Message-ID: <c53672a6e77f8c8bc2bcfd2717b96aaa@security.dxw.com>
Date: Mon, 8 May 2017 17:22:53 +0000
From: dxw Security <security@....com>
To: fulldisclosure@...lists.org
Subject: [FD] CSRF/Stored XSS in MSMC – Redirect After Comment could allow unauthenticated individuals to do almost anything (WordPress plugin)
Details
================
Software: MSMC - Redirect After Comment
Version: 2.1.2
Homepage: https://wordpress.org/plugins/msmc-redirect-after-comment/
Advisory report: https://security.dxw.com/advisories/csrf-stored-xss-in-msmc-redirect-after-comment/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
Description
================
CSRF/Stored XSS in MSMC – Redirect After Comment could allow unauthenticated individuals to do almost anything
Vulnerability
================
The plugin's settings handler updates the redirect location from a request parameter on a plain GET with no nonce check (CSRF), and the stored value is then rendered in the settings page without escaping (stored XSS). An unauthenticated attacker who persuades a logged-in admin user to open a crafted link (for example by emailing it to them) can therefore store arbitrary HTML that executes as JavaScript within /wp-admin/ in that admin's browser.
The attacker could use this to create a new user, create posts, add arbitrary PHP code (if the theme/plugin file editor is enabled), or do almost anything else a logged-in admin user can do.
Proof of concept
================
Step 1: Log in as an admin user.
Step 2: Visit this URL to store the arbitrary HTML: http://localhost/wp-admin/options-general.php?page=msmc-comment-redirect&action=1&MSMC_redirect_location=http://localhost/?%22%3E%3Cscript%3Ealert(1)%3C/script%3E
Step 3: Visit this URL to execute the JavaScript: http://localhost/wp-admin/options-general.php?page=msmc-comment-redirect
Step 3 is only needed in browsers with a reflected-XSS filter, which block a script that also appears in the request URL; in browsers without one (e.g. Firefox) the response to Step 2 already renders the stored value and the script runs immediately.
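To make the two defects concrete, the following is an added illustration and not the plugin's actual source (which is not reproduced in this advisory): a settings handler written in the pattern the proof of concept implies, followed by the hardened form a plugin author would ship. The option name, hook names and the `msmc_example_` function names are assumptions chosen for the example; only the request parameter `MSMC_redirect_location` and the page slug come from the PoC URLs above.

```php
<?php
// Added example: a reconstruction of the vulnerable pattern, NOT the plugin's real code.
// Option name 'msmc_redirect_location' and the function names are assumptions.

// --- Vulnerable pattern ----------------------------------------------------
function msmc_example_vulnerable_settings_page() {
    // Defect 1 (CSRF): a state change is performed on a plain GET with no nonce
    // and no capability check, so any URL an admin is lured into opening
    // rewrites the option.
    if ( isset( $_GET['action'] ) && isset( $_GET['MSMC_redirect_location'] ) ) {
        update_option( 'msmc_redirect_location', $_GET['MSMC_redirect_location'] );
    }

    // Defect 2 (stored XSS): the stored value is echoed into an attribute
    // without escaping. The PoC value  http://localhost/?"><script>alert(1)</script>
    // closes the attribute and the <input> tag, then injects a script that runs
    // in /wp-admin/ in the admin's browser.
    $location = get_option( 'msmc_redirect_location', '' );
    echo '<input type="text" name="MSMC_redirect_location" value="' . $location . '">';
}

// --- Hardened pattern ------------------------------------------------------
function msmc_example_hardened_settings_page() {
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['MSMC_redirect_location'] ) ) {
        // Only administrators may change plugin settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions' );
        }
        // Nonce bound to this action and the current user's session; a forged
        // cross-site request cannot supply it. Dies on failure.
        check_admin_referer( 'msmc_save_settings', 'msmc_nonce' );

        // Sanitise on input: keep only an http(s) URL, dropping the PoC payload.
        $location = esc_url_raw(
            wp_unslash( $_POST['MSMC_redirect_location'] ),
            array( 'http', 'https' )
        );
        update_option( 'msmc_redirect_location', $location );
    }

    $location = get_option( 'msmc_redirect_location', '' );
    echo '<form method="post">';
    wp_nonce_field( 'msmc_save_settings', 'msmc_nonce' );
    // Escape on output regardless of input sanitisation: esc_attr() turns " into
    // &quot;, so an attribute breakout is impossible even if a bad value is stored.
    echo '<input type="text" name="MSMC_redirect_location" value="' . esc_attr( $location ) . '">';
    submit_button();
    echo '</form>';
}
```

The hardened form applies all four controls the PoC relies on being absent: a POST-only state change, a capability check, a nonce check, and escaping at the point of output. Each is cheap on its own, and the nonce alone would have broken the CSRF step while `esc_attr()` alone would have neutralised the stored payload.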
Mitigations
================
The plugin author has indicated that this plugin is abandonware and has unpublished it from the WordPress directory. Disable and uninstall the plugin, as this bug will not be fixed.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@....com to acknowledge this report if you received it via a third party (for example, plugins@...dpress.org) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report within 14 days.
Timeline
================
2017-03-17: Discovered
2017-03-20: Sent a public message on Twitter requesting the ability to DM with them
2017-03-20: Plugin author responded that the plugin was abandonware and that I could DM them
2017-03-21: Sent another public message as I was still unable to send them a DM
2017-04-04: Sent another public message
2017-04-10: The plugin was removed from wordpress.org
2017-04-24: Sent another public message to check that the plugin was permanently removed
2017-05-08: Published
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/