nitstorm
Forum Replies Created
Forum: Plugins
In reply to: [Analyticator] Discovered security vulnerabilities
Hi Noah, Garrett,
Could you please give us an update on the issue? You have also not replied or given any guidance regarding the post on Social Share Boost.
I once again urge you to give an update on both the issues as soon as possible.
Nitin
Forum: Plugins
In reply to: [Contact Form DB] Discovered security vulnerabilities
Hi,
I have just mailed you the report. Please let me know if you have not received it so that I can resend it.
Thanks & regards,
Nitin Venkatesh
Forum: Plugins
In reply to: [Free counter] No contact information
Hi,
Thank you. I’m sorry I didn’t receive your email. I double-checked my spam folder and everything. Maybe a glitch somewhere. Since the update was made on 28 May, could I publish a disclosure on this July 12 (45 days from fix) and work on getting a CVE assigned for this issue?
Thanks & regards,
Nitin Venkatesh
Forum: Plugins
In reply to: [Global Gateway e4 | Payeezy Gateway |] Discovered security vulnerabilities
That is good to hear. Please do keep me updated on the issue and its resolution.
Thanks!
Forum: Plugins
In reply to: [Users to CSV] Discovered potential security vulnerabilities
Thank you.
Forum: Plugins
In reply to: [Social Share Boost] Discovered security vulnerabilities
@vasu: That is definitely not the issue I am referring to in my case.
Thank you. Hoping to hear back from you soon.
Thanks & regards,
Nitin Venkatesh
Forum: Plugins
In reply to: [Social Share Boost] Discovered security vulnerabilities
@vasu: Nope, that does not seem to be the issue from my guess.
Forum: Plugins
In reply to: [Social Share Boost] Discovered security vulnerabilities
Hi,
Could I get an acknowledgement please? Is there an email ID I could send my report to?
Thanks & regards,
Nitin Venkatesh
Hi,
Could you please update me on the situation? Have any of the issues been addressed in the recent updates to some of your plugins?
Thanks & regards,
Nitin Venkatesh
Hi,
Could you please acknowledge if you have received my report?
Thanks & regards,
Nitin Venkatesh
Forum: Plugins
In reply to: [Free counter] No contact information
Hi,
I still haven’t heard back from you. Has the issue been resolved? Could you please update me on the situation? Preferably by writing back an email to me?
Thanks & regards,
Nitin Venkatesh
Forum: Plugins
In reply to: [Global Gateway e4 | Payeezy Gateway |] Discovered security vulnerabilities
Hi,
Vulnerability Description:
The issue is CSRF wherein any values could be modified and submitted. Additionally, there is provision to load any 3 JS libraries and a CSS file if one copies the generated code and creates a form as directed in the plugin’s instructions.
Proof of Concept:
Here’s the link to the PoC as you wished – https://gist.github.com/nitstorm/66e5bb4e1c643ea7a771
It’s been shared as a secret gist so that it’s not crawlable by search engines.
Disclosure Timeline:
2015-06-03 – Discovered. Contacted developer on forums
2015-06-05 – Posting the PoC on the forum as per the developer’s wish.
Disclaimer:
This vulnerability report and PoC is purely meant for educational purposes. I will in no way be responsible as to how the information in this disclosure is used.
Forum: Plugins
In reply to: [Social Share Boost] Discovered security vulnerabilities
I don’t know what WhytoShy is, so probably not…
Forum: Plugins
In reply to: [Global Gateway e4 | Payeezy Gateway |] Discovered security vulnerabilities
The thing is, most developers do not want to discuss security issues in the public forum. Hence I had requested an email address to submit the report to. The issue in your case is CSRF. Do you want me to post the Proof of Concept code here as well?