Downloaded 13 times
Uploaded byAnant Shrivastava
Tale of Forgotten Disclosure and Lesson learned
The document discusses a vulnerability found in the Facebook-page-photo-gallery WordPress plugin, which was not patched for over two years despite a pull request being submitted. It highlights the importance of not ignoring pull requests related to security issues and recommends upgrading to version 3.1.6 as a fix. Additionally, it emphasizes the need for developers to proactively monitor dependencies and track third-party libraries for vulnerabilities.
More Related Content
![[Wroclaw #5] OWASP Projects: beyond Top 10](https://cdn.slidesharecdn.com/ss_thumbnails/owaspfinal-170218114136-thumbnail.jpg?width=640&height=640&fit=bounds)
![[Wroclaw #2] Web Application Security Headers](https://cdn.slidesharecdn.com/ss_thumbnails/owaspwebapplicationsecurityheaders1-160429210343-thumbnail.jpg?width=640&height=640&fit=bounds)
![[Wroclaw #7] Why So Serial?](https://cdn.slidesharecdn.com/ss_thumbnails/whysoserialv1-171206133328-thumbnail.jpg?width=640&height=640&fit=bounds)
![[Php Camp]Owasp Php Top5+Csrf](https://cdn.slidesharecdn.com/ss_thumbnails/phpcampowasp-php-top5csrf-1222281675014347-9-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Tale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learned
- 1. TALE OF FORGOTTEN DISCLOSURE BY ANANTSHRIVASTAVA
- 2. ANANT SHRIVASTAVA Information SecurityConsultant Admin - Dev - Security null + OWASP + G4H and @anantshri Co-Author OWASP Testing Guide 4.0 Projects http://anantshri.info
- 3. SCENARIO 1. A vulnerabilitypresent in code (last updated March 2013) 2. Public disclosure in aug 2014. 3. Interestingly someone posted a pull request in Jan 2013 4. Till may 2015 it was not patched even though there was a new release after the pull request was in place.
- 4.
- 5. INVESTIGATION RESULT 1. JavascriptBased DOM-XSS 2. Culprit identified as facebook-page-photo-gallery wordpress plugin. 3. Remove the plugin 4. XSS Fixed; Issue closed 5. End of Story
- 6. EMAIL TO PLUGINSTEAM
- 7.
- 8.
- 9.
- 10. CRUX OF THEISSUE function getHashtag(){ var url = location.href; hashtag = (url.indexOf('#prettyPhoto') !== -1) ? decodeURI(url.substring(url.indexOf('#pretty Photo')+1,url.length)) : false; return hashtag; };
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
- 18.
- 19. RELIEVED LET THE WORLDBE IN PEACE AND LETS GET BACK TO WORK
- 20.
- 21. WHY YOU NOFIX
- 22. WORDPRESS PLUGIN INFO 1.Total 35 Plugins Found Total Plugin Downloads Active Install 2882520 3,37,780
- 23.
- 24. WHAT IS VULNERABLE 1.Any application / website which has jquery.prettyphoto.js 2. Version 3.1.4 and 3.1.5 are confirmed vulnerable older versions not checked.
- 25. WHAT IS AFIX 1. Upgrade to 3.1.6
- 26. ENOUGH OF THEPAST WHAT'S IN IT FOR ME.
- 27. LESSONS TO BELEARNED
- 28. FOR DEVELOPER 1. Neverignore pull requests and security issue bug report. 2. Proactively test software and at-least if a fix is released publicly accept security issue.
- 29. FOR DEVELOPERS /SYSADMIN / DEVOPS 1. never ignore update from shared library 2. Keep an eye on how shared resources are holding up. 3. Monitor your Dependencies
- 30.
- 31.
- 32.
- 33. IS THIS ENOUGH 1.Not yet 2. We still lack method to track it for every third party library. 3. Manual tracking is still required.
- 34. REFERENCES 1. A9 -Using Components with Known Vulnerabilities 2. https://www.owasp.org/index.php/Top_10_2013-A9- Using_Components_with_Known_Vulnerabilities
- 35.