10 Mar 2016

Developer Security Advisory: CodePeople

On February 8 a report of several vulnerabilities in CodePeople’s Booking Calendar Contact Form plugin was released. While reviewing those for inclusion in our data we found that issue 5, a cross-site request forgery (CSRF) vulnerability that permitted deleting calendar items, still existed. That on its own is not a major issue, since someone would have to want to cause calendars to be deleted and get someone logged in as an admin to visit a page that would cause it to happen, so we didn’t find much concern with it. We did notify the developer and several days later it was fixed.

While that on its own seems to be a minimal issue, over the next month vulnerabilities were reported in two more of their plugins and in each case CodePeople failed to fully resolve the issues, leading us to believe the security of their plugins should be a concern. [Read more]
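To make the CSRF point concrete, here is an added illustration of the pattern involved; it is not CodePeople’s code, and the `acme_*` names, the `acme_delete_calendar` action and the storage behind it are assumptions for the example. The insecure handler deletes a calendar item on any request that arrives with an admin’s cookies, which is exactly what a page the admin is lured to can trigger. The hardened handler additionally requires a capability and a WordPress nonce tied to the action and item, which a third-party page cannot supply.

```php
<?php
// Added illustration, not the plugin's own code. The acme_* names and the
// 'acme_delete_calendar' admin-post action are hypothetical.

// Hypothetical storage: calendar items are kept as posts for this example.
function acme_delete_calendar_item( $id ) {
    return wp_delete_post( absint( $id ), true );
}

// Vulnerable pattern: the item is deleted on any GET carrying ?id=, with no check
// that the logged-in admin actually intended the action. A page the admin visits
// elsewhere can issue this request with the admin's cookies attached (CSRF).
add_action( 'admin_post_acme_delete_calendar_insecure', function () {
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    acme_delete_calendar_item( $id );          // no nonce, no capability check
    wp_safe_redirect( admin_url( 'admin.php?page=acme-calendars' ) );
    exit;
} );

// Hardened pattern: require the right capability and a nonce bound to this
// action and this item. The nonce is derived from the user's session and the
// action name, so a request forged from another site fails the check.
add_action( 'admin_post_acme_delete_calendar', function () {
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // check_admin_referer() calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'acme_delete_calendar_' . $id );
    acme_delete_calendar_item( $id );
    wp_safe_redirect( admin_url( 'admin.php?page=acme-calendars' ) );
    exit;
} );

// The delete link rendered in the plugin's own admin screen carries the matching
// nonce, so legitimate clicks pass the check above and forged requests do not.
function acme_delete_link( $id ) {
    $url = admin_url( 'admin-post.php?action=acme_delete_calendar&id=' . absint( $id ) );
    return wp_nonce_url( $url, 'acme_delete_calendar_' . $id );
}
```

The capability check and the nonce check address different problems: the first decides who may delete at all, the second confirms that this particular request was made deliberately from the plugin’s own UI rather than triggered by another page. Dropping either one leaves a gap, and the advisory’s issue 5 is the case where the second was missing.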

9 Mar 2016

Developer Security Advisory: Smackcoders

Recently four of Smackcoders’ plugins were found by Rahul Pratap Singh to have reflected cross-site scripting (XSS) vulnerabilities. This type of vulnerability is not something we really see being exploited, probably in large part because all of the major web browsers other than Firefox have filtering that should prevent it from being successful in most cases. But its presence does indicate that the developer is not too concerned about security, since properly handling user input is a basic part of programming in a secure fashion.

Also of concern was how long it took the developer to respond after the issues were discovered. Here are the timelines given by the discoverer of the vulnerabilities for how long it took for them to be fixed [Read more]
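As an added illustration of the input-handling point above (not Smackcoders’ code; the `acme_*` function names and the search box they render are hypothetical), here is the shape of a reflected XSS bug in a WordPress admin screen next to its corrected form. The flaw is that a request parameter is echoed back into the page as-is, so whatever markup is carried in the link is interpreted by the browser of the person who follows it; the fix is to escape the value for the exact HTML context it lands in.

```php
<?php
// Added illustration, not the plugin's own code. The acme_* names are hypothetical.

// Vulnerable: the ?s= query parameter is written straight into the page. Anyone
// who follows a link carrying markup in that parameter has it rendered and run
// in their own browser, which is the reflected XSS the advisory describes.
function acme_search_box_insecure() {
    $term = isset( $_GET['s'] ) ? $_GET['s'] : '';
    echo '<input type="text" name="s" value="' . $term . '">';
    echo '<p>Results for ' . $term . '</p>';
}

// Hardened: the value is sanitised on the way in and, more importantly, escaped
// on the way out with the function that matches its context. esc_attr() for an
// attribute value, esc_html() for element text; esc_url() would be used for an
// href and esc_js() for an inline script string.
function acme_search_box() {
    $term = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    echo '<input type="text" name="s" value="' . esc_attr( $term ) . '">';
    echo '<p>Results for ' . esc_html( $term ) . '</p>';
}
```

Input sanitisation alone is not the fix here: `sanitize_text_field()` strips tags but cannot know where the value will later be printed, so the escaping call at the output point is what actually closes the hole. Browser-side XSS filters of the kind mentioned above are a backstop at best and, as the advisory notes, Firefox had none at the time.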