Plugin Author
AITpro
(@aitpro)
We don’t believe that a valid vulnerability exists, but we will look into this some more by doing the PoC steps to either confirm or negate this claim.
Note: we were contacted about this possible vulnerability a while back and testing proved that a vulnerability does not actually exist. We will test again and post the results of those tests here.
Plugin Author
AITpro
(@aitpro)
Testing is completed. A vulnerability does not exist, but what does need to happen is the form input needs to be sanitized.
The forms require that you have Administrator privileges in order to process these forms.
if ( isset( $_POST['Submit-Headers-Check-Get'] ) && current_user_can( 'manage_options' ) ) {
    check_admin_referer( 'bpsHeaderCheckGet' ); // nonce check for the GET header-check form
    // ... process the GET header-check form
}
if ( isset( $_POST['Submit-Headers-Check-Head'] ) && current_user_can( 'manage_options' ) ) {
    check_admin_referer( 'bpsHeaderCheckHead' ); // nonce check for the HEAD header-check form
    // ... process the HEAD header-check form
}
False/Not Valid:
“Proof of Concept (PoC):
=======================
The POST inject web vulnerability can be exploited by local attackers and by remote attackers without a privileged application user account
with low or medium user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information
and steps below to continue.”
Summary: We appreciate that bug testers and pen testers have good intentions and do what they do to help protect the public and make things safer/better on the Internet. Everyone/Anyone is capable of making a mistake that can create a vulnerability and it is great that there are bug testers and pen testers who like doing what they do and report these things, but of course they can make mistakes as well.
In this particular case what Mr. Mejri has found is not a vulnerability, but form input fields that need to be sanitized. We appreciate the heads up about this, but of course do not agree with the PoC vulnerability findings since only an Administrator can input unsafe coding characters into these forms on the System Info page. An Administrator can remotely or locally input unsafe code characters into the forms. Anyone without a privileged user account (Administrator) cannot input unsafe code characters into the forms since they are protected by current_user_can('manage_options'), which means ONLY an Administrator can use/process these forms. Anyone without Administrator privileges CANNOT process these forms.
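As an added example (not the plugin's own code), this is the shape a handler takes once the sanitization step the post calls for is in place: the capability and nonce gates quoted above, followed by sanitizing the submitted value and escaping everything that is echoed back on the System Info page. The field name bps_check_url and the function name are assumptions; the WordPress functions used are real.

```php
<?php
// Added example, not BulletProof Security's own code. The field name
// 'bps_check_url' and this function name are assumed for illustration.
// Returns the HTML to print on the System Info page, or '' if nothing to do.
function example_handle_header_check_get() {
    // Gate 1: only users with manage_options (Administrators) may process the form.
    if ( ! isset( $_POST['Submit-Headers-Check-Get'] ) || ! current_user_can( 'manage_options' ) ) {
        return '';
    }
    // Gate 2: the nonce ties the submission to a form this admin was actually shown.
    check_admin_referer( 'bpsHeaderCheckGet' );

    // Gate 3 (the missing piece the post refers to): sanitize the raw input before
    // it is used, and escape it again wherever it is output.
    $raw = isset( $_POST['bps_check_url'] ) ? wp_unslash( $_POST['bps_check_url'] ) : '';
    $url = esc_url_raw( sanitize_text_field( $raw ) );
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_die( esc_html( 'Please enter a valid URL.' ) );
    }

    $response = wp_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) ) {
        return '<p>' . esc_html( $response->get_error_message() ) . '</p>';
    }

    // Pass header names and values through esc_html() so neither the admin's own
    // input nor a hostile response header can inject markup into the admin page.
    $html = '<p>Headers for ' . esc_html( $url ) . '</p><ul>';
    foreach ( wp_remote_retrieve_headers( $response ) as $name => $value ) {
        // WP returns an array when the same header appears more than once.
        $value = is_array( $value ) ? implode( ', ', $value ) : $value;
        $html .= '<li>' . esc_html( $name ) . ': ' . esc_html( $value ) . '</li>';
    }
    return $html . '</ul>';
}
```

The HEAD variant differs only in the nonce action name and in using wp_remote_head() instead of wp_remote_get().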
Plugin Author
AITpro
(@aitpro)
We will release a new version of BPS tomorrow with these form input fields sanitized, which will make this issue a moot point. Credit/Kudos will be given to Mr. Mejri in the Changelog for this helpful info.