Register Plus Redux was removed after the following vulnerabilities disclosed to packetstormsecurity.org were forwarded to firstname.lastname@example.org.
At the time, I didn’t think much of these vulnerabilities. To be honest, I still don’t. I couldn’t figure out how to replicate them. To be honest, I still can’t. Maybe that makes me a buffoon, I don’t know. The fact that they are in Ukrainian certainly didn’t help. On top of that, I just don’t get it.
My knowledge of XSS is limited to the following. When you take information from HTTP GET or POST, you need to validate it because anyone can spoof that data. OK, cool. I try to keep that in mind, and I think I do OK in that regard, although I did find a couple of oversights following this whole debacle.
My problem, I think, might be philosophical. Honestly, being that I am a self-taught programmer, words escape me trying to explain my “philosophy”, for lack of a better word. On the Settings page, I allow HTML to be entered in custom messages. Such as when someone goes to the Registration page and you want it to say, “You will need a confirmation number to register, <click here> for more information.” In the code I received from MustLive that is prohibited. And here is where his report and my knowledge diverge.
Is there a potential for the HTTP POST information to be modified, thus setting that message to something malicious that… I don’t know, yanks cookies and sends them to some far-off bad guy, for example? Sure. But I use a nonce and check_admin_referer as recommended by WordPress and, as far as I know, as used by WordPress core. Whenever possible, I have referred to WordPress core files and used the same syntax and functions used on core pages. So, how is Redux any more vulnerable? I just don’t understand. I scratched my head for a while, and then gave up.
But from time to time, I think, maybe I just didn’t look at it hard enough, maybe I’ll see something new. Still nothing. So last week, I turned to the internet.
This is a more specific problem that MustLive pointed out. However, I figured it was one of the easier ones to recreate without getting into WordPress as a whole.
Surprisingly, to me, there were no true replies. Not to attack the only person who responded at all, Jonathan Rowny, but his response to me just sounds more like paranoia. This “problem” was big enough to get Redux yanked, yet the only solution is to prohibit any HTML and reduce functionality. For what?
Anyway, I don’t want to dismiss MustLive, Jonathan Rowny, or anyone else that ever asked me about this or sent me a message. Nevertheless, I still don’t know what to do to make them happy, and you, constant user, secure. I would run this plugin on my page. I do. Not for any reason, there’s no point in registering here, just so I can test it myself.
Long story short, I just don’t know what to do, and we are still where we were a year ago.