Contact to report security vulnerabilities #128

Closed
PluginVulnerabilities opened this Issue Oct 6, 2017 · 2 comments


PluginVulnerabilities commented Oct 6, 2017

We haven't been able to find an email address or some other way we can privately report a couple of security vulnerabilities we found in this plugin. Is there something like that available or should we just submit those here?


Owner

mibuthu commented Oct 6, 2017

Yes, you can place it here.


PluginVulnerabilities commented Oct 6, 2017

During our monitoring of changes made to WordPress plugins we found a PHP object injection vulnerability and a related cross-site request forgery (CSRF) vulnerability in the plugin.

In the file /admin/includes/admin-import.php the function import_events() passes the value of the POST input "reviewed_events" through the unserialize() function:

```php
$reviewed_events = unserialize(stripslashes($_POST['reviewed_events']));
```

An attacker can abuse that to cause PHP object injection to occur, https://www.owasp.org/index.php/PHP_Object_Injection

Using JSON encoding and decoding is one alternative method to accomplish the same thing while avoiding this type of vulnerability.

When doing an import in the plugin there is no protection against cross-site request forgery (CSRF). You can find information on preventing cross-site request forgery (CSRF) in WordPress plugins at http://codex.wordpress.org/WordPress_Nonces.
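The two fixes the report asks for, JSON instead of PHP serialization and a WordPress nonce on the import form, as an added example. This is not the plugin's code and not code from the reporter; the function names, the nonce action and field names, the `manage_options` capability and the event field names are all assumptions chosen for illustration.

```php
<?php
// Added illustrative example (not the plugin's own code): the reported pattern
// beside a hardened import handler. All names below are assumptions.

// One place for the nonce action/field names so the form and handler agree (assumed).
const EL_IMPORT_NONCE_ACTION = 'el_import_events';
const EL_IMPORT_NONCE_FIELD  = 'el_import_nonce';

/**
 * Form side: carry the reviewed events as JSON in a hidden field and emit the
 * nonce. wp_json_encode() + esc_attr() keep the markup safe; wp_nonce_field()
 * adds the nonce and _wp_http_referer inputs that the handler verifies.
 */
function el_import_form_fields( array $events ) {
    echo '<input type="hidden" name="reviewed_events" value="'
        . esc_attr( wp_json_encode( $events ) ) . '">';
    wp_nonce_field( EL_IMPORT_NONCE_ACTION, EL_IMPORT_NONCE_FIELD );
}

/**
 * Vulnerable pattern as reported: attacker-controlled POST data reaches
 * unserialize(), so a crafted payload can instantiate arbitrary classes and
 * trigger their magic methods (PHP object injection). Nothing checks a nonce.
 */
function el_import_events_vulnerable() {
    return unserialize( stripslashes( $_POST['reviewed_events'] ) );
}

/**
 * Hardened replacement:
 *  1. capability check so only privileged users can import (capability assumed),
 *  2. nonce check (check_admin_referer() dies on failure) against CSRF,
 *  3. JSON instead of PHP serialization, decoded to plain arrays, never objects,
 *  4. an explicit allow-list of fields that may come back from the review step.
 * Returns the cleaned rows, or a WP_Error on a malformed request.
 */
function el_import_events_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( EL_IMPORT_NONCE_ACTION, EL_IMPORT_NONCE_FIELD );

    if ( ! isset( $_POST['reviewed_events'] ) || ! is_string( $_POST['reviewed_events'] ) ) {
        return new WP_Error( 'el_import_missing', 'No events submitted.' );
    }

    // wp_unslash() undoes WordPress' added slashes (what stripslashes() did above);
    // json_decode(..., true) produces arrays only, so no __wakeup()/__destruct() can run.
    $events = json_decode( wp_unslash( $_POST['reviewed_events'] ), true, 8 );
    if ( ! is_array( $events ) ) {
        return new WP_Error( 'el_import_invalid', 'Events payload is not valid JSON.' );
    }

    $allowed = array( 'title', 'start_date', 'end_date', 'location', 'details' ); // assumed fields
    $clean   = array();
    foreach ( $events as $event ) {
        if ( ! is_array( $event ) ) {
            continue;
        }
        $row = array();
        foreach ( $allowed as $key ) {
            if ( isset( $event[ $key ] ) && is_scalar( $event[ $key ] ) ) {
                $row[ $key ] = sanitize_text_field( (string) $event[ $key ] );
            }
        }
        if ( ! empty( $row['title'] ) ) {
            $clean[] = $row;
        }
    }
    return $clean;
}
```

If switching the wire format is not possible in a point release, PHP 7.0 and later also accept `unserialize( $data, array( 'allowed_classes' => false ) )`, which turns any serialized object into `__PHP_Incomplete_Class` instead of instantiating it; that closes the object-injection path but does nothing for the missing CSRF check, so the nonce still belongs in the form and the handler.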

@mibuthu mibuthu self-assigned this Oct 7, 2017

@mibuthu mibuthu added the bug label Oct 7, 2017

@mibuthu mibuthu modified the milestones: Version 0.8.0, Version 0.7.11 Oct 7, 2017

@mibuthu mibuthu closed this Oct 8, 2017
