Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 22 Jun 2015 15:46:54 +0530
From: Abhishek Ghosh <dr.abhishek_ghosh@...mail.com>
To: 0pc0deFR <0pc0defr@...il.com>
CC: OSS Securty <oss-security@...ts.openwall.com>,
 cve-assign@...re.org
Subject: Re: Wordpress Plugin: FTP To Zip 1.8

Hello,

I am the developer of the Plugin. The plugin's intended function is to create zip without any password prompt which OP in this public mail thinking as flaw!

The person's report is baseless and proves the fact that he/she has not read the README file - http://plugins.svn.wordpress.org/ftp-to-zip/tags/1.8/readme.txt <http://plugins.svn.wordpress.org/ftp-to-zip/tags/1.8/readme.txt>  Even if a new user installs the plugin WITHOUT reading the long description, the script of the plugin even if ran by a just an ordinary person, it will only zip the wp-content directory. wp-content directory holds only themes, plugins and uploads. wp-content directory is NOT intended for keeping personal data or sensitive data related to WordPress installation (with default settings). WordPress configuration file holding the database details resides one level up from wp-content directory. Usage direction is written in "Installation" part, which the person who created this public mail has not read. It is clearly written in the readme file :


This Plugin is intended for the advanced users - either block the downloadable zip file via .htaccess or take an alternative measure.


In shared hosting environments, aPaaS and PaaS, in case of hack on an installation get hacked and ways are not great even to login and there is no compression option is offered by the host; the user will have the capability to take a faster file level backup of the whole FTP content and wget it from different provider. The description clearly says the intention :


FTP to Zip takes browser based FTP backup of WordPress plus other folders.


It is not for keeping unsecured, it is clearly written :


This Plugin is intended for the advanced users - either block the downloadable zip file via .htaccess or take an alternative measure.


The person has not manually checked the code :

http://plugins.svn.wordpress.org/ftp-to-zip/tags/1.8/backup.php <http://plugins.svn.wordpress.org/ftp-to-zip/tags/1.8/backup.php>

http://plugins.svn.wordpress.org/ftp-to-zip/tags/1.8/run.php <http://plugins.svn.wordpress.org/ftp-to-zip/tags/1.8/run.php>


These are normal PHP functions. There absolutely no security issue in the code themselves.
It holds true for all the WordPress Plugins - if there is any major flaw, reporting to WordPress dot ORG or personally contacting the plugin developer is always better.

Most importantly, if I discover a real security flaw, the first work is to preserve the secrecy still the bug is fixed. None of us open a public mail and describe the flaw. If it was a genuine security risk - the users would be targeted by some script kiddies.

In the same way, HyperDB needs manual installation, this is not for the ordinary users : https://wordpress.org/plugins/hyperdb/ <https://wordpress.org/plugins/hyperdb/>

wget —ing WordPress tar ball, uncompressing it also dangerous in one sense. Quite practical fact - if the server admin wget WordPress here http://www.openwall.com/Owl/ <http://www.openwall.com/Owl/> and left it for public, I can run the installer file with a database on HP Cloud!  Without prior contacting anyone shouting "Open CVE" can prove to be fatal for your freelancing. WordPress offers an official support forum for each plugin - https://wordpress.org/support/plugin/ftp-to-zip <https://wordpress.org/support/plugin/ftp-to-zip>


Without stepwise prior works, OP's opening a public mail is appearing like as if WordPress Plugin curators are careless. Which is quite pathetic and not true.

If "automatic control" was required, I could put the PHP snippet inside any one these example wordpress plugin https://github.com/Abhishek-Ghosh/Basic-WordPress-Plugin-Frameworks <https://github.com/Abhishek-Ghosh/Basic-WordPress-Plugin-Frameworks> - what would demand login to WordPress to execute the script. For that work, there are many plugins.

Even if someone keeps the plugin like OP without understanding, actually the outsider will never know the credentials related to WordPress. From WordPress, if serious security flaw is present, official email is sent. In extreme, they are removed. You are welcome to WordPress development, but kindly do not insult the core WordPress developers who are maintaining the plugin repository via another Free Software project. For Free Software projects we do not need to use a Third Party Free Software project for reporting bug. At least read the lines :


The Plugin is fail proof and is powerful, but usage must be judicial.



Regards,

Dr. Abhishek Ghosh; M.S., PhD (PDT)

Contact website - https://thecustomizewindows.com/ <https://thecustomizewindows.com/>

[ further public mails will not be answered ]


> On 21-Jun-2015, at 5:20 pm, 0pc0deFR <0pc0defr@...il.com> wrote:
> 
> Hello,
> 
> The FTP To Zip 1.8 wordpress plugin is vulnerable to unauthenticated execution. With vulnerability, you can create a zip archive for Wordpress install and you can download this archive (http://domain.tld/wp-content/plugins/ftp-to-zip/backup.php <http://domain.tld/wp-content/plugins/ftp-to-zip/backup.php>).
> A need CVE please.
> 
> Download plugin: https://downloads.wordpress.org/plugin/ftp-to-zip.1.8.zip
>  <https://downloads.wordpress.org/plugin/ftp-to-zip.1.8.zip>
> --
> Cordialement,
> 
> Kévin FALCOZ alias 0pc0deFR - Consultant Expert WordPress - http://wordpress-expertise.fr <http://wordpress-expertise.fr/>
> 
> --
> Regards,
> 
> Kévin FALCOZ aka 0pc0deFR - WordPress Expert Consultant - http://wordpress-expertise.fr <http://wordpress-expertise.fr/>


Content of type "text/html" skipped

Download attachment "signature.asc" of type "application/pgp-signature" (843 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.