'[FD] CSRF/XSS vulnerability in Private Only could allow an attacker to do almost anything an admin u'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] CSRF/XSS vulnerability in Private Only could allow an attacker to do almost anything an admin u
From:       dxw Security <security () dxw ! com>
Date:       2015-08-26 11:10:29
Message-ID: a6939f51f672ef7fe2fda43e8bc2a0c4 () security ! dxw ! com
[Download RAW message or body]

Details
================
Software: Private Only
Version: 3.5.1
Homepage: http://wordpress.org/plugins/private-only/
Advisory report: https://security.dxw.com/advisories/csrfxss-vulnerability-in-private-only-could-allow-an-attacker-to-do-almost-anything-an-admin-user-can/

CVE: CVE-2015-5483
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description
================
CSRF/XSS vulnerability in Private Only could allow an attacker to do almost anything an admin user can

Vulnerability
================
This plugin fails to use CSRF and XSS prevention techniques which are available in WordPress (nonces, and \
esc_attr()) so it allows an attacker to cause a logged in admin user to be the victim of a CSRF attack \
which stores malicious content in the database which, due to lack of escaping, is output as raw HTML. Via \
JavaScript the attacker is able to cause the user’s browser to do almost anything including add users, \
delete posts, and even modify PHP files if that option hasn’t been disabled.

Proof of concept
================
Pressing the submit button here will change the logo setting to contain some JavaScript. Browsers with no \
reflected XSS prevention (like Firefox) will execute the JavaScript immediately, other browsers will \
execute the JavaScript when the page is loaded next. <form method=\"POST\" \
action=\"http://localhost/wp-admin/options-general.php?page=privateonly.php\">  <input type=\"text\" \
name=\"po_logo\" value=\"&quot;>&lt;script>alert(1)&lt;/script>\">  <input type=\"text\" \
name=\"po_submit\" value=\"Y\">  <input type=\"submit\">
</form>

Mitigations
================

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: \
https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party \
(for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.

Timeline
================

2015-03-20: Discovered
2015-07-09: Reported to vendor by email
2015-07-09: Requested CVE
2015-07-31: No reply. Tried on twitter and got a brief response
2015-08-18: After multiple further attempts, still no reply. Escalating to WP Plugins

Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[prev in list] [next in list] [prev in thread] [next in thread] 