oss-sec mailing list archives

Re: CVE request: WordPress plugin wp-cleanfix CSRF


From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 18 May 2013 14:55:09 -0600


On 05/18/2013 03:50 AM, Henri Salo wrote:
On Sat, May 18, 2013 at 12:54:23AM -0600, Kurt Seifried wrote:
Sorry I'm not clear, this appears to be two vulns, a CSRF, and a 
remote code exec, the remote code exec can be triggered via the
CSRF (so remote anon attacker can pull this off with some social 
engineering/etc.), but can also be done by users with access?
Thanks.

File wpCleanFixAjax.php contains:

30  $command = strip_tags( $_POST['command'] );
31  eval ( $command );

and there is:

12 if ( is_admin() && _wpdk_is_ajax() ) {

So it only works when logged in as administrator. This is not a
security vulnerability as is, because a WordPress administrator can
upload/edit PHP as she or he likes.

There is a CSRF vulnerability, which can be used to execute
arbitrary PHP.

POST /wordpress/wordpress-351/wp-admin/admin-ajax.php 
action=wpCleanFixAjax&command=echo phpversion();

So in short: two vulnerabilities, but eval can't be used without
CSRF as far as I can tell.

--- Henri Salo


Ok this is a slightly messy one. Normally yes, WP admin can modify the
site and thus execute arbitrary PHP, so a remote flaw that allows php
command execution only for admin would be a security flaw (e.g. worthy
of hardening) but not typically a security vulnerability (e.g. worthy
of a CVE and full security treatment).

However in this case it is exploitable, the CSRF provides a vector for
exploitation. So it gets a separate CVE.

So please use CVE-2013-2108 for the WordPress plugin wp-cleanfix CSRF

And please use CVE-2013-2109 for the WordPress plugin wp-cleanfix Code
Execution

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
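The fix a defender would want for the pattern Henri quotes (an admin-ajax.php handler that gates on is_admin() and then evals a POST parameter, reachable through CSRF) is shown below as an added example; it is not the wp-cleanfix plugin's code. It uses WordPress's nonce check and an explicit capability check, and replaces eval with a dispatch over a fixed allowlist of handlers. The action name, the nonce action string, the handler names and the maintenance routines are assumptions.

```php
<?php
// Added example (not the wp-cleanfix plugin's code): a hardened admin-ajax.php
// handler for the pattern quoted in the thread. All names here are assumed.

// The "wp_ajax_" prefix (without "nopriv") means WordPress only routes the
// request to this callback for authenticated users.
add_action( 'wp_ajax_example_cleanfix', 'example_cleanfix_ajax' );

function example_cleanfix_ajax() {
    // 1. CSRF: the request must carry a nonce minted for this action and this
    //    logged-in user. A forged cross-site POST cannot supply it, so
    //    check_ajax_referer() terminates the request before anything runs.
    check_ajax_referer( 'example_cleanfix_nonce', 'nonce' );

    // 2. Authorization: is_admin() only means "this is an admin-side request",
    //    not "this user is an administrator". Check the capability explicitly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. No eval: map the client's "command" onto a fixed allowlist of
    //    callables. Anything else is rejected regardless of the nonce.
    $allowed = array(
        'optimize_tables' => 'example_cleanfix_optimize_tables',
        'purge_revisions' => 'example_cleanfix_purge_revisions',
    );
    $command = isset( $_POST['command'] ) ? sanitize_key( wp_unslash( $_POST['command'] ) ) : '';
    if ( ! isset( $allowed[ $command ] ) ) {
        wp_send_json_error( array( 'message' => 'unknown command' ), 400 );
    }

    $result = call_user_func( $allowed[ $command ] );
    wp_send_json_success( $result );
}

// Assumed maintenance routines; neither takes any user-controlled input.
function example_cleanfix_optimize_tables() {
    global $wpdb;
    $tables = $wpdb->get_col( 'SHOW TABLES' );
    foreach ( $tables as $table ) {
        $wpdb->query( 'OPTIMIZE TABLE `' . esc_sql( $table ) . '`' );
    }
    return array( 'optimized' => count( $tables ) );
}

function example_cleanfix_purge_revisions() {
    $revisions = get_posts( array(
        'post_type'   => 'revision',
        'post_status' => 'any',
        'numberposts' => -1,
        'fields'      => 'ids',
    ) );
    foreach ( $revisions as $id ) {
        wp_delete_post_revision( $id );
    }
    return array( 'purged' => count( $revisions ) );
}

// Admin-side script that calls the handler. The nonce is rendered server-side
// into the page, so only a page WordPress itself served can POST it back.
add_action( 'admin_enqueue_scripts', function () {
    wp_register_script( 'example-cleanfix', plugins_url( 'cleanfix.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-cleanfix', 'exampleCleanfix', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_cleanfix_nonce' ),
    ) );
    wp_enqueue_script( 'example-cleanfix' );
} );
```

The two checks address the two CVEs separately: the nonce closes the CSRF vector, and removing eval in favour of an allowlist means that even an authenticated administrator's request can only trigger the plugin's own maintenance routines, which is the hardening Kurt describes as worthwhile on its own.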

