29 Jul 2016

False Vulnerability Report: Reflected XSS Vulnerability in WP-Polls 2.73

As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.

If you are going to promote your “web application security scanner” as being “False positive free” as Netsparker does, it would probably be a good idea not to release advisories for vulnerabilities that don’t actually exist, using data from that tool. But that is what Netsparker did with several recent advisories for WordPress plugins, including a claim of a reflected cross-site scripting (XSS) vulnerability in WP-Polls. [Read more]

28 Jul 2016

False Vulnerability Report: Stored XSS in XCloner

As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.

One of the problems in determining if a report of a vulnerability in a plugin is real or not is that sometimes a developer will make changes to the plugin based on a report even if there is not a vulnerability. In one past case that involved this, the developer added duplicative sanitization to a plugin. In the case of a report of a stored XSS (or what we refer to as a persistent cross-site scripting (XSS)) vulnerability in the plugin XCloner, the developer added sanitization code that isn’t duplicative, but doesn’t fix a security vulnerability. [Read more]

12 Jul 2016

False Vulnerability Report: WP-DownloadManager Arbitrary File Upload Vulnerability

As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.

One thing we frequently see coming up with false reports of vulnerabilities is people not understanding that certain activities are not always a vulnerability. One serious type of vulnerability is an arbitrary file upload vulnerability, which allows someone to upload any file. That could be used to upload a .php file with malicious code and then do basically anything with the website. In WordPress an Administrator-level user would normally have the equivalent capability, since they can upload new plugins and themes, so it wouldn’t be a vulnerability for a plugin to allow them to do the same. [Read more]

23 May 2016

False Vulnerability Report: CKEditor 4.0 Arbitrary File Upload Exploit

As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.

We have recently had requests for a file in the plugin CKEditor for WordPress on one of our websites as part of a series of requests that seem to be looking for use of plugins, likely to then try to exploit them. We couldn’t find any valid reports of vulnerabilities in this plugin, but we did find one false report of a vulnerability that clearly has continued to confuse some people into believing it was real long after its release. [Read more]

19 Apr 2016

False Vulnerability Report: jQuery Html5 File Upload Vulnerability

As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.

Recently a report claiming there was a vulnerability that allowed the uploading of .php files through the jQuery Html5 File Upload plugin was released. The validity of this report seemed suspect based on the proof of concept provided: [Read more]

12 Apr 2016

When A False Vulnerability Report Leads To a Real Security Vulnerability

Today a report claiming that there was a remote code execution vulnerability in version 2.0.14 of the Robo Gallery plugin was released. With such a serious vulnerability, and one that was claimed to be in the most recent version of the plugin, we quickly started checking on the report to include the vulnerability in our service’s data. What we quickly noticed was that the claimed vulnerability didn’t actually exist, but that a less serious vulnerability in code mentioned in the false report does exist in the plugin. We have notified the developer that their apparent attempt to fix that vulnerability in the subsequently released version 2.0.15 was not successful. All of this highlights the importance of the kind of testing we do before adding vulnerabilities to our service’s data (and highlights the limited value of other services that don’t do that testing).

The threat of the claimed vulnerability is described as [Read more]

17 Feb 2016

False Vulnerability Report: Beaver Builder Lite Security Issue

As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.

Unlike the last few false reports of vulnerabilities we discussed, this vulnerability would appear to exist, but just not in one of the pieces of software it was claimed to be in. A privilege escalation vulnerability was claimed to exist in Beaver Builder Lite and Pro versions prior to 1.7.1. [Read more]

10 Feb 2016

False Vulnerability Report: eShop Reflected XSS Vulnerability

As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.

Last week a reflected cross-site scripting (XSS) vulnerability was claimed to be in the eShop plugin. In a sign that the claimed vulnerability was not properly reviewed before the report was published, the Exploit Code section of the report simply contains a vulnerability identifier instead of actual exploit code. If the discoverer had tried to create exploit code for the vulnerability they thought existed, they would have seen that it didn’t actually exist. [Read more]

5 Jan 2016

False Vulnerability Report: FormCraft – Form Builder File Upload Vulnerability

As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.

On Saturday a report of a file upload vulnerability in the FormCraft – Form Builder plugin was added to milw00rm. Right off the bat something looked wrong with this report, as the URL for the plugin is https://wordpress.org/plugins/formcraft-form-builder/, but the path listed for the exploit would be for a plugin named “formcraft” instead of “formcraft-form-builder”: [Read more]