Tale of Forgotten Disclosure and Lesson learned
0 likes13,521 views
The document discusses a vulnerability found in the Facebook-page-photo-gallery WordPress plugin, which was not patched for over two years despite a pull request being submitted. It highlights the importance of not ignoring pull requests related to security issues and recommends upgrading to version 3.1.6 as a fix. Additionally, it emphasizes the need for developers to proactively monitor dependencies and track third-party libraries for vulnerabilities.
Tale of Forgotten Disclosure and Lesson learned
- 1. TALE OF FORGOTTEN DISCLOSURE BY ANANT SHRIVASTAVA
- 2. ANANT SHRIVASTAVA Information Security Consultant Admin - Dev - Security null + OWASP + G4H and @anantshri Co-Author OWASP Testing Guide 4.0 Projects http://anantshri.info
- 3. SCENARIO 1. A vulnerability present in code (last updated March 2013) 2. Public disclosure in aug 2014. 3. Interestingly someone posted a pull request in Jan 2013 4. Till may 2015 it was not patched even though there was a new release after the pull request was in place.
- 5. INVESTIGATION RESULT 1. Javascript Based DOM-XSS 2. Culprit identified as facebook-page-photo-gallery wordpress plugin. 3. Remove the plugin 4. XSS Fixed; Issue closed 5. End of Story
- 6. EMAIL TO PLUGINS TEAM
- 7. RESPONSE FROM PLUGIN TEAM
- 9. REPOSITORY
- 10. CRUX OF THE ISSUE function getHashtag(){ var url = location.href; hashtag = (url.indexOf('#prettyPhoto') !== -1) ? decodeURI(url.substring(url.indexOf('#pretty Photo')+1,url.length)) : false; return hashtag; };
- 11. GOOGLE AHOY
- 12. INTERESTING FACT
- 14. SPREAD THE WORD
- 15. SPREAD THE WORD
- 16. SPREAD THE WORD
- 18. SOME ACTION
- 19. RELIEVED LET THE WORLD BE IN PEACE AND LETS GET BACK TO WORK
- 20. AFTER 7 DAYS
- 21. WHY YOU NO FIX
- 22. WORDPRESS PLUGIN INFO 1. Total 35 Plugins Found Total Plugin Downloads Active Install 2882520 3,37,780
- 23. NERDY DATA
- 24. WHAT IS VULNERABLE 1. Any application / website which has jquery.prettyphoto.js 2. Version 3.1.4 and 3.1.5 are confirmed vulnerable older versions not checked.
- 25. WHAT IS A FIX 1. Upgrade to 3.1.6
- 26. ENOUGH OF THE PAST WHAT'S IN IT FOR ME.
- 27. LESSONS TO BE LEARNED
- 28. FOR DEVELOPER 1. Never ignore pull requests and security issue bug report. 2. Proactively test software and at-least if a fix is released publicly accept security issue.
- 29. FOR DEVELOPERS / SYSADMIN / DEVOPS 1. never ignore update from shared library 2. Keep an eye on how shared resources are holding up. 3. Monitor your Dependencies
- 30. HOW
- 31. HOW
- 32. HOW
- 33. IS THIS ENOUGH 1. Not yet 2. We still lack method to track it for every third party library. 3. Manual tracking is still required.
- 34. REFERENCES 1. A9 - Using Components with Known Vulnerabilities 2. https://www.owasp.org/index.php/Top_10_2013-A9- Using_Components_with_Known_Vulnerabilities
- 35. THANKS