XSRF under Dean's Permalinks Migration 1.0

2008.01.31
Credit: g30rg3_x
Risk: Low
Local: Yes
Remote: Yes
CWE: CWE-352


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

1. Abstract There is and a XSRF under Dean's Permalinks Migration Plugin version 1.0 which allow any attacker to conduct the user to do and a unsolicited action this combined within a XSS bug (also found) in the plugin allows and attacker to gain valid credentials for the WordPress based CMS. 2. Explanation Since the variable $dean_pm_config['oldstructure'] its not correctly sanitized (when retrieving), this allow any user to store/save "malicious code" inside the database and later be injected this "malicious code" when the data is retrieved. Using the XSRF as a "combo" we can create crafted pages that will force users to conduct this injection and steal some valid credentials to the WordPress based CMS. 3. Proof-Of-Concept This is a very innocent and short PoC... You can download this PoC here: http://g30rg3x.com/wp-files/PoC_dpm_10.zip 4. Solution Since i couldn't contact the plugin author by any of the public ways that he left on his website this force me to make and release and a special sub-version for the plugin, version which i call 1.1-gx... This version adds the need protection against the vulnerability and uses some of the WordPress coding standards suggest by the WordPress Developers. You can download this version here: http://g30rg3x.com/wp-files/dpm_11gx.zip 5. Timeline Bug Found: 11/01/2008 Vendor Contact: 12/01/2008 Vendor Response: --/--/-- Public Disclosure: 21/01/2008 Copy: http://g30rg3x.com/xsrf-bajo-deans-permalinks-migration-10/ (Spanish Only) _________________________ g30rg3_x


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top