New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handle falsley claimed security issues on patchstack #237
Comments
@heiglandreas Is this the same as https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/authldap/authldap-258-cross-site-request-forgery ? Per the description "This is due to missing or incorrect nonce validation on the authLdap_options_panel() function" |
Yeah. Looks like it's the same. At least a bit more information is provided there as to what someone thinks the issue is... Thanks for pointing that out |
And as the funktion is only handled via the WordPress internal functions for settings ( So there is no need to do those checks on the plugin level again... If that general check is not done, I would consider that a general issue in WordPress and not in every single plugin that is out there... |
hello there , Do you still need further explanation about this CVE? I have
sent a POC video to Patchstack. whether the proof of concept is not up to
you
…On Wed, 6 Sep 2023 at 15.21 Andreas Heigl ***@***.***> wrote:
And as the funktion is only handled via the WordPress internal functions
for settings (add_optios_page or add_submenu_page) that access level
checking is already done before that code is reached.
So there is no need to do those checks on the plugin level again...
If that general check is not done, I would consider that a general issue
in WordPress and not in every single plugin that is out there...
—
Reply to this email directly, view it on GitHub
<#237 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AKDLZY4BZFQIPFCPHWGEBM3XZAXBHANCNFSM6AAAAAA4KEQ3FY>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Well. Some explanation or information at all before going public would be nice in the first place. One of the issues you have raised (CVE-2023-41655) is not an issue at all as you have disclosed to WordFence:
Someone that is authenticated and has administrator level access is an Administrator. Whether that person has ill intentions is not up to code to check. Regarding (CVE-2023-41654) it is fine that you sent a video of a proof of concept to someone else before disclosing this with the maintainers of the affected software. This is not a sensible disclosure at all. Would I not assume best intent this would look very much like publishing a 0-day exploit with malicious intentions. I would advise you to open a security advisory here on this repository for each of those issues that you supposedly have found, so that we can discuss the impact and how to handle them. Feel free to also link the video of your PoC there so that I can analyze what is happening and how to mitigate that. Thank you |
patchstack staff said they already sent you a message maybe you check on
wordpress slack messenger. already sent on February 9th
…On Thu, 7 Sep 2023 at 13.55 Andreas Heigl ***@***.***> wrote:
Well. Some explanation or information at all before going public would be
nice in the first place.
One of the issues you have raised (CVE-2023-41655
<https://www.cve.org/CVERecord?id=CVE-2023-41655>) is not an issue at all
as you have disclosed to WordFence
<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/authldap/authldap-258-authenticated-administrator-stored-cross-site-scripting>
:
This makes it possible for authenticated attackers, with
administrator-level access and above, to inject arbitrary web scripts in
pages that will execute whenever a user accesses an injected page.
Someone that is authenticated and has administrator level access is an
Administrator. Whether that person has ill intentions is not up to code to
check.
Regarding (CVE-2023-41654
<https://www.cve.org/CVERecord?id=CVE-2023-41654>) it is fine that you
sent a video of a proof of concept to someone else before disclosing this
with the maintainers of the affected software. This is not a sensible
disclosure at all.
Would I not assume best intent this would look very much like publishing a
0-day exploit with malicious intentions.
I would advise you to open a security advisory here on this repository for
each of those issues that you supposedly have found, so that we can discuss
the impact and how to handle them. Feel free to also link the video of your
PoC there so that I can analyze what is happening and how to mitigate that.
Thank you
—
Reply to this email directly, view it on GitHub
<#237 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AKDLZYZXULDPLCZELNFARCDXZFVUTANCNFSM6AAAAAA4KEQ3FY>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
CVE-2023-41654 has been adressed. Thanks @riodrwn for mentioning that! CVE-2023-41655 still is not an issue in my opinion as that allows someone that can manage who can log into the WordPress site to also break the interface to edit those options. The first part is much more of an issue there. |
Just wanted to check in on this. It looks like the nonce was added (#240) which should clear the CSRF reported in Patchstack & Wordfence. https://github.com/heiglandreas/authLdap/blob/2.6.0/authLdap.php#L71-L82. For the XSS one... Patchstack believes this exists still in the current 2.6.0 release. https://patchstack.com/database/vulnerability/authldap/wordpress-authldap-plugin-2-5-8-cross-site-scripting-xss-vulnerability?_s_id=cve -- "WordPress authLdap Plugin <= 2.6.0 is vulnerable to Cross Site Scripting (XSS)". Is there any update on this one in particular... is this a legitimate vulnerability or not? It seems the author feels this isn't legitimate and is more of a WordPress issue than a plugin issue, so wanted to make sure I understood correctly. I came across this with a manual scan by Wordfence today. |
The XSS is only relevant in very special circumstances in multisite installations where site-admins are allowed to edit LDAP settings and by doing so might inject code that can then be executed with increased privileges when a super-admin also has access to those same settings. By doing so the site-admin will also break the authentication as the XSS code will cause the ldap features to break. Circumventing this is almost impossible as the informarion entered is required to be kept as entered to allow propper usage in normal proceeding so encoding isn't possible as it would break the intended behaviour. As that is not relevant in the usual cases (in default setups there is no super-admin and in multi-sites usualy only the super-admin has access to the ldap config) I have so far not invested time into fixing an esoteric edge case that some "security researcher" thinks is relevant when solving it most probably will break a valid use-case. |
Today I was informed by the plugin team that the plugin has been "temporarily withdrawn from the Plugin Directory due to a security bug".
