lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <d5d5430f0801221250l5ac5c9f8r24e81b269c5aeb23@mail.gmail.com>
Date: Tue, 22 Jan 2008 14:50:58 -0600
From: g30rg3_x <g30rg3x@...il.com>
To: bugtraq@...urityfocus.com
Subject: XSRF under Dean’s Permalinks Migration 1.0

1. Abstract
There is and a XSRF under Dean's Permalinks Migration Plugin version
1.0 which allow any attacker to conduct the user to do and a
unsolicited action this combined within a XSS bug (also found) in the
plugin allows and attacker to gain valid credentials for the WordPress
based CMS.

2. Explanation
Since the variable $dean_pm_config['oldstructure'] its not correctly
sanitized (when retrieving), this allow any user to store/save
"malicious code" inside the database and later be injected this
"malicious code" when the data is retrieved.
Using the XSRF as a "combo" we can create crafted pages that will
force users to conduct this injection and steal some valid credentials
to the WordPress based CMS.

3. Proof-Of-Concept
This is a very innocent and short PoC...
You can download this PoC here: http://g30rg3x.com/wp-files/PoC_dpm_10.zip

4. Solution
Since i couldn't contact the plugin author by any of the public ways
that he left on his website this force me to make and release and a
special sub-version for the plugin, version which i call 1.1-gx...
This version adds the need protection against the vulnerability and
uses some of the WordPress coding standards suggest by the WordPress
Developers.
You can download this version here: http://g30rg3x.com/wp-files/dpm_11gx.zip

5. Timeline
Bug Found: 11/01/2008
Vendor Contact: 12/01/2008
Vendor Response: --/--/--
Public Disclosure: 21/01/2008

Copy: http://g30rg3x.com/xsrf-bajo-deans-permalinks-migration-10/ (Spanish Only)
_________________________
             g30rg3_x

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