1. Abstract
There is and a XSRF under Dean's Permalinks Migration Plugin version
1.0 which allow any attacker to conduct the user to do and a
unsolicited action this combined within a XSS bug (also found) in the
plugin allows and attacker to gain valid credentials for the WordPress
based CMS.
2. Explanation
Since the variable $dean_pm_config['oldstructure'] its not correctly
sanitized (when retrieving), this allow any user to store/save
"malicious code" inside the database and later be injected this
"malicious code" when the data is retrieved.
Using the XSRF as a "combo" we can create crafted pages that will
force users to conduct this injection and steal some valid credentials
to the WordPress based CMS.
3. Proof-Of-Concept
This is a very innocent and short PoC...
You can download this PoC here: http://g30rg3x.com/wp-files/PoC_dpm_10.zip
4. Solution
Since i couldn't contact the plugin author by any of the public ways
that he left on his website this force me to make and release and a
special sub-version for the plugin, version which i call 1.1-gx...
This version adds the need protection against the vulnerability and
uses some of the WordPress coding standards suggest by the WordPress
Developers.
You can download this version here: http://g30rg3x.com/wp-files/dpm_11gx.zip
5. Timeline
Bug Found: 11/01/2008
Vendor Contact: 12/01/2008
Vendor Response: --/--/--
Public Disclosure: 21/01/2008
Copy: http://g30rg3x.com/xsrf-bajo-deans-permalinks-migration-10/ (Spanish Only)
_________________________
g30rg3_x