|
The video doesn't show anything new. When someone is able to enter XSS sruff in the configuration, they can do far worse things. And the only place where the XSS is executed is the administration interface that can only be accessed with administrative (resp. Super-Admin in case of a multisite install) rights. An XSS is the least of your problems in case an attacker has access to that interface. Yes! There is a possibility to inject JavaScript! I'm not denying it. But the impact is completely irrelevant. This JS-injection is not a security issue. It can not he used for privilege escalation as one already has the highest privilege available to be able to add the JS-injection. |
@heiglandreas right, I agree that once you are already in admin, the whole test is a bit moot :-) After all, one can do whatever. It does highlight though that somewhere data (the input) is treated as code. Is this because of a missing escape of data somewhere? What makes the 'alert' entered in the input fields get executed? As simple input validation, maybe we should check that there are no double quotes and back slash in input. Then, we just make sure we quote all the data values. |
The data is put back into the input fields. With carefully crafted information one can prematurely end the input field and the rest is then added as HTML. My main problem is that the input fields contain information that needs to be passed into LDAP- And that can have these weird informations. (They will then be properly escaped). So I need people to be able to enter them in the fields. And so far I was not able to always retrieve the data unescaped from the fields after adding them escaped... It's a dilemma of having to handle non-HTML values in a HTML way with broken browsers. And as mentioned at other places:
|
But without fixing it, doesn’t this mean your plugin won’t ever be able to be back in the Wordpress.org plugin repository? Not a biggie I guess since we can still pull from GitHub, but a lot less exposure in that case to new users. |
Yeah. That might happen. The trouble is that there is nothing to "fix". As there is nothing "broken". |
I received a message from the WordPress plugin-team:
|
And my answer to them:
|
I have just (again) tried using the WordPress preferred way to escape HTML-Attributes like A And when you store that again it becomes And after a further storage it becomes ... and so on. So the value that I require is modified in a way that I do not want. So now I have to apply code that reverses this. and removes backslashes. Which is not something I want to do as that backslash might actually be required in the LDAP-context that these values are used in and entered for. |
After some more consideration I decided that escaping single and double quotes and backslashes is fine. They should not appear unencoded in any of the provided configuration settings. In Passwords they need to be URL-encoded anyhow, when used via an env-variable the escaping is irrelevant. and in all other cases quotes and backslashes should not be needed. So while it escalates in the amount of backslashes, it seems to be a valid way of removing the possibility to inject JS. This might break BC in some edge-cases though. Please get into contact in those cases and we will find a solution ASAP. |
This should eliminate the risk of injecting JS into form field values. Adding backslashes or quotes in any of the fields will result in a backslash-escaped value. SHould these values be stored more than once the amount of backslashes will exponentially grow. This is a sideeffect of these values not being expected in the fields in the first place. This should also fix CVE-2023-41655 as now injecting JS will no longer result in that being executed in the UI. For more discussion around this CVE see #237
@riodrwn of @zerobyte-id has reported 2 issues on patchstack. One XSS issue and one CSRF issue.
Both issues contain no information about what was actually found.
Also both issues contain the information that the issue was reported to the plugin developer - sadly neither here in the github issue-tracker nor in the plugins Support-channel was either of the issues reported.
The linked CVEs CVE-2023-41655 and CVE-2023-41654 have so far only been reserved and contain no further information.
Currently we do not have any information about those "security issues" what so ever. As the plugin works purely in the background and does not display any customer provided information during the login process it is highly unlikely that the claims are actually valid - nevertheless will we do our best to get hold of the report, analyze it and mitigate any possible issues.
The text was updated successfully, but these errors were encountered: