Welcome back to the Patchstack Weekly security update! This update is for week 17 of 2022.
This week I have a handful of vulnerabilities to share with you, including three unauthenticated SQL injection bugs that were patched and three bugs that could lead to arbitrary files being uploaded to websites running the affected plugins.
In this week’s knowledge share, I’m going to be talking about Egoless Programming, a concept introduced over 50 years ago and an extremely helpful one when it comes to handling security bug reports.
Vulnerability news
Unauthenticated SQL Injection Patches
Arbitrary File Upload Vulnerabilities
VikBooking Hotel Booking Engine & PMS – Arbitrary File Upload
The VikBooking Hotel Booking Engine developers released a patch for this file upload vulnerability, and I strongly recommend site owners update their plugin as soon as possible.
Advanced Uploader – Arbitrary File Upload
Unfortunately, the advanced-uploader plugin developers have not supplied a patch at this time. Hopefully a patch comes out soon, but in the meantime it would be a good idea to remove or disable this plugin, especially if your WordPress website allows anyone to register a subscriber account.
Rara One Click Demo Import – (CSRF) leads to Arbitrary File Upload vulnerability
Finally, users of the Rara One Click Demo Import plugin should check that the plugin is disabled if it is not in use. It appears this plugin’s purpose is to import demo data for use with Rara themes, which is useful, but only during design or demo work. A CSRF attack rides on a victim’s existing login session, so this one depends on a logged-in user being lured to an attacker-controlled page; deactivating the plugin removes the vulnerable endpoint regardless. Any plugin whose purpose is importing demo data should not be left active on a production website.
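The three file upload issues above fall into two familiar shapes: an upload handler that low-privileged or anonymous users can reach, and one that a logged-in user can be tricked into calling (CSRF). The following is an added, generic WordPress example written for this update; it is not code from VikBooking, Advanced Uploader, Rara One Click Demo Import or Patchstack, and it makes no claim about what those plugins actually did. The action name `demo_upload`, the nonce field name `nonce` and the file field name `file` are assumptions for illustration. It shows the unsafe shape first, then a handler with the three checks (nonce, capability, file type) that close off these bug classes.

```php
<?php
// Added example, not any named plugin's code. Hypothetical action names
// (demo_upload_unsafe, demo_upload) and field names (nonce, file).

// ---- Anti-pattern (generic) ------------------------------------------------
// Reachable by anonymous visitors via the nopriv hook, no nonce, no
// capability check, and the file keeps its original name and extension, so
// a .php upload lands in a web-served directory.
add_action( 'wp_ajax_nopriv_demo_upload_unsafe', 'demo_upload_unsafe' );
add_action( 'wp_ajax_demo_upload_unsafe', 'demo_upload_unsafe' );

function demo_upload_unsafe() {
    $dest = wp_upload_dir()['basedir'] . '/' . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( $dest );
}

// ---- Hardened handler ------------------------------------------------------
// Only the authenticated hook is registered. With no wp_ajax_nopriv_ hook,
// unauthenticated visitors never reach the function at all.
add_action( 'wp_ajax_demo_upload', 'demo_handle_upload' );

function demo_handle_upload() {
    // 1. CSRF: the request must carry a nonce bound to this action and user.
    //    Without it, a logged-in admin visiting an attacker's page could be
    //    made to submit the upload (the CSRF -> upload pattern above).
    //    check_ajax_referer() dies with a 403 when the nonce is missing/bad.
    check_ajax_referer( 'demo_upload', 'nonce' );

    // 2. Authorization: being logged in is not enough. Many sites allow
    //    open registration of subscriber accounts, so require a capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }

    // 3. Content validation: check the extension AND the sniffed MIME type
    //    against WordPress's allowed-types list. Both come back false for
    //    anything not permitted (.php, .phtml, .html, ...).
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name']
    );
    if ( false === $check['ext'] || false === $check['type'] ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // Let core move the file into the uploads directory with a sanitized,
    // de-duplicated name. test_form is false because the request was
    // already validated above.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// The client side must send the nonce, for example by exposing it when the
// script is enqueued (script handle 'demo-js' is also an assumption):
//   wp_localize_script( 'demo-js', 'demoUpload', array(
//       'nonce' => wp_create_nonce( 'demo_upload' ),
//   ) );
```

Two design notes. First, `wp_handle_upload()` runs `wp_check_filetype_and_ext()` itself by default, so step 3 is partly redundant; it is kept explicit so that the rejection is visible in the handler and returns a clear error rather than a generic upload failure. Second, the nonce check and the capability check answer different questions (did this user intend this request, and is this user allowed to do it), which is why a handler needs both: a nonce alone still lets any subscriber upload, and a capability check alone still lets an admin be tricked.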
Weekly knowledge
Squashing ego squashes bugs
This week, I will be talking about a soft skill that software developers and security researchers can benefit from. It is known as Egoless Programming, and it was first introduced in Gerald Weinberg’s classic 1971 book, “The Psychology of Computer Programming”.
The concepts of Egoless Programming have less to do with writing the code, and more with the interactions between individuals when discussing the code.
It can be applied any time more than one person is engaged in reviewing, submitting, patching, or otherwise working on a codebase. More specifically, it can and should be applied when someone reports a security bug in code, and it applies to everyone involved in the interaction: both the person responsible for developing the code and the person reporting the issue.
Egoless Programming is an interpersonal communication skill, and like any skill, can be improved on with practice.
You can, of course, read “The Psychology of Computer Programming” yourself, but I would like to share some highlights and examples here:
Egoless programming will help your project in the following ways:
- Improves communication.
- Reduces wasted time and needless negativity.
- Lowers the barriers to contributing to the project.
Bug reports and security bug reports are inevitable, and most are well written, in an Egoless manner … but sometimes they’re the opposite of Egoless; you could even call them Egofull. So, how about I show some examples?
An Egoless bug report would look like this:
“I am reporting a security bug found in project version XYZ.
The issue can be reproduced using the following process: 1, 2, 3.
The severity of this issue is very high, as it could lead to site compromise without authentication. (Or: the severity of the issue is low to medium, as it could be used in a targeted attack but requires a high-privilege account to perform.)
If you have any questions or need clarifications about this report, please feel free to reply.”
- Criticizes the code, not the developer.
- Encourages clear communication using facts and context.
- Encourages discussion, to craft the best solution.
An Egofull bug report would look like this:
“Your plugin is insecure and users should know not to trust you as a developer.
Here is the PoC: 1, 2, 3. All security bugs are high severity and you need to fix it right away.
I have already publicly released the PoC and shared it widely to promote myself as the best security researcher ever!”
- Criticizes the developer, not the code.
- Typically opinion-based, or uses facts without context.
- Declares a solution that does not take into account the complexity of the project.
I wish I could say Egofull bug reports are rare, but I know they happen. I have handled security bug reports long enough to have seen a few firsthand.
I have even acted as a moderator in a few cases when an Egofull report caused a problem, and from that experience I would like to share one important bit of advice:
How to handle Egofull bug reports
It is inevitable: everyone has an ego. Eventually, you’re going to receive an Egofull bug report in a project.
Hopefully not as bad as my example, but when someone does not follow the rules of Egoless discourse, what should you do?
My recommendation: focus on the code, focus on the problem, and figure out the solution. Do not get sucked into the negative commentary. Even though the reporter has lost control of their ego, that does not give you permission to lose control of yours.
Separate all the ego out of the Egofull report and just focus on understanding the problem in the code itself.
Can you reproduce the bug with the information provided? Can you start working on a solution? Can you fix the problem?
If you need to ask for more details (and this is pretty common; the reporter’s ego got in the way of actually communicating the issue), then you will have to Egolessly ask for clarification or more details, either from the reporter, from a trusted friend, or from someone in the community.
If you’re reading this now, consider me a friend you can ask for help in these situations.
If you need to reply, resist the temptation to get your own ego involved. I know this may be hard, since they started it and you may think they deserve an emotionally charged response, but that will not help solve the problem. You can’t change the person; you can change your code.
It is also OK not to address the issue right away. Use that time to calm down. If you’re having trouble replying in a calm way, that is a sign you could use the help of a third party to act as a mediator. It is 100% OK to ask for help in these situations.
This is also something Patchstack can help you with. We act as mediators in the security reporting process and are well experienced in de-ego-fying security bug reports.
The worst-case scenario is two Egofull people arguing with each other rather than about the problem or bug in the code. When two egos clash like this, and I have seen it happen, no progress gets made, people’s days are ruined, and the bug goes unfixed.
Thanks and appreciation
This week’s thanks go out to the developers behind Personal Dictionary, UbiGEO de Peru, MapSVG premium, and the VikBooking Hotel Booking Engine plugin. Thank you for supplying those security patches!
Another special thank you is extended in memory of Gerald Weinberg, author of “The Psychology of Computer Programming” for inspiring developers to practice Egoless programming. Thank you for helping developers get more done, and waste less time when confronted with Egofull commentary on their project(s).
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly security update!