to improving
security, but the attitude to security. If people attend to the security of
their webapps and web sites (regardless of which plain text editor or WYSIWYG
editor they are using), then it'll lead to improving security.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "coderman" <coderman [at] gmail>
To: "MustLive" <mustlive [at] websecurity>
Cc: <full-disclosure [at] lists>
Sent: Friday, July 30, 2010 1:02 AM
Subject: Re: [Full-disclosure] Day of bugs in WordPress 2


> On Thu, Jul 29, 2010 at 1:56 PM, MustLive <mustlive [at] websecurity>
> wrote:
>> ...
>> I want to inform readers of the list about new project - Day of bugs in
>> WordPress...
>
> Hewlett Packard has a soul mate! anyone who cares uses Drupal or other
> decent [0] and the wp people keep patching vulns via one-off escapes
> and parameter renaming.
>
> my condolences if diligence deems more than a few hours requisite for
> such audit amusement. ;)
>
>
>
> 0. of course, Real (TM) women/men/earth-human hackers code their own
> python gevent based publishing pipe...


