oss-sec mailing list archives

Re: CVE request: WordPress plugin wp-cleanfix CSRF


From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 18 May 2013 00:54:23 -0600

On 05/16/2013 08:59 AM, Henri Salo wrote:
> Hello,
>
> Can I get a CVE for a CSRF vulnerability in WordPress plugin
> wp-cleanfix, thanks. An attacker can execute arbitrary PHP code using
> eval() in wpCleanFixAjax.php with CSRF. I also noticed the plugin
> contains wp-cleanfix.php:
>
> <script type="text/javascript"
> src="http://blog.wpxtre.me/widget/?<?php echo time() ?>"></script>
>
> Tested: 2.4.4
>
> Information posted originally 11 months ago, but eval() alone is
> not dangerous. Not sure if this should be 2012 or 2013 CVE.
>
> References:
> http://wordpress.org/support/topic/plugin-wp-cleanfix-remote-code-execution-warning
> https://github.com/wpscanteam/wpscan/issues/186
> http://wordpress.org/extend/plugins/wp-cleanfix/
>
> --- Henri Salo

Sorry I'm not clear, this appears to be two vulns, a CSRF, and a
remote code exec, the remote code exec can be triggered via the CSRF
(so remote anon attacker can pull this off with some social
engineering/etc.), but can also be done by users with access? Thanks.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
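The reply above separates two defects: a missing CSRF (nonce) check and eval() reached with request data. The triage script below is an added example, not part of the original thread and not the plugin's code; it flags each defect independently in PHP source. The three PHP samples and the names in them (example_action, example_optimize_tables) are constructed, and the regex matching is a one-hop heuristic, not a PHP parser.

```python
import re

REQ = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"          # request-controlled superglobals
COMMENTS = re.compile(r"/\*.*?\*/|^[ \t]*(?://|#)[^\n]*", re.S | re.M)
ASSIGN = re.compile(r"\$(\w+)\s*=[^;=]*" + REQ)     # $var = ... $_POST[...] (one hop)
EVAL_ARG = re.compile(r"(?<![\w>:$])eval\s*\(([^;]*)", re.I)
# WordPress core functions that verify an anti-CSRF nonce / a user capability.
NONCE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
CAP = re.compile(r"\bcurrent_user_can\s*\(")

def audit_php(source):
    """Return sorted finding labels for one PHP file (heuristic triage)."""
    code = COMMENTS.sub("", source)               # ignore commented-out code
    tainted = set(ASSIGN.findall(code))           # variables fed from the request
    findings = set()
    for arg in EVAL_ARG.findall(code):
        via_var = any(re.search(r"\$" + re.escape(v) + r"\b", arg) for v in tainted)
        if re.search(REQ, arg) or via_var:
            findings.add("eval-on-request-data")  # the code-execution defect
    if re.search(REQ, code):                      # file acts on request input
        if not NONCE.search(code):
            findings.add("no-nonce-check")        # the CSRF defect
        if not CAP.search(code):
            findings.add("no-capability-check")   # any logged-in user can call it
    return sorted(findings)

# Constructed samples (hypothetical handlers, not taken from wp-cleanfix).
UNPROTECTED = r"""<?php
// constructed sample
$command = $_POST['command'];
eval($command);
"""
NONCE_ONLY = r"""<?php
check_ajax_referer('example_action', 'nonce');
eval($_POST['command']);
"""
HARDENED = r"""<?php
check_ajax_referer('example_action', 'nonce');
if (!current_user_can('manage_options')) { wp_die(); }
$task = sanitize_key($_POST['task']);
$allowed = array('optimize' => 'example_optimize_tables');
if (isset($allowed[$task])) { call_user_func($allowed[$task]); }
"""

if __name__ == "__main__":
    for name, src in (("unprotected", UNPROTECTED), ("nonce only", NONCE_ONLY),
                      ("hardened", HARDENED)):
        print(name, audit_php(src))
```

The NONCE_ONLY sample shows why the two findings are tracked separately: adding a nonce closes the CSRF path, but eval() on request data remains reachable by any user who can obtain a valid nonce.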

