WordPress: List of not-recommended plugins – Part 2

As you surely know, Weblog Tools Collection organized a plugin competition for WordPress, and today, almost a month after the competition ended, they announce the results:

  1. The grand prize winner, first place, of this WordPress Plugin Competition is Anirudh Sanjeev for his plugin OneClick. OneClick is a WordPress plugin and a Firefox extension that allows fast, direct installation of plugins and themes on your blog with a single click. He has received the largest prize: a basic dedicated server for 6 months (valued at more than 1000 dollars) and an 8 GB iPod Nano (valued at 600 dollars), or the equivalent in cash.
  2. The second prize goes to Barry for his plugin MyDashboard. MyDashboard allows quick customization of the WordPress dashboard.
  3. The third prize goes to Keith Dsouza for his plugin WordPress Automatic Upgrade, which allows you to upgrade your WordPress installation automatically from the administration interface.
  4. The consolation prize went to Ozh for his plugin Who Sees Ads. WhoSeesAds is a wonderful and useful module that lets WordPress users determine which ads should be shown at each moment on their blog.

Source

After running some tests on a local WordPress installation and skimming the code of these plugins, I see that none of them takes security into account, so I will make my own list of plugins, ordered by degree of danger (from highest to lowest):

  1. WordPress Automatic Upgrade: Allows any unauthenticated user to:
    • Generate and download the WordPress files (including wp-config.php).
    • Generate and download a backup of the database where the plugin is installed.
    • Activate/deactivate all plugins.
    • Upgrade the WordPress version.
  2. OneClick: Being vulnerable to CSRF, it allows plugins -- or malicious code -- to be downloaded from any URL.
  3. Who Sees Ads: Vulnerable to CSRF and XSS.
  4. MyDashboard: Vulnerable to CSRF and XSS.

If you have these plugins installed (especially the first two), I suggest you deactivate them as soon as possible, because thanks to all the publicity they are receiving, they will surely soon become targets of attacks.

Looking at these examples, I don't understand how some bloggers complain about the number of flaws in the WordPress core code and say nothing about plugins, when the latter often cause even more serious security problems.

28 thoughts on “WordPress: List of not-recommended plugins – Part 2”

  1. Releasing such an announcement is :
    - irresponsible because you didn't even bother contacting plugin authors first
    - unusable because it's in Spanish
    - doubtful because you're not showing any proof of concept

    Overall this is something very lame that will probably be very overlooked. I suggest you read http://www.google.com/search?q=define:FUD&defl=es to learn more.

  2. Huh, sorry, since this is all in Spanish I assumed you had already sent a mail to the developers of the plugins ... I agree with OZH, this is kind of very irresponsible. I think you are doing a good job but this is kind of a scary way to do this.

  3. Sent you an email Alex, I am wondering when you will have the courtesy of informing the plugin authors of the vulnerabilities, your testing platform and your results across browsers as you seem to have been particularly quiet.

  4. Ozh:

    - irresponsible because you didn’t even bother contacting plugin authors first
    - doubtful because you’re not showing any proof of concept

    I don't think the "announcement" is too irresponsible because I only commented on what the problems are, and I'm sure that anyone with a security background doesn't need this kind of post to determine whether those plugins are vulnerable or not.

    The second point sounds a bit contradictory to me.

    - unusable because it’s in Spanish

    It is a Spanish blog for (usually) Spanish readers, so it does not make sense to post in English here.

    Overall this is something very lame that will probably be very overlooked. I suggest you read http://www.google.com/search?q=define:FUD&defl=es to learn more.

    I also suggest you read [1] to protect your plugin from CSRF attacks and use attribute_escape/wp_specialchars to avoid XSS.

    [1] http://markjaquith.wordpress.com/2006/06/02/wordpress-203-nonces/
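The mitigations named in the reply above (nonces against CSRF, attribute_escape/wp_specialchars against XSS) plus a capability check for the unauthenticated-access problem of the first plugin in the list, shown side by side with the weak pattern. This is an added example, not code from any of the plugins discussed; the plugin name, option name and form field are assumed for illustration.

```php
<?php
/*
 * Added example (not from any plugin on this page). A settings form handled
 * in two ways: the weak pattern behind the CSRF/XSS/unauthenticated-access
 * issues listed in the post, and the hardened pattern using WordPress
 * nonces, a capability check and output escaping. Names are assumed.
 */

// WEAK: anyone reaching the URL (or any admin lured to a crafted page that
// auto-submits a form here) changes the option, and the stored value is
// echoed back into an attribute unescaped.
function example_plugin_weak_page() {
    if ( isset( $_POST['example_msg'] ) ) {
        update_option( 'example_msg', $_POST['example_msg'] ); // no auth, no nonce
    }
    $msg = get_option( 'example_msg' );
    echo '<form method="post">';
    echo '<input name="example_msg" value="' . $msg . '" />';   // XSS sink
    echo '<input type="submit" /></form>';
}

// HARDENED: capability check, nonce verification, escaping on output.
function example_plugin_secure_page() {
    // 1. Only users allowed to manage options may reach this handler at all;
    //    this closes the "any unauthenticated user" hole, not just CSRF.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. State-changing request: check_admin_referer() dies unless the
    //    request carries a valid nonce for this action, so a forged
    //    cross-site POST (which cannot know the nonce) is rejected.
    if ( isset( $_POST['example_msg'] ) ) {
        check_admin_referer( 'example_plugin_save' );
        // WordPress adds slashes to request data; store the raw value and
        // escape on output rather than storing escaped HTML.
        update_option( 'example_msg', stripslashes( $_POST['example_msg'] ) );
    }
    // 3. Escape at the point of output: attribute_escape() inside attribute
    //    values, wp_specialchars() in text nodes (esc_attr/esc_html in
    //    later WordPress versions).
    $msg = get_option( 'example_msg' );
    echo '<form method="post">';
    wp_nonce_field( 'example_plugin_save' );   // emits the hidden _wpnonce field
    echo '<input name="example_msg" value="' . attribute_escape( $msg ) . '" />';
    echo '<p>Current value: ' . wp_specialchars( $msg ) . '</p>';
    echo '<input type="submit" /></form>';
}
```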

  5. Any coder on earth knows that before publishing a security warning you first contact authors about the issue, but that just doesn't apply to you I guess. Publish, then "take some time to prepare security reports". How lame.

    Cool for you if you don't think it's irresponsible to generate FUD posting something without even trying to tell plugin authors first, and without even making sure plugin authors will understand a word of your "security notice" (yeah sorry, I don't understand a word of Spanish except cerveza). I personally find this very regrettable and completely irresponsible (not adding completely rude as well)

    As for nonces, thanks, I know them. Using wp_nonce in all my plugins has been something I've meant for long now, but there's no emergency to make it on top of my todo list. Potential XSS are nothing near a critical security threat to me.

    Have fun with such "security notices": about 90% of plugins released don't use nonces (because most of them were released before wp_nonce was implemented) so you can go ahead and publish an infinite list of "OMG INSECURE DONT USE THEM" plugins.

  6. Any coder on earth knows that before publishing a security warning you first contact authors about the issue, but that just doesn’t apply to you I guess. Publish, then “take some time to prepare security reports”. How lame.

    I'm aware of disclosure policies, but in this post I haven't disclosed any vulnerability details -- as you yourself pointed out in your previous comment.

    Cool for you if you don’t think it’s irresponsible to generate FUD posting something without even trying to tell plugin authors first, and without even making sure plugin authors will understand a word of your “security notice” (yeah sorry, I don’t understand a word of Spanish except cerveza). I personally find this very regrettable and completely irresponsible (not adding completely rude as well).

    I sincerely don't get your point, nor do I think this post is a "security notice". Why on earth would it be irresponsible to say plugin X has bugs that could allow Y? If I had posted exploits then you would definitely be right.

    As for nonces, thanks, I know them. Using wp_nonce in all my plugins has been something I’ve meant for long now, but there’s no emergency to make it on top of my todo list. Potential XSS are nothing near a critical security threat to me.

    Cool for you if you don't consider XSS/CSRF an issue and are too lazy to implement a few lines of code to make your plugins XSS/CSRF safe.

    Have fun with such “security notices”: about 90% of plugins released don't use nonces (because most of them were released before wp_nonce was implemented) so you can go ahead and publish an infinite list of “OMG INSECURE DONT USE THEM” plugins.

    Sure, but I see many like you blaming me, so it won't be as funny as you say.

    PS. I'm sorry for my bad English.

  7. The problem, Alex, is that you did not write about, as you say, "a bug X that could allow Y". Like, "a bug that could allow a logged-in user to be tricked into posting stuff in their own blog admin from a malicious third-party site". Instead of that, you're telling your readers "XSS vulnerability, you could be hacked, don't install" (more or less, I can't understand Spanish). That's exactly the point of my 1st comment: FUD. Spread some fear, but don't mind any explanations. XSS is a potential security breach, it's true. Yet it's minor. A lot different from "seguramente pronto van a ser blanco de ataques" as far as I understand.

    My last word, because you just seem not to understand: 4 plugins here, 4 coders, and 4 people upset & disappointed that you didn't contact them first. Maybe your attitude has something wrong? Yes, you didn't publish any exploit, does that make you anything near wise or respectable? Seems not.

    (don't bother replying to me, I'm not checking back here)

  8. Just in case you come back :) : I didn't elaborate on 4 and 5 because they were less critical compared to the others and -- as some of my few blog readers can confirm -- I have explained many times how XSS and CSRF vulnerabilities are exploited. OTOH, my recommendation was mainly for the first two plugins.

  9. Pingback: meneame.net
  10. Pingback: SigT
  11. Well, I'm going to stick my "spoon" in (i.e. comment) on this topic. I don't intend to speak in Spanish because we are on a Spanish-speaking site, and it would have been better if the dispute had stayed in e-mail and not in the comments...

    First, I have to PARTIALLY agree with Ozh and the other developers of the plugins mentioned: it was very irresponsible on your part, Alex, not to have contacted them before speaking, and the title of the post is very inappropriate...
    Why?:
    Contacting the developers is the normal way to proceed with a security finding. OK, you didn't give any details and the post doesn't even look like a proper "advisory", but you did at least make more than one person turn to look at them. I haven't seen those plugins -because none of them catches my attention- but if I go looking I'm sure I'll find the vulnerabilities you're talking about as well as a way to exploit them. Now, the title is extremely inappropriate, and that is where most of Ozh's annoyance comes from, since you not only point out a flaw but also don't recommend them, making many people spread the word so that in the end nobody uses those plugins out of fear.

    Second, as I said, I only partially agree with Ozh, and as for Ozh I don't know what he is complaining about if he quickly made a small version in which he makes his plugin "foolproof", and if, as Alex says, it is one of those you could get the least out of; besides, another thing is that his behaviour looks like that of a child under 17 who feels offended because he was practically told "you code terribly"...

    I hope not to cause controversy and not to get flamed for sticking my "spoon" where I shouldn't :P

    Regards

  12. It's embarrassing. What good is it if WP's code is secure if the plugins don't also extend that security? Good job.

  13. g30rg3_x, I already expressed my point of view on this and I don't think it's necessary to keep going around in circles about it... :)

    Regards

  14. "He who feels stung has eaten garlic", as they still say around here. The English must have a similar saying but I don't know it. Sorry. I'm with you, Alex. Maybe not one hundred percent (in this case) but, certainly, I'm with you far more than with our offended English friend who has promised not to come back here. Good bye Lenin!
