Closed Bug 771050 Opened 12 years ago Closed 12 years ago

WP Plugin: simple-embed-code

Categories: mozilla.org :: Security Assurance: Review Request, task
task / Not set / normal

Tracking: Not tracked

Status: VERIFIED FIXED

People: Reporter: nmaul, Assigned: mfuller

Details: Whiteboard: [completed secreview][start 2012/07/23][start 2012/07/24]

Attachments: 1 file

Who is/are the point of contact(s) for this review?
Janet Swisher and :jakem

Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
WordPress plugin for hacks.mozilla.org to allow easy embedding of video, audio, and iframes.

Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
http://wordpress.org/extend/plugins/simple-embed-code/

Does this request block another bug? If so, please indicate the bug number
Blocks bug 742146

This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
Don't know

To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?
Don't know

Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)
    Does this feature or code change affect Firefox, Thunderbird or any product or service Mozilla ships to end users?
    No
    Are there any portions of the project that interact with 3rd party services?
    No
    Will your application/service collect user data? If so, please describe
    No

If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):

Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
This is 3rd party code... no need to schedule a review with us.
Whiteboard: [pending secreview] → [pending secreview][triage needed 2012.07.11]
I am willing to take this one on if it can be put on ice for a couple of weeks.
Assignee: nobody → amuntner
Whiteboard: [pending secreview][triage needed 2012.07.11] → [pending secreview][start 2012/07/23][start 2012/07/24]
No hurry, bug 742146 has been waiting 3 months already :-)

Because WordPress allows only Administrators to post privileged elements, over time, we've made more users into admins than we otherwise would. They're all trusted users, but it increases the exposure. This plug-in enables ordinary authors to post privileged elements, so we don't have to make them admins to do that.
Adam, I can take this bug and start on it today. If that's okay with you, feel free to assign it to me.

Matt
good enough for me, assigned to :mfuller
Assignee: amuntner → mfuller
Due Date: 2012-07-06
During the security review of this plugin, an XSS vulnerability was found. I will be contacting the developer of the plugin for an update, or I can provide a recommended fix to someone who will be installing this plugin, but until the issue is corrected, I cannot approve its installation.
Depends on: 771315
My security review is complete but the bug won't be resolved until 771315 is fixed via the developer.

I've attached my full set of notes, but the main points are:

- Fix XSS issue in admin search page.
- Realize that this plugin allows the insertion of additional content types such as scripts, iframes, etc. as well as full inclusions of remote pages. All authors should be instructed not to load scripts or pages from offsite resources unless they are trusted (i.e. a YouTube video would be fine, a JavaScript link from a random third party would not be).
Attached file Security Review Report
Removing due date since this relies on a third-party dev to fix.
Due Date: 2012-07-06 00:00:00
Bug 771315 is now resolved due to the developer's fixed update. I am marking this review complete as that was the only outstanding concern I had with this plugin. Please proceed to installation.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [pending secreview][start 2012/07/23][start 2012/07/24] → [completed secreview][start 2012/07/23][start 2012/07/24]
Blocks: 771568
Status: RESOLVED → VERIFIED