The Summer of Pwnage (SOP) event that's going on in Amsterdam this month is turning out to be a huge success, both for the organizers and for the WordPress community, which is now reaping the rewards as bug reports help the WordPress core team and plugin authors secure their code.
The event was advertised as an opportunity for the Dutch infosec and programming community to get together and learn about Web security, either via workshops or by getting coders together in hackathons aimed at discovering new security flaws.
Securify, the company that organized the event, decided to focus only on one technology at a time, something they plan to do for future editions of SOP. This year, they chose WordPress, due to the CMS' broad use and familiarity among all of today's coders and security experts.
The event, scheduled to run for the entire month of July, has so far yielded 64 security bugs, discovered not only in the WordPress CMS core but also in many of its most popular plugins.
Securify and the researchers who found the issues have reported and helped fix 18 of these vulnerabilities. The other 46 issues have been reported as well, and the projects responsible for fixing the problems are busy preparing new patches.
We, here at Softpedia, took notice of two of the biggest issues discovered by the researchers engaged in this event, two wide-reaching persistent XSS issues in two very popular WordPress plugins: All in One SEO and WooCommerce.
Other issues still in the "reporting" stage include a DoS (denial of service), a persistent XSS (cross-site scripting), and a CSRF bug in none other than the WordPress core. Knowing the WordPress security team, they will no doubt be fixed in upcoming versions of the CMS.
Softpedia reached out to Securify's team, who was kind enough to answer some of our questions regarding the event and their plans for the future.
Besides Securify, are there other people involved in the project?
Securify: The event is organized & run by Securify. Participants of the event are actively searching for vulnerabilities in WordPress & WordPress Plugins. Some already submitted some of their findings.
The main target of the event are (IT) students, to help them get started and to teach them more about software security. We have two or three talks per meetup. These talks are currently given by Securify employees, but we hope to attract outside speakers for future events.
How was the turnout?
Securify: We started organizing the event in mid-June, so we did not really know what to expect. We're quite happy with the turnout. A lot more have subscribed through our website, but so far have not shown up.
Why did you choose WordPress for this year? Is it because of the bad reputation WordPress has among the cyber-security industry?
Securify: Summer of Pwnage started out as a joke after one of our colleagues found a vulnerability in a WordPress Plugin. One thing led to another, and all of a sudden, we're distributing flyers at universities & technical colleges.
There is no real plan here, but given the large number of WordPress Plugins out there, it was to be expected that a lot of issues would be found.
Seeing that the event was a success, will WordPress remain on the menu, or are you planning to choose a different technology every year?
Securify: We'll probably target another project next year. It could be anything; we still want to keep the knowledge-sharing element, so it should be something people can pick up easily.
How did communications with the WordPress team go? Did they know in advance what you were planning?
Securify: The WordPress team seems to know what they are doing, which helps communicate the issues and get them resolved. Communication with Plugin authors is a lot harder. We did not inform them in advance.
What was the feedback from the plugin authors?
Securify: Some reports are still waiting for confirmation / a reply. Finding a proper way to contact the authors is not always trivial. With enough persistence, I expect that most issues will be fixed eventually.
Also, the WordPress team has a policy to remove plugins with known vulnerabilities from their site until they are resolved. I think this also helps get issues fixed.
What's your favorite or most creative bug report from SOP so far?
Securify: That is hard to say as everybody favors their own findings. Personally, I like the issues found by participants that previously had no experience with searching for security vulnerabilities.
Has anyone approached you for future sponsorships?
Securify: This idea was mentioned once, but so far, we've not received any concrete offers yet.