Message-ID: <f2e29425-8538-da41-c90e-c65d3d3e169f@securify.nl>
Date: Mon, 8 Aug 2016 17:53:02 +0200
From: Summer of Pwnage <lists@...urify.nl>
To: fulldisclosure@...lists.org
Subject: [FD] Cross-Site Request Forgery vulnerability in Add From Server WordPress Plugin
------------------------------------------------------------------------
Cross-Site Request Forgery vulnerability in Add From Server WordPress
Plugin
------------------------------------------------------------------------
Edwin Molenaar, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that Add From Server is vulnerable to Cross-Site
Request Forgery. It can be exploited by luring the target user into
clicking a specially crafted link or visiting a malicious website (or
advertisement). An attacker can use this issue to add illegal content to
the victim's server, or to add very large files to the victim's server
to exhaust the available disk space.
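For reference, the following is an added illustration of how a WordPress admin action of this kind is normally protected against the forged requests described above; it is not code from the Add From Server plugin, and the handler, action and nonce names are assumed:

```php
<?php
// Added illustration (not code from the Add From Server plugin): a WordPress
// admin action that imports a file already present on the server, guarded the
// way WordPress expects. Handler, action and nonce names are assumed.

// Render the form: wp_nonce_field() embeds a per-user, time-limited token that
// a third-party site cannot read, so a request forged from elsewhere lacks it.
function afs_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="afs_demo_import">
        <?php wp_nonce_field( 'afs_demo_import' ); ?>
        <input type="text" name="path" value="">
        <?php submit_button( 'Import' ); ?>
    </form>
    <?php
}

// Handle the submission. The two checks below are what stops the CSRF
// described in the advisory: without them, any logged-in user who visits an
// attacker-controlled page could be made to import files into the site.
function afs_demo_handle_import() {
    // 1. Nonce check: aborts when the token is missing, expired, or was issued
    //    to a different user/session.
    check_admin_referer( 'afs_demo_import' );

    // 2. Capability check: only users allowed to upload files may import.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( esc_html__( 'You are not allowed to import files.' ) );
    }

    // Confine the requested path to the uploads directory so the import
    // cannot be pointed at arbitrary files on the server.
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $path    = realpath( $base . '/' . wp_unslash( $_POST['path'] ?? '' ) );
    if ( false === $path || 0 !== strpos( $path, $base ) ) {
        wp_die( esc_html__( 'Invalid path.' ) );
    }

    // ... register $path as an attachment (e.g. wp_insert_attachment) ...
    wp_safe_redirect( admin_url( 'upload.php' ) );
    exit;
}
add_action( 'admin_post_afs_demo_import', 'afs_demo_handle_import' );
```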
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160718-0004
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Add From Server WordPress
Plugin version 6.2.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Add From Server version 3.3.2.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_vulnerability_in_add_from_server_wordpress_plugin.html
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.