Message-ID: <f2e29425-8538-da41-c90e-c65d3d3e169f@securify.nl>
Date: Mon, 8 Aug 2016 17:53:02 +0200
From: Summer of Pwnage <lists@...urify.nl>
To: fulldisclosure@...lists.org
Subject: [FD] Cross-Site Request Forgery vulnerability in Add From Server WordPress Plugin

------------------------------------------------------------------------
Cross-Site Request Forgery vulnerability in Add From Server WordPress Plugin
------------------------------------------------------------------------
Edwin Molenaar, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that Add From Server is vulnerable to Cross-Site Request
Forgery. It can be exploited by luring the target user into clicking a
specially crafted link or visiting a malicious website (or advertisement).
An attacker can use this issue to add illegal content to the victim's
server, or to add very large files to the victim's server to exhaust the
available disk space.
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160718-0004
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
These issues were successfully tested on Add From Server WordPress Plugin
version 6.2.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Add From Server version 3.3.2.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_vulnerability_in_add_from_server_wordpress_plugin.html
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS projects
in a fun and educational way.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
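The class of bug described above is a WordPress admin action that performs a side effect (copying a file into the site) without tying the request to a form the user actually submitted. The example below is added here and is not code from the Add From Server plugin or from the advisory; it contrasts a hypothetical handler with no request-origin check against one protected by a WordPress nonce and a size cap, with `hypothetical_do_import()` standing in for whatever import routine a plugin uses.

```php
<?php
// Hypothetical WordPress admin handler that imports a file already on the
// server into the media library. Not the Add From Server plugin's code.
// hypothetical_do_import( $path ) is an assumed helper that does the import.

// BEFORE (CSRF-prone): a capability check alone is not enough. If a logged-in
// user with upload rights is lured to an attacker-controlled page, the browser
// sends this request with the victim's cookies and the import runs.
function hypothetical_import_insecure() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $path = sanitize_text_field( wp_unslash( $_REQUEST['file'] ?? '' ) );
    hypothetical_do_import( $path );
}

// AFTER: the form carries a nonce bound to this action and to the current
// user's session, and the handler refuses to act without a valid one.
function hypothetical_import_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hypothetical_import">';
    wp_nonce_field( 'hypothetical_import_file', '_hypothetical_nonce' );
    echo '<input type="text" name="file"><button type="submit">Import</button></form>';
}

function hypothetical_import_secure() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // Fails closed: wp_die()s with 403 if the nonce is missing, forged or expired.
    check_admin_referer( 'hypothetical_import_file', '_hypothetical_nonce' );

    $path = sanitize_text_field( wp_unslash( $_POST['file'] ?? '' ) );
    $real = realpath( $path );
    if ( false === $real || ! is_file( $real ) ) {
        wp_die( 'File not found', '', array( 'response' => 400 ) );
    }
    // Cap the size so a forged or abusive request cannot exhaust disk space
    // (the disk-exhaustion impact named in the advisory). Limit is an assumption.
    $max_bytes = 50 * 1024 * 1024;
    if ( filesize( $real ) > $max_bytes ) {
        wp_die( 'File too large', '', array( 'response' => 413 ) );
    }
    hypothetical_do_import( $real );
}
// admin-post.php routes action=hypothetical_import to this handler for
// authenticated users only.
add_action( 'admin_post_hypothetical_import', 'hypothetical_import_secure' );
```

The nonce is the control that defeats the "lure the user to a malicious page" scenario: a third-party page cannot read it, so a request it forges arrives without one and is rejected before any file is touched.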