1 Jun 2017

DefenseCode and WPScan Vulnerability Database Falsely Label Unfixed Vulnerability as Being Fixed

A little over a month ago we put out a warning to be wary of advisories from the company DefenseCode after our interaction with them regarding an issue with one of their advisories. In that instance their report claimed that they had contacted the developer of a plugin about a vulnerability, yet that vulnerability had been fixed in the plugin before the date they claim to have first contacted the developer about it, which was odd. There was also this odd line:

Vendor did not respond to our repeated attempts to send this advisory. All users are strongly advised to update WordPress AccessPress Social Icons plugin to the latest available version. [Read more]

5 May 2017

Be Aware That the Claimed Impact of Vulnerabilities is Not Always Accurate in Vulnerability Reports

When it comes to the many problems with the security industry, one that we see very often in our work for this service is the overstating of the impact of vulnerabilities and the claiming that issues that are probably not vulnerabilities are in fact ones.

The latest example of this we have come across is from DefenseCode, a company whose advisories we warned to be wary of last week. Earlier this week they put out a report (PDF) of a claimed SQL injection vulnerability in the plugin Photo Gallery. The problems with it are that they are claiming an issue that we wouldn’t consider to be a vulnerability as being one, and that they appear to have overstated the potential impact, if it truly were one. [Read more]

25 Apr 2017

Be Wary of DefenseCode’s Advisories

In contacting developers about vulnerabilities in their WordPress plugins, whether they are ones we discovered or ones discovered by others where the discoverer didn’t contact the developer, we have fairly regularly had responses that we must be wrong about there being a vulnerability in the plugin. We have found that a bit odd: why would someone take the time to notify someone of a vulnerability that doesn’t exist? But as we have had more interactions with companies and individuals putting out reports of vulnerabilities that we have identified problems with, it has become clear that others are not always as careful as we are (we have also found that they are just as assured that the issues we raise about their reports must be wrong, so both sides have something in common at least).

The latest example involves a company named DefenseCode, which we previously mentioned as we had both independently discovered a number of vulnerabilities in plugins by BestWebSoft. They also put out a report of a vulnerability in Magento recently that received a fair amount of coverage, despite the fact that the report could charitably be described as misleading (as part of the claimed issue didn’t exist unless you intentionally disabled Magento’s protection against it). [Read more]