[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

XSRF under Dean’s Permalinks Migration 1.0

1. Abstract
There is and a XSRF under Dean's Permalinks Migration Plugin version
1.0 which allow any attacker to conduct the user to do and a
unsolicited action this combined within a XSS bug (also found) in the
plugin allows and attacker to gain valid credentials for the WordPress
based CMS.

2. Explanation
Since the variable $dean_pm_config['oldstructure'] its not correctly
sanitized (when retrieving), this allow any user to store/save
"malicious code" inside the database and later be injected this
"malicious code" when the data is retrieved.
Using the XSRF as a "combo" we can create crafted pages that will
force users to conduct this injection and steal some valid credentials
to the WordPress based CMS.

3. Proof-Of-Concept
This is a very innocent and short PoC...
You can download this PoC here: http://g30rg3x.com/wp-files/PoC_dpm_10.zip

4. Solution
Since i couldn't contact the plugin author by any of the public ways
that he left on his website this force me to make and release and a
special sub-version for the plugin, version which i call 1.1-gx...
This version adds the need protection against the vulnerability and
uses some of the WordPress coding standards suggest by the WordPress
You can download this version here: http://g30rg3x.com/wp-files/dpm_11gx.zip

5. Timeline
Bug Found: 11/01/2008
Vendor Contact: 12/01/2008
Vendor Response: --/--/--
Public Disclosure: 21/01/2008

Copy: http://g30rg3x.com/xsrf-bajo-deans-permalinks-migration-10/ (Spanish Only)