2. @about me
• Security Engineer @Flipkart
• Likes to do Bug Hunting!
• Loves coding in Python
• Member of null security community
• Lead vocalist @Sathee
@prajalkulkarni
3. WordPress Security Ecosystem!
100 CVE’s in less than a month!
How we did it?
What Tale?
4. 60 Million Websites Worldwide
Powers 1 in 5 of all the worlds websites in the world
-Matt
Current stable release 3.9.1
Version 3.8 downloads > 20 Million times
-Stats from Wikipedia
14. Vulnerabilities Found!
Full path disclosure
-pma/error.php
-pma/libraries/PMA_List_Database.class.php
PHP info disclosure
-pma/phpinfo.php
Security Bypass Allows direct access.
-pma/server_databases.php - Full access to all features
including SQL window
-pma/main.php – reveals all the details of the database
15. Timeliness
• Author Contacted: 24 July 2013
• No positive response from the author
• Wordpress Security Team contacted: 11 September 2013
• Plugin Disabled in the repository : 21 October 2013
17. Started Project CodeVigilant
• Spot new issues in Plugins/Themes
• Report to the relevant author
• Get the patch released
• Else close the Plugin/Theme
31. Simple Logic!
Find all $_GET parameters
Replace their value with chk_string:
'><script>alert(document.cookie)</script>
Send the request with the appropriate URL structure
Check if the response contains the chk_string
32. Guess What!
• More than 100 valid XSS!
• Testing for XSS we also stumbled upon:
– SSRF
– LFI
– Unvalidated Redirects and Forwards
33. Stats for the next 3 weeks!
A3-Cross-Site Scripting 211
Unvalidated Redirects and
Forwards
4
Local File Inclusion 6
Information Disclosure 1
Direct access & Auth
Bypass
1
Using Components with
Known Vulnerabilities
30
SSRF/XSPA 4
Injection 9
36. Future for codevigilant
Automation frameworks for other vulnerabilities
Explore other platforms like Drupal & Jumla
Encourage External Researchers to contribute.