Date: Thu, 26 Apr 2012 20:09:01 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: IA, CSRF and FPD vulnerabilities in Organizer for WordPress

Hello list!

I want to warn you about multiple new security vulnerabilities in the plugin 
Organizer for WordPress. This is the third in a series of advisories 
concerning vulnerabilities in this plugin.

These are Insufficient Authorization, Cross-Site Request Forgery and Full 
path disclosure vulnerabilities.

-------------------------
Affected products:
-------------------------

Vulnerable are Organizer 1.2.1 and previous versions.

As the developer of the plugin answered me, he doesn't support it anymore 
and will not be fixing any vulnerabilities in it.

----------
Details:
----------

Insufficient Authorization (WASC-02):

Access to users.php and execution of all its operations are allowed to any user 
of the system (even a Subscriber).

http://site/wp-admin/admin.php?page=organizer/page/users.php

Viewing the settings and adding, editing and deleting users' settings are 
possible. In particular, any user (such as a Subscriber) can set, even for his 
own account, the allowed extensions for uploaded files, e.g. php.

Thus an unprivileged user can conduct Persistent XSS attacks on the admin (via 
the two earlier-mentioned Persistent XSS holes). This vulnerability also 
allows conducting CSRF attacks (for changing the settings) not only on the 
admin, but on any logged-in user.

CSRF (WASC-09):

All functionality of the plugin is vulnerable to CSRF attacks. Besides the 
earlier-mentioned CSRF in the script users.php, e.g. in the script dir.php via 
CSRF it's possible to create, rename and delete directories (it's possible to 
rename and delete only empty directories). For this it's necessary to send 
three corresponding POST requests.

http://site/wp-admin/admin.php?page=organizer/page/dir.php

And in the script view.php via CSRF it's possible to rename, copy and delete 
uploaded files. For this it's necessary to send three corresponding POST 
requests.

http://site/wordpress/wp-admin/admin.php?page=organizer/page/view.php

FPD (WASC-13):

The script http://site/wordpress/wp-admin/admin.php?page=organizer/page/view.php 
has built-in functionality (and a vulnerability): showing the full path on the 
server.

------------
Timeline:
------------

2012.04.15 - informed the developer about the previous vulnerabilities.
2012.04.17 - the developer answered that he doesn't support the plugin 
anymore.
2012.04.17 - additionally informed the developer about the new vulnerabilities.
2012.04.20 - disclosed at my site (http://websecurity.com.ua/5801/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
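The two root causes reported above (a settings page reachable by any role, and state-changing POST handlers with no request token) are both addressed by the standard WordPress pattern of a capability check plus a nonce. The following is an added example of that pattern for a hypothetical settings page; it is not code from the Organizer plugin or from the advisory author, and the slug `orgz_settings`, the option `orgz_allowed_ext` and the functions `orgz_render_settings_page()` / `orgz_save_settings()` are invented for illustration. The WordPress API calls (`add_menu_page`, `current_user_can`, `wp_nonce_field`, `check_admin_referer`, `wp_die`, `update_option`) are real core functions.

```php
<?php
/*
 * Added example (not the Organizer plugin's code): a WordPress admin page whose
 * settings handler enforces both authorization and CSRF protection.
 * 'orgz_settings', 'orgz_allowed_ext' and the orgz_* functions are hypothetical names.
 */

// 1. Register the page with a required capability. A Subscriber has neither
//    'manage_options' nor 'upload_files', so WordPress will not render the page
//    for that role at all. (Organizer's page/users.php had no such gate.)
add_action( 'admin_menu', function () {
    add_menu_page(
        'Organizer settings',        // page title
        'Organizer',                 // menu title
        'manage_options',            // capability required to open the page
        'orgz_settings',             // menu slug (hypothetical)
        'orgz_render_settings_page'  // render callback
    );
} );

function orgz_render_settings_page() {
    // Re-check inside the callback: menu registration alone is not a substitute
    // for checking in the code that actually does the work.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to access this page.', 403 );
    }

    if ( isset( $_POST['orgz_allowed_ext'] ) ) {
        orgz_save_settings();
    }
    ?>
    <form method="post">
        <?php
        // Emits a hidden field whose value is tied to the action name, the
        // current user and a time window; a form on another site cannot forge it.
        wp_nonce_field( 'orgz_save_settings', 'orgz_nonce' );
        ?>
        <label>Allowed upload extensions (comma separated)
            <input type="text" name="orgz_allowed_ext"
                   value="<?php echo esc_attr( get_option( 'orgz_allowed_ext', 'jpg,png,pdf' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function orgz_save_settings() {
    // 2. Authorization (fixes the Insufficient Authorization class): only users
    //    who may manage options can change settings, and never "for his own account".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }

    // 3. CSRF (fixes the CSRF class): the POST must carry a valid nonce for this
    //    action. check_admin_referer() stops the request with an error when the
    //    nonce is missing or invalid, so a cross-site POST never reaches the update.
    check_admin_referer( 'orgz_save_settings', 'orgz_nonce' );

    // 4. Server-side policy: executable extensions are refused regardless of who
    //    asked, so the setting cannot be used to enable PHP uploads.
    $blocked = array( 'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar' );
    $exts    = array_map( 'trim', explode( ',', (string) $_POST['orgz_allowed_ext'] ) );
    $exts    = array_filter( $exts, function ( $e ) use ( $blocked ) {
        return $e !== ''
            && preg_match( '/^[a-z0-9]+$/i', $e )
            && ! in_array( strtolower( $e ), $blocked, true );
    } );

    update_option( 'orgz_allowed_ext', implode( ',', array_values( $exts ) ) );
}
```

The same two checks belong in every state-changing handler (the directory and file operations of dir.php and view.php included): a capability test against the privilege the operation really needs, and a nonce bound to that specific action. Neither check on its own is sufficient: the nonce does not prove the user is allowed to perform the action, and the capability check does not prove the user intended to perform it.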


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/