One day, we got a weird email from Dexter (not his real name).
Am I allowed to release my POC in an hour? It was reported and my report was given n/a. No one is taking any notice of it so I assume it is safe to share and help others.
That was, literally, the first email we got.
We replied and asked “What PoC?” (PoC means “Proof of Concept” in this case, and it’s expected that if you report an issue, you explain how you found it and how to reproduce it as … proof … of the concept of the issue). We stressed that we had not received any other emails from him, so could he please explain.
We also mentioned that asking for a reply in an hour is not acceptable for anyone, especially when you don’t know what time-zone people are in. The rest of the email was the boilerplate “Here’s how you file a security report for WP and here’s how you do it for a plugin.”
My Bad, I was Helping
Dexter…
You see my actions as wrong. Sorry. I was trying to help. It has been a few weeks. Not making excuses but now you explained I understand, on the other side of the fence things are not as clear as that. I also have a thing where if I do not write things down I will eventually forget them. This is extra tough as I try not to keep information of vulnerabilities. However, it is my intent to do right.
Believe it or not but, you are one of the only people who actually try to help educate me. Even though you did not have to.
I was trying to get a CVE but I do not know the relevance of the issue. I originally thought it was WordPress then was told about plugins. The website owner is unresponsive. Trust me, I submit about 500 reports a day. They are always unresponsive.
I am not sure if you still want me to communicate with you or if you prefer me to leave you alone.
Thank you for reducing my ignorance, either way.
While I’m sure he submits a lot of reports, this was (again) the first time he’d ever emailed Plugins. And notice that he still isn’t saying anything about this report?
So we asked again, what freakin PoC?!?! (nicely) and he replied in four emails with screenshots and this was the PoC:
It is for this
https://developer.wordpress.org/plugins/javascript/ajax/
https://codex.wordpress.org/AJAX_in_Plugins
It was not on wordpress.org.
Since the issue is down to the php code, I am not sure who is responsible for it.
None of that is a PoC, for the record.
That email looks like a comment about a security issue with WordPress, right? But via the screenshot of the webpage (not a link, he sent a fucking screenshot!), I was able to figure out this was from a CVE about the Ajax Load More plugin and looking at the CVE … it was already closed.
Per [URL], the issue is resolved.
This means there’s nothing for you to report, unless you’ve found something else. And if you have, you need to unpack what’s in your head and tell us what you found.
If you’re just telling us that the vuldb site reported on an issue, then please make sure their site is NOT saying the issue was resolved. We don’t need to know about those, as they’ve already been handled.
Oh and there was no issue with the codex, it was just documentation.
Dexter replied “One of the targets I tested on says they are using version 5.1.9.” and frankly that sucks but it’s not our responsibility. The plugin was fixed, the fix was released, and if some dingleberries didn’t update, that’s on them.
He then claimed the fix wasn’t in the 5.3.1 version. You know, the version known to be vulnerable? Yeah, it didn’t have the fix. The next version has the fix. As documented.
If a PoC Falls in the Forest…
Next, Dexter sent a report and here’s what his PoC looked like:
Not a joke.
The text file was just that.
We asked if he sent the wrong file or it was encrypted, and he claimed we were idiots for not understanding that. Again, we asked him to give us an actual proof of concept, where he walked through how he found the bug and identified it. Instead, he linked to more and more sites that had been hacked, as if that proved anything.
Since he’d linked to sites with the parameters used to ‘hack,’ I was able to track down the actual plugin with the issue and … drum roll … it was already fixed!
Two years ago.
So Dexter decided to ‘prove’ it was a problem by finding people with the old versions of the plugins (bear in mind, every single plugin he reported had already been fixed) and attacking their sites and crashing them.
That’s how someone sues your ass, by the way. NEVER ever try to test a hack on someone else’s site! Besides being bad form, if you break the wrong site you can find yourself at the bad end of a legal mess.
Proof of Concept Means You PROVE how it works
We tried to explain again:
The issue is you handed us an incomplete PoC without the explanations and expected US to do the hours of work to try and guess what you meant.
Just by looking at that URL:
example.com/wp-admin/admin-ajax.php?action=formcraft3_get&URL=http://127.0.0.1:8080
We see how it says formcraft3_get — that means a specific plugin is required to even make this possible. That issue has already been resolved and was confirmed here: https://wpscan.com/vulnerability/b5303e63-d640-4178-9237-d0f524b13d47
If you’re not testing the latest versions of WP (which you already mentioned) and the plugin, then it is an invalid report. If you are not updating WP and the plugins, of course you have a high risk of vulnerabilities, but it’s incorrect to claim these are ‘new’ (other people have already reported), and since they have all been fixed then you just have to update your site.
Since literally every single report you claim to be an issue has been fixed, we have nothing to do here.
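The reply above makes one practical point: the action parameter on an admin-ajax.php request tells you which plugin the request is aimed at, and a URL parameter pointing at loopback is the shape of the already-fixed FormCraft issue. Here is an added example, not the Plugins team's tooling or anything from Dexter's reports, that runs that triage over constructed web-server log lines (the IPs, timestamps and internal address 10.0.0.5 are made up for the sample) and flags admin-ajax requests whose URL parameter targets an internal address, which is what a site owner would want to spot in their own logs before checking whether the plugin is up to date.

```python
"""Triage helper: classify admin-ajax.php requests found in web-server log lines.

Added example, not code from the original post. It assumes combined log
format and a plugin-style ``URL`` query parameter like the one quoted above.
"""
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/admin-ajax.php?action=formcraft3_get&URL=http://127.0.0.1:8080 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 33
198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-admin/admin-ajax.php?action=formcraft3_get&URL=http://10.0.0.5/ HTTP/1.1" 200 1024
198.51.100.9 - - [10/Oct/2023:13:55:39 +0000] "GET /wp-admin/admin-ajax.php?action=formcraft3_get&URL=https://example.org/ HTTP/1.1" 200 900
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

# Minimal combined-log-format parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def _is_internal(host: str) -> bool:
    """True if host is a loopback/private/link-local address or the loopback hostname."""
    if host.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a public hostname; not an internal target
    return addr.is_loopback or addr.is_private or addr.is_link_local


def classify_request(target: str) -> Optional[Dict]:
    """Return a triage record for an admin-ajax.php request, or None for anything else."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query)
    # The action parameter names the handler, i.e. which plugin must be installed.
    action = params.get("action", [""])[0]
    # Case-insensitive lookup of a URL-like parameter (the reply quotes ``URL``).
    fetch = next((v[0] for k, v in params.items() if k.lower() == "url"), None)
    record = {"action": action, "fetch_url": fetch, "internal_target": False}
    if fetch:
        host = urlsplit(fetch).hostname or ""
        record["internal_target"] = _is_internal(host)
    return record


def triage(log_text: str) -> List[Dict]:
    """Flag admin-ajax requests whose URL parameter points at an internal address."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = classify_request(m.group("target"))
        if rec and rec["internal_target"]:
            findings.append({"ip": m.group("ip"), "status": m.group("status"), **rec})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this flags two requests, both carrying action=formcraft3_get; the heartbeat request has no URL parameter and the request fetching a public hostname is left alone. The action value is the piece to carry into the next step: look up which plugin registers that handler and confirm the installed version is past the fixed release, exactly as the reply above describes.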
He replied ‘okay’ but then kept attacking sites to prove it.
After he replied this:
I don’t know what you have to do but I am convinced something needs to be done. I am genuinely trying to help you. You just have to accept that you may be wrong here and need to do something about it.
There are a vast amount of people looking to use the exploit. You have not advised your customers from any of the links you showed. No offence but, your workaround sucks too. It is like you do not assume an attacker will do any recon.
I gave up, and flagged him as ‘quarantined’ which is where we put people who are well meaning, but cannot be helped.
He’s right in that people are looking to attack sites, but if the fix is available and people don’t use it, the only thing the plugins team might be able to do would be force an upgrade. We only do those under exceptional circumstances, which none of these were.
Dexter’s still running around, being a serial ‘hacker,’ and I’ve no doubt one day he’ll really get himself into trouble.