TALE OF FORGOTTEN DISCLOSURE BY ANANT SHRIVASTAVA

ANANT SHRIVASTAVA
Information Security Consultant
Admin - Dev - Security
null + OWASP + G4H
http://anantshri.info and @anantshri
Co-Author, OWASP Testing Guide 4.0
Projects

SCENARIO
1. A vulnerability present in code (last updated March 2013).
2. Public disclosure in August 2014.
3. Interestingly, someone had posted a pull request in January 2013.
4. Till May 2015 it was not patched, even though there was a new release after the pull request was in place.

INFORMATION RECEIVED

INVESTIGATION RESULT
1. JavaScript-based DOM-XSS.
2. Culprit identified as the facebook-page-photo-gallery WordPress plugin.
3. Remove the plugin.
4. XSS fixed; issue closed.
5. End of story.

EMAIL TO PLUGINS TEAM

RESPONSE FROM PLUGIN TEAM

MEANWHILE DISCOVERY REQUIRES EXPERIMENTATION

REPOSITORY

CRUX OF THE ISSUE

    // getHashtag() as shipped in the vulnerable prettyPhoto versions: the fragment of
    // location.href is percent-decoded and returned untouched, so whatever an attacker
    // places after '#prettyPhoto' in a link reaches the rest of the plugin as trusted data.
    // Note also that 'hashtag' is assigned without 'var', i.e. it leaks as a global.
    function getHashtag(){
        var url = location.href;
        hashtag = (url.indexOf('#prettyPhoto') !== -1) ? decodeURI(url.substring(url.indexOf('#prettyPhoto')+1,url.length)) : false;
        return hashtag;
    };
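Added example (not code from the slides or from prettyPhoto): the same fragment handling rewritten to take the URL as a parameter so it runs under Node, placed beside a hardened version that only returns a fragment matching the shape a gallery actually needs. The accepted shape prettyPhoto[gallery]/<index>/, the constructed URLs and all function names are assumptions for the demonstration; this is not the fix that shipped in 3.1.6.

```javascript
// Added example, not prettyPhoto's code. Assumption: a legitimate hash looks like
// "#prettyPhoto[gallery]/2/" or "#prettyPhoto/2/" (optional gallery name, numeric index).

// Vulnerable: mirrors the original logic. Everything after '#prettyPhoto' is
// percent-decoded and returned as-is, including '<', '>' and quotes, so a crafted link
// such as page.html#prettyPhoto/<img src=x onerror=alert(1)>/ hands markup onwards.
// decodeURI also throws URIError on a malformed escape, which the original never caught.
function getHashtagUnsafe(href) {
  return href.indexOf('#prettyPhoto') !== -1
    ? decodeURI(href.substring(href.indexOf('#prettyPhoto') + 1))
    : false;
}

// Hardened: same contract (string or false), but the decoded fragment must match a
// strict allow-list, and a malformed percent-escape is treated as "no hash".
const SAFE_HASHTAG = /^prettyPhoto(\[[A-Za-z0-9_-]+\])?\/\d+\/?$/;

function getHashtagSafe(href) {
  const at = href.indexOf('#prettyPhoto');
  if (at === -1) return false;
  let fragment;
  try {
    fragment = decodeURI(href.substring(at + 1));
  } catch (e) {
    return false; // e.g. "%E0%A4%A" -> URIError: malformed URI sequence
  }
  return SAFE_HASHTAG.test(fragment) ? fragment : false;
}

// Constructed URLs (not from the talk): a normal gallery hash, a literal payload,
// a percent-encoded payload that decodeURI turns back into angle brackets,
// a malformed escape, and a page with no fragment at all.
const SAMPLES = [
  'http://gallery.example/album/#prettyPhoto[gallery]/2/',
  'http://gallery.example/album/#prettyPhoto/<img src=x onerror=alert(1)>/',
  'http://gallery.example/album/#prettyPhoto/%3Cimg%20src=x%20onerror=alert(1)%3E/',
  'http://gallery.example/album/#prettyPhoto/%E0%A4%A',
  'http://gallery.example/album/',
];

// Run both versions over the samples; an exception from the unsafe version is
// recorded by name instead of aborting, to show where the original would have died.
function demo() {
  return SAMPLES.map((href) => {
    let unsafe;
    try { unsafe = getHashtagUnsafe(href); } catch (e) { unsafe = e.name; }
    return { href, unsafe, safe: getHashtagSafe(href) };
  });
}

console.table(demo());
```

The allow-list approach is deliberate: stripping a few characters such as '<' and '>' leaves every other sink-specific escape untouched, whereas rejecting anything that is not a gallery name plus an index closes the class of inputs rather than one payload.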

GOOGLE AHOY

INTERESTING FACT

CONTACTING AUTHOR

SPREAD THE WORD

SPREAD THE WORD

SPREAD THE WORD

FINALLY SOME ACTION

SOME ACTION

RELIEVED: LET THE WORLD BE IN PEACE AND LET'S GET BACK TO WORK

AFTER 7 DAYS

WHY YOU NO FIX

WORDPRESS PLUGIN INFO
1. Total plugins found: 35
2. Total plugin downloads: 2,882,520
3. Active installs: 337,780

NERDY DATA

WHAT IS VULNERABLE
1. Any application / website which ships jquery.prettyphoto.js.
2. Versions 3.1.4 and 3.1.5 are confirmed vulnerable; older versions were not checked.

WHAT IS THE FIX
1. Upgrade to 3.1.6.

ENOUGH OF THE PAST. WHAT'S IN IT FOR ME?

LESSONS TO BE LEARNED

FOR DEVELOPERS
1. Never ignore pull requests and security bug reports.
2. Proactively test your software, and at the very least publicly acknowledge a security issue when a fix for it is released.

FOR DEVELOPERS / SYSADMINS / DEVOPS
1. Never ignore updates to a shared library.
2. Keep an eye on how shared resources are holding up.
3. Monitor your dependencies.

HOW

HOW

HOW

IS THIS ENOUGH
1. Not yet.
2. We still lack a method to track this for every third-party library.
3. Manual tracking is still required.

REFERENCES
1. OWASP Top 10 2013, A9 - Using Components with Known Vulnerabilities
2. https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities

THANKS