So this is an interesting announcement due to the discussion points it brings up about responsible disclosure, it seems like in this case a researcher published his findings about a WordPress critical zero-day vulnerability without informing WordPress before hand.
And they got it fixed REAL quickly, where as in a previous (pretty similar) case – they took 14 months to fix it, leaving their users at risk for that period.
WordPress 4.2.1 was released on Monday to address a critical zero-day vulnerability disclosed on Sunday by Finnish researcher Jouko Pynnönen of Klikki Oy. The expert published the details of the security bug without notifying WordPress because he was displeased with the way developers handled his recent vulnerability reports.
The stored cross-site scripting (XSS) vulnerability disclosed by Pynnonen is similar to a flaw discovered by Belgian researcher Cedric Van Bockhaven, which WordPress fixed last week with the release of version 4.1.2, more than a year after it was reported. The bug, which affects WordPress 4.2 and earlier, can be exploited by an unauthenticated attacker to execute arbitrary code via very long comments that get truncated when they’re saved into the database.
“The attacker is sending fragments of HTML code to the server that contains JavaScript in it. WordPress tries to verify the content, but misses the embedded script. This specific exploit is because the attacker sends very long content – over 64Kb, which is truncated in the database,” Jeff Williams, CTO of Contrast Security, explained via email. “[When] WordPress sends that data back to the browser as part of a webpage, the script executes.”
“That would be enough for an interesting attack, but this particular exploit goes further. When the attack is executed on an administrator, it uses the administrative privilege to install plugins and execute content directly on the server. Most XSS problems are not exploitable in a way that allows a complete remote host takeover,” Williams added.
This is a pretty clever bug, and pretty dangerous too as when a comment is viewed by someone logged in as admin – the site can basically be hijacked totally.
For an XSS attack – this is pretty serious.
The comment truncation flaw reported by Van Bockhaven was addressed by WordPress only after 14 months. However, Pynnonen’s approach forced the WordPress team to release a patch within hours.
Before the fix was released, website owners running a self-hosted version of WordPress were advised to install the Askimet anti-spam plugin in order to protect themselves against potential attacks.
Pynnonen said he decided not to notify WordPress before making the vulnerability public because a different stored XSS flaw that he reported in November is still unpatched. His attempts to obtain information from WordPress on the status of a patch were unsuccessful, even after he tried contacting developers via HackerOne and CERT Finland (CERT-FI).
Furthermore, WordPress last year promised the researcher a minimum bounty of $2,000 for responsibly disclosing a critical bug affecting WordPress versions prior to 4.0, but they only awarded him $100.
“I don’t think it’s my job to spend months begging for the security team to communicate with me about security vulnerabilities. It’s their job and responsibility to communicate with researchers who try to help them and their customers. And if they ‘pro-actively’ and spontaneously offer me a bug bounty, I think it would be appropriate for them to keep their word,” Pynnonen told SecurityWeek. “I’m sure many people think the disclosure was irresponsible. But instead of months or years, the fix was produced in a few hours. During this time users were aware of the threat and could take precautions.”
Williams believes WordPress is to blame for incidents like this one.
Their Bug Bounty payouts seem pretty lame too, which doesn’t really encourage researchers and vulnerability developers to follow the path of responsible disclosure.
Compound that with their tardy reaction to serious bugs, and you get frustrated bug-hunters – like Jouko Pynnönen in this case.
Source: SecurityWeek