XSRF under Dean’s Permalinks Migration 1.0
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: XSRF under Dean’s Permalinks Migration 1.0
- From: g30rg3_x <g30rg3x@xxxxxxxxx>
- Date: Tue, 22 Jan 2008 14:50:58 -0600
1. Abstract
There is a cross-site request forgery (XSRF) vulnerability in Dean's Permalinks Migration Plugin version
1.0 that allows an attacker to make a user perform an unsolicited action.
Combined with an XSS bug (also found) in the plugin, this allows an
attacker to obtain valid credentials for the WordPress-based CMS.
2. Explanation
Since the variable $dean_pm_config['oldstructure'] is not correctly
sanitized when it is retrieved, any user can store "malicious code"
in the database, and that code is later injected into the page when
the data is retrieved.
Using the XSRF in combination with this, crafted pages can be built
that force users to perform this injection and steal valid credentials
to the WordPress-based CMS.
3. Proof-Of-Concept
This is a very innocent and short PoC...
You can download this PoC here: http://g30rg3x.com/wp-files/PoC_dpm_10.zip
4. Solution
Since I couldn't contact the plugin author by any of the public ways
that he left on his website, this forced me to make and release a
special sub-version of the plugin, a version which I call 1.1-gx...
This version adds the needed protection against the vulnerability and
uses some of the WordPress coding standards suggested by the WordPress
developers.
You can download this version here: http://g30rg3x.com/wp-files/dpm_11gx.zip
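To illustrate the two defects described in section 2 and the kind of protection section 4 refers to, here is an added example of a plugin settings handler in its unprotected and hardened forms. It is not code from Dean's Permalinks Migration or from the 1.1-gx release; the settings-page functions, the form layout and the nonce action name are assumptions, while the WordPress API functions used (check_admin_referer, wp_nonce_field, current_user_can, esc_attr, sanitize_text_field, wp_unslash, get_option, update_option) are real WordPress functions.

```php
<?php
// Added example, not the plugin's code. Assumes a settings page that
// stores the array option 'dean_pm_config' with an 'oldstructure' key.

// --- Unprotected pattern (the two bugs the advisory describes) ----------
// 1. The POST is accepted with no anti-CSRF token, so any page an admin
//    visits while logged in can submit this form on the admin's behalf.
// 2. The stored value is echoed back unescaped, so a value that closes
//    the attribute and adds markup becomes stored XSS for every viewer.
function dpm_settings_page_unprotected() {
    if ( isset( $_POST['oldstructure'] ) ) {
        $config = get_option( 'dean_pm_config', array() );
        $config['oldstructure'] = $_POST['oldstructure'];   // stored as-is
        update_option( 'dean_pm_config', $config );
    }
    $config = get_option( 'dean_pm_config', array( 'oldstructure' => '' ) );
    echo '<form method="post">';
    echo '<input name="oldstructure" value="' . $config['oldstructure'] . '">'; // unescaped
    echo '<input type="submit"></form>';
}

// --- Hardened pattern -------------------------------------------------
function dpm_settings_page_hardened() {
    // Only users allowed to manage options may reach this page at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    if ( isset( $_POST['oldstructure'] ) ) {
        // Aborts unless the request carries a valid nonce bound to this
        // action and the current user; a cross-site forged POST has none.
        check_admin_referer( 'dpm_save_settings' );
        $config = get_option( 'dean_pm_config', array() );
        // Normalise on the way in (strip tags, control chars, slashes) ...
        $config['oldstructure'] = sanitize_text_field( wp_unslash( $_POST['oldstructure'] ) );
        update_option( 'dean_pm_config', $config );
    }
    $config = get_option( 'dean_pm_config', array( 'oldstructure' => '' ) );
    echo '<form method="post">';
    wp_nonce_field( 'dpm_save_settings' );   // emits the hidden nonce field
    // ... and escape on the way out, so stored data cannot break out of the attribute.
    echo '<input name="oldstructure" value="' . esc_attr( $config['oldstructure'] ) . '">';
    echo '<input type="submit"></form>';
}
```

Escaping at output is what stops the stored payload from running regardless of how it got into the database; the nonce check is what stops the forged request from storing it in the first place, and both are needed.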
5. Timeline
Bug Found: 11/01/2008
Vendor Contact: 12/01/2008
Vendor Response: --/--/--
Public Disclosure: 21/01/2008
Copy: http://g30rg3x.com/xsrf-bajo-deans-permalinks-migration-10/ (Spanish Only)
_________________________
g30rg3_x