04 Nov

You Now Decide What Plugins We Will Be Doing Security Reviews Of

As part of the work we have been doing for the service we have been steadily increasing our ability to spot security vulnerabilities and lesser security issues in plugins. That is due to a variety of different activity that we do, from our reviewing reports of vulnerabilities discovered by others, when adding them to our data, to finding vulnerabilities that hackers would target in plugin that we see hackers are probing for usage of. In the past we have used some of the knowledge we have gained through that to check for specific issues vulnerabilities in wider sets of plugins and found a number of vulnerabilities. That knowledge could also be used to more thoroughly review a single plugin and check it for a number of security issues, which is something we have decided to start doing.

In doing that though the question is what plugins should we review and what we came up with was allowing our customers to decide that. This provides additional value to service, beyond letting you know what vulnerabilities exist and previously existed in the plugins you use (as well as helping you to best handle it if a vulnerability in the plugin you use hasn’t been fixed). To accomplish that we have set up a new page where customers can suggest plugins to be reviewed and they can vote in favor of plugins already suggested by others.

The process is pretty simple, log in to your account and then visit the voting page. From there you can submit any plugin currently in the Plugin Directory:

plugin-vulnerabilities-submit-wordpress-plugin-for-security-review

For plugins that others have already submitted you get a brief listing of their details and if you want that plugin reviewed, you can add your vote for that to happen:

plugin-vulnerabilities-vote-for-wordpress-plugin-for-security-review

(If you are wondering what we use to power that, it is the Idea Factory plugin, with a significant amount of fixes (due to support for being lacking at this time) and customizations.)

We are currently planning to do a review of a plugin with the highest vote count every two weeks (based on the time commitment and interest we may increase the number of reviews going forward).

What is Included in the Review?

We are referring to the reviews that we do as basic reviews, as it isn’t a line by line review of the plugin and we are not guaranteeing that the plugin is completely secure after the review. But that doesn’t mean that the review can’t find big issues. One of the items we are going to be looking for is security issues with file upload capabilities, which in some cases can lead to arbitrary file upload vulnerability. That type of vulnerability allows an attacker to upload any type of file to a website, which is frequently exploited by hackers to upload .php files that gives the hacker nearly complete access to the website.

Even in cases we don’t find major security issues, security improvements that we identify, if implemented by the developer could prevent a future security vulnerability. To give you one example of where this could have made a big difference, earlier this week a vulnerability was discovered being exploited in a plugin (the plugin is in the process of being fixed so we won’t mention its name here). In addition to a more obscure security issue that lead to this, it was situation where a recently added function that should have only accessible to Administrator level users was accessible to anyone logged in or logged out, and allowed a hacker to gain full access to the website. While that function was recently added, numerous other function had the same problem, with one of the others allowing any file on the website to be deleted. Once we notified the developer of that larger issue they quickly restricted access. As our basic review would have identified the lack of proper restrictions, it could have prevented the more serious vulnerability from being exploited by anyone other than an Administrator level user (who would normally already have the ability to do the equivalent of what the vulnerability permitted).

Here is the full list of items we are checking for at this time:

  • Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
  • Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
  • Persistent cross-site scripting (XSS) vulnerabilities in publicly accessible portions of the plugin
  • Cross-site request forgery (CSRF) vulnerabilities in the admin portion of plugins
  • SQL injection vulnerabilities (the code that handles requests to the database)
  • Reflected cross-site scripting (XSS) vulnerabilities
  • Lack of protection against unintended direct access of PHP files

We also have some additional items that we will be taken a look to see if it would make sense to check during the reviews.

If you have question or comments about this new feature feel to get touch with us or leave a comment on this post.

Leave a Reply

Your email address will not be published. Required fields are marked *