oss-sec mailing list archives

Re: CVE requests / Advisory: Codestyling Localization (Wordpress plugin) - multiple RCE via CSRF, multiple XSS


From: Matthew Daley <mattd () bugfuzz com>
Date: Sat, 13 Jun 2015 23:27:43 +1200

On 5 June 2015 at 08:52,  <cve-assign () mitre org> wrote:
>> The plugin contains multiple AJAX actions that, while having the
>> necessary permission checks, do not have anti-CSRF protection

> It appears that the main vulnerability you are reporting is the
> multiple CSRF. Use CVE-2015-4179.

> In reading your advisory, we weren't able to determine if there are
> any realistic scenarios in which an authenticated user would
> intentionally use csp_po_scan_source_file or csp_po_save_catalog_entry
> for RCE (i.e., scenarios that do not involve CSRF) and thereby obtain
> additional access to the server machine. We think you may mean
> scenarios in which the authenticated user has the manage_options
> capability but not the edit_plugins capability.

The manage_options capability is required to trigger any of the
RCE'able actions, hence normal users (without the capability) cannot
exploit them (unless they target an administrator with a CSRF attack,
as described in the advisory).

However, I hadn't considered users with the manage_options capability
exploiting the RCE'able actions themselves. So yes, I suppose
Administrators could use this to escalate to Super Administrator on
multisite WordPress installations (multisite Super Administrators get
extra capabilities compared to normal Administrators; see
<https://codex.wordpress.org/Roles_and_Capabilities#Super_Admin> and
<https://codex.wordpress.org/Roles_and_Capabilities#Additional_Admin_Capabilities>).

> (As always, to obtain multiple CVE IDs for a report, it is useful to
> describe all of the substantially distinct scenarios, not only the
> scenarios in which risk is greatest.)

> Also, we did not understand whether the "Multiple XSS in various AJAX
> actions ... reflected unescaped POST parameters in certain AJAX
> actions' responses" issue is independently relevant. Do you mean that
> there is unescaped reflection regardless of whether the AJAX action is
> authorized?

No, the actions have appropriate authorisation checks and will not be
vulnerable to XSS if the caller is unauthorised.

> More specifically, if all of the CSRF issues in the plugin
> were fixed in a normal way, would unauthenticated attackers be able to
> conduct XSS attacks by hosting JavaScript code that forces an
> administrator's browser to make a POST request without a nonce?

Assuming that the usual WordPress anti-CSRF nonces were added in the
appropriate locations, i.e., to the csp_po_check_security function,
then no.

- Matthew
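The pattern the thread turns on, as an added illustration that is not the plugin's own code and not part of the original message: a WordPress AJAX gate that only checks a capability (reachable by CSRF, since the victim's cookies are sent automatically) beside the "fixed in the normal way" gate that also demands a WordPress nonce, plus escaping of a reflected POST parameter. The function bodies, the `csp_po_demo` action and the `csp-po-demo` script handle are hypothetical; the page only tells us that the plugin's real check lives in a function named csp_po_check_security.

```php
<?php
// Added example (not Codestyling Localization's code). Bodies, the
// 'csp_po_demo' action and the 'csp-po-demo' handle are hypothetical.

// --- Vulnerable pattern: capability check only -------------------------------
// A third-party page can make a logged-in administrator's browser POST
//   action=csp_po_demo&catalog=... to /wp-admin/admin-ajax.php
// (an auto-submitting <form method="post">), and this check passes because
// the browser attaches the admin's session cookies. That is the CSRF case.
function csp_po_check_security_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
}

// --- Hardened pattern: capability check + per-action nonce -------------------
// check_ajax_referer() runs wp_verify_nonce() on the named request field and
// dies with -1 when the nonce is missing or invalid. Nonces are bound to the
// logged-in user and session, so an attacker's page cannot obtain a valid one.
function csp_po_check_security_fixed( $action ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_ajax_referer( 'csp_po_' . $action, '_wpnonce' );
}

// Hypothetical AJAX handler wired up the hardened way.
function csp_po_demo_handler() {
    csp_po_check_security_fixed( 'demo' );

    $catalog = isset( $_POST['catalog'] ) ? wp_unslash( $_POST['catalog'] ) : '';

    // Reflecting a POST parameter into the response is the XSS the thread
    // mentions. With the nonce in place only the nonce holder can reach this
    // line, but escape the output regardless of who the caller is.
    wp_send_json_success( array(
        'message' => 'Catalog: ' . esc_html( $catalog ),
    ) );
}
// wp_ajax_* hooks only fire for logged-in users; the nonce is what stops
// a logged-in user's browser from being driven here by someone else.
add_action( 'wp_ajax_csp_po_demo', 'csp_po_demo_handler' );

// The legitimate client must be handed the nonce so it can include it in
// the POST body as _wpnonce. Script file name is hypothetical.
function csp_po_demo_enqueue_scripts() {
    wp_enqueue_script(
        'csp-po-demo',
        plugins_url( 'demo.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'csp-po-demo', 'cspPoDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'csp_po_demo' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'csp_po_demo_enqueue_scripts' );
```

Two points the thread makes are visible in the ordering here. The capability check alone is what leaves the action CSRF-able, and it is also what keeps the reflected-parameter XSS out of reach of unauthorised callers; once a nonce check is added to the shared security function, an attacker's page can no longer produce a POST that passes it, so the XSS stops being reachable cross-site, which is exactly Matthew's answer above. Note that a nonce check must come after the capability check, and that the nonce does not remove the need for `esc_html()` on anything reflected.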
