HongPong / broken-link-checker

This plugin will check your posts, comments and other content for broken links and missing images, and notify you if any are found. (non-commercial community fork of broken-link-checker)

Vulnerability CVE-2019-16521 #44

Closed almendron closed 4 years ago

almendron commented 4 years ago

https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20190913-02_WordPress_Plugin_Broken_Link_Checker

HongPong commented 4 years ago

Wow, thanks for the eagle eye. I will hop on this as soon as feasible. Interesting that they say they are no longer maintaining it. If you want to do a PR, that would also be extremely good!

mundschenk-at commented 4 years ago

Quite disappointing, yes.

HongPong commented 4 years ago

Well, I am inclined to take a shot at this tonight and submit it to plugins@wordpress.org. It should not be that hard to simply apply sanitization as the well-written report specifies, combined with the fix for the table underscores on this branch. Who would not want that?

mundschenk-at commented 4 years ago

Definitely. (I just notified them that the vulnerability has been publicly disclosed and that you are still working on this repository.)

HongPong commented 4 years ago

Excellent, thank you! Now I really gotta do it :) ... I checked and there is a CVE page on MITRE now; this is certainly logged in the annals of the interwebs as a serious problem now.

HongPong commented 4 years ago

I just submitted the patch (and I included, as a separate link, the database prefix bug patch, since that one generates so many issues). Let's see what they do! I pushed both branches to this repo, the CVE and CVE+database fix branches. Those branches are based strictly off of the official HEAD and do not include the other patches we have added onto master here.

Let's see what happens!

HongPong commented 4 years ago

I cherrypicked the fix onto the master branch in this repo.

The security team did answer me within half an hour of my email and appreciated receiving a fix, but seemed not to yet have decided what to do about the plugin.

(For submitting the patch to them; no other modifications from the current dist: https://github.com/HongPong/broken-link-checker/tree/cve-2019-16521 and https://github.com/HongPong/broken-link-checker/tree/database-prefix-error)

Patch on the already modified-from-dist master:

https://github.com/HongPong/broken-link-checker/commit/75a473a23e44d64751b701b0a18a991eadcbfdae

HongPong commented 4 years ago

After hearing nothing lately from them, it did finally come up on the forum. I submitted this to a semi-locked thread; hopefully it will be approved.

https://wordpress.org/support/topic/is-it-true-wpmanage-is-no-longer-supporting-this-plugin/

Hi, I submitted a fix for the vulnerability to the security team on the Saturday following the disclosure, and once again requested to manage this plugin. If I had been assigned the plugin after I asked the first time, I definitely would have patched the unsanitized query string vuln in September! (out of discretion I didn’t mention anything here until now, but the discussion has now ramped up regardless…)

Our community fork has my patch for CVE-2019-16521 applied (as well as some other patches for serious issues with the plugin).

You can download the plugin with security fix, and other patches which improve stability, applied here: https://github.com/HongPong/broken-link-checker/archive/master.zip

If you would like the CVE fix plus the database prefix fixes only (no other changes from current plugin) https://github.com/HongPong/broken-link-checker/archive/database-prefix-error.zip

If you would like the CVE fix with NO other patches applied: https://github.com/HongPong/broken-link-checker/archive/cve-2019-16521.zip

Best regards and I hope this can be addressed since it is widely used!! ..Dan
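The two comments above describe the vulnerability only as an "unsanitized query string" reflected into the plugin's admin page, and the fix as "apply sanitization as the report specifies". The following is an added example, not code from broken-link-checker, from the SBA advisory, or from any of the linked branches: a hypothetical WordPress admin screen that reflects a query-string value into its HTML, shown once unsanitized and once hardened with the WordPress core sanitize/escape functions. The parameter name `example_filter`, both `render_filter_screen_*` function names and the crafted request are assumptions made for this illustration.

```php
<?php
// Added example, not code from broken-link-checker or from the advisory.
// The parameter name `example_filter` and the render_* names are assumptions.

// Minimal stand-ins so the file also runs outside WordPress (php example.php).
// Inside WordPress these branches are skipped and the real core functions are used.
if ( ! function_exists( 'wp_unslash' ) ) {
	function wp_unslash( $value ) { return stripslashes( $value ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
	// Simplified stand-in: strips tags (including script bodies), control octets
	// and surrounding whitespace, which is the part of the core behaviour we rely on.
	function sanitize_text_field( $str ) {
		$str = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $str );
		$str = strip_tags( $str );
		$str = preg_replace( '/[\x00-\x1F\x7F]/', '', $str );
		return trim( $str );
	}
}
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) { return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) { return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' ); }
}

/**
 * Vulnerable form of the screen: the raw query-string value is written into an
 * attribute and into the page body without escaping, so a value starting with
 * `">` closes the attribute and whatever follows is parsed as markup and runs
 * for any logged-in admin who follows a crafted link.
 */
function render_filter_screen_unsafe( array $query ) {
	$filter = isset( $query['example_filter'] ) ? $query['example_filter'] : '';
	return '<input type="text" name="example_filter" value="' . $filter . '">'
		. '<p>Showing links matching: ' . $filter . '</p>';
}

/**
 * Hardened form: unslash and sanitize on input (WordPress slashes $_GET in
 * wp_magic_quotes()), then escape for the exact output context: esc_attr()
 * inside the attribute, esc_html() in the body.
 */
function render_filter_screen_safe( array $query ) {
	$filter = isset( $query['example_filter'] )
		? sanitize_text_field( wp_unslash( $query['example_filter'] ) )
		: '';
	return '<input type="text" name="example_filter" value="' . esc_attr( $filter ) . '">'
		. '<p>Showing links matching: ' . esc_html( $filter ) . '</p>';
}

// Constructed request standing in for $_GET: a crafted query string of the kind
// such a report describes. Not taken from the advisory.
$crafted = array( 'example_filter' => '"><script>alert(document.cookie)</script>' );

$unsafe = render_filter_screen_unsafe( $crafted );
$safe   = render_filter_screen_safe( $crafted );

// The unsanitized output carries a live <script> element; the hardened one does not,
// and the stray `">` that survives sanitization is escaped so it cannot close the attribute.
assert( strpos( $unsafe, '<script>' ) !== false );
assert( strpos( $safe, '<script>' ) === false );
assert( strpos( $safe, 'value="&quot;&gt;"' ) !== false );

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
```

Run it with `php example.php`. In a real plugin the `$query` argument is `$_GET` and the two steps are independent: `sanitize_text_field()` cleans the stored or re-used value, while `esc_attr()`/`esc_html()` at the point of output are what actually stop the reflected markup, so the second step must not be skipped even when the first is present.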

HongPong commented 4 years ago

They scratched my comment above, it appears. Honestly this is weird.

mundschenk-at commented 4 years ago

> They scratched my comment above, it appears. Honestly this is weird.

No, that's standard operating procedure for these kinds of things. (Not that it's a great way to moderate things, but that's how they always do it.)

From what little I've heard, the plugin team is working with ManageWP to get a fix out without causing widespread panic (700,000 active installs is a lot). They won't hand over the plugin without ManageWP's consent, though, so this might lead to a fork after all.

HongPong commented 4 years ago

WPMU DEV are managing the plugin now and seem to have released a CVE fix. Let's see how it goes.

The new canonical repo is here: https://github.com/wpmudev/broken-link-checker. I don't think the database prefix fix is in yet.

There are a couple more sanitizations they added here: https://github.com/wpmudev/broken-link-checker/commit/c6ee7f2b86c0b8824c582e969600e1b832a3667e. We should add these to this fork as well!