In a couple of them I discovered XSS and other vulnerabilities. So far so good… but then the interesting part starts: the coordinated, responsible disclosure.
The first problem is to get in touch with the developers. Smaller vendors often don’t have official disclosure guidelines, bug bounty programs or even security contacts on their websites. Sometimes they don’t even respond to emails or tweets.
For plentymarkets the hardest part was to get in contact with someone who took my request seriously. They have a discussion board for their customers, but obviously it is not open to the public. I sent emails, DMs on Twitter, and tweets to them. Finally, after a while, I got first contact with someone responsible for PR. But the contact was pretty much one-way and got stuck every few emails. I contacted a bunch of website owners to discuss the vulnerabilities and to bring more pressure on plentymarkets. I felt not much really happened. I asked for status updates again and again… Sometimes they responded, sometimes not. In the meantime I found three XSS on their own website, which is a pretty bad testimonial for a web shop vendor, at least in my opinion. Two of them were even technically the same; they just had not managed to patch it everywhere.
Reports: OBB-572632, OBB-528032, OBB-437657
Update 2018-04-10: plentymarkets contacted me again, the CEO in person, and was really very honest that the process was not good enough for security reports. They have now implemented a new escalation process, better internal communication and a security.txt.
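The security.txt mentioned above is the mechanism that addresses the "how do I reach the vendor" problem: a plain-text file served at /.well-known/security.txt (RFC 9116) naming a security contact and an expiry date. The following is an added example, not plentymarkets’ real file or anything from this article: a small parser and validator for that format, run over a constructed sample for a made-up domain. It checks the two mandatory fields (Contact and Expires), that Expires appears exactly once, and that the file has not expired, which are the mistakes most often seen on published files.

```python
"""Minimal RFC 9116 security.txt parser and validator (added example)."""
from datetime import datetime, timezone

# Constructed sample for a fictitious domain; not a real vendor's file.
SAMPLE = """# Security contact for example-shop.test (constructed sample)
Contact: mailto:security@example-shop.test
Contact: https://example-shop.test/security/report
Expires: 2099-12-31T23:59:59.000Z
Encryption: https://example-shop.test/pgp-key.txt
Preferred-Languages: en, de
Policy: https://example-shop.test/security-policy
Canonical: https://example-shop.test/.well-known/security.txt
"""


def parse_security_txt(text):
    """Return a dict of lower-cased field name -> list of values.

    Blank lines and '#' comments are skipped; fields may repeat
    (e.g. several Contact lines), so every value is kept in order.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            continue  # malformed line; ignored rather than fatal
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    # RFC 9116: Contact is mandatory (at least one), Expires mandatory (exactly one).
    if "contact" not in fields:
        problems.append("missing Contact field")
    if "expires" not in fields:
        problems.append("missing Expires field")
    elif len(fields["expires"]) > 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            # fromisoformat on older Pythons does not accept a trailing 'Z'.
            exp = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
            if exp <= now:
                problems.append("Expires date is in the past")
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")
    return problems


if __name__ == "__main__":
    print(parse_security_txt(SAMPLE))
    print("problems:", validate_security_txt(SAMPLE) or "none")
```

A reporter can run the validator over a vendor's fetched file before writing the first email; a vendor can run it in CI so the file does not silently expire, which in practice is the most common way a published security.txt stops being useful.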
xt:commerce, where I found XSS vulnerabilities in the 4.2 and 5.0 releases, was quite different: the contact was friendly, they were willing to co-operate and updated me on a more or less regular basis. It took some time, but they managed to fix the issues and to inform the public about them. You can find the patch changelogs here:
xt:commerce 4.2 patch information
xt:commerce 5.0 patch information
In Redaxo I thought I had found a vulnerability, but it wasn’t one within the framework itself. Still, they replied within hours to a tweet and brought me in touch with the core developer, who then confirmed it’s not a bug in their system. Perfect awareness by the social media team, great response time!
There are some more CMSs from which I’m still waiting for a response. Should they ever contact me or fix their issues (or even if not), I’ll update this article.
Decide on your own which CMS would be a candidate for you, but it seems that this time the bigger players are showing the security state of the art.