oss-sec mailing list archives
Re: CVE request: WordPress plugin wp-cleanfix CSRF
From: Henri Salo <henri () nerv fi>
Date: Sat, 18 May 2013 12:50:54 +0300
On Sat, May 18, 2013 at 12:54:23AM -0600, Kurt Seifried wrote:
> Sorry I'm not clear, this appears to be two vulns, a CSRF, and a remote code exec, the remote code exec can be triggered via the CSRF (so remote anon attacker can pull this off with some social engineering/etc.), but can also be done by users with access? Thanks.
File wpCleanFixAjax.php contains:

    30 $command = strip_tags( $_POST['command'] );
    31 eval ( $command );

and there is:

    12 if ( is_admin() && _wpdk_is_ajax() ) {

So it only works when logged in as administrator. This is not a security vulnerability as is, because a WordPress administrator can upload/edit PHP as she or he likes.

There is a CSRF vulnerability, which can be used to execute arbitrary PHP:

    POST /wordpress/wordpress-351/wp-admin/admin-ajax.php
    action=wpCleanFixAjax&command=echo phpversion();

So in short: two vulnerabilities, but eval can't be used without CSRF as far as I can tell.

---
Henri Salo
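As an added illustration (not part of Henri's message and not the plugin's own code), the handler pattern quoted above is shown beside a hardened form that verifies a WordPress nonce, checks a real capability and dispatches to a fixed allowlist instead of eval. The function names, the nonce action 'wpcleanfix_action', the 'nonce' request field and the allowlist targets are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. Requires a WordPress runtime.

// --- Vulnerable pattern (as quoted from wpCleanFixAjax.php lines 12, 30-31) ---
// is_admin() only reports that an admin-side request (admin-ajax.php included)
// is being served; it is neither a capability check nor a CSRF check, and
// strip_tags() does nothing against PHP code. A request the victim's browser
// sends with the administrator's cookies therefore reaches eval().
function wpcleanfix_ajax_vulnerable() {
    if ( is_admin() && _wpdk_is_ajax() ) {
        $command = strip_tags( $_POST['command'] );
        eval( $command );
    }
}

// --- Hardened form (assumed names: nonce action 'wpcleanfix_action',
//     request field 'nonce', and the $actions allowlist targets) ---
function wpcleanfix_ajax_hardened() {
    // 1. Reject cross-site requests. The nonce is bound to the logged-in user
    //    and session and must be emitted by the plugin's own page via
    //    wp_create_nonce( 'wpcleanfix_action' ); a forged form cannot supply it.
    check_ajax_referer( 'wpcleanfix_action', 'nonce' );

    // 2. Require a privilege, not merely "this is an admin-side request".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden' );
    }

    // 3. Never evaluate user input: map the request onto fixed operations
    //    (hypothetical maintenance functions, assumed to exist in the plugin).
    $actions = array(
        'clear_transients' => 'wpcleanfix_clear_transients',
        'optimize_tables'  => 'wpcleanfix_optimize_tables',
    );
    $command = isset( $_POST['command'] ) ? sanitize_key( $_POST['command'] ) : '';
    if ( ! isset( $actions[ $command ] ) ) {
        wp_send_json_error( 'unknown command' );
    }
    wp_send_json_success( call_user_func( $actions[ $command ] ) );
}
add_action( 'wp_ajax_wpCleanFixAjax', 'wpcleanfix_ajax_hardened' );
```

With the nonce check in place the POST shown in the message fails before any command is examined, and with the allowlist in place even a request that passes the nonce and capability checks can only trigger one of the named operations.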