Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <201309020043.r820hGQH015179@linus.mitre.org>
Date: Sun, 1 Sep 2013 20:43:16 -0400 (EDT)
From: cve-assign@...re.org
To: roguecoder@...h.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: [CVE Request] IndiaNIC Testimonial 2.2 WP plugin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> The testimonial plugin by IndiaNIC contains CSRF, XSS and SQLi vulnerabilities.
> I was able to deface the website, extract user credentials etc through crafted forms.
> Can someone please assign CVE's to this?
>
> 1: http://seclists.org/fulldisclosure/2013/Sep/5

> http://wordpress.org/plugins/indianic-testimonial/

The entire disclosure seems to be based on CSRF attacks against an
admin. Based on what you sent, we are not sure whether XSS is an
independent vulnerability in this plugin. Is there a usable XSS attack
that does not require a CSRF vulnerability, and does not require that
the admin intentionally enter an XSS attack string during an
authenticated session?

The SQL injection:

  name="custom_query" value="1=1) union select 1,2,3,@@version,5,6,7,8,9,10,11,12,13,14#"

is something that we would typically expect is an independent
vulnerability. A person who has admin access within a web interface is
not necessarily authorized to execute arbitrary SQL statements. We
found this code that seems to be relevant:

  http://plugins.svn.wordpress.org/indianic-testimonial/trunk/testimonial.php
  
      if ($_template_data['custom_query']) {
        $filter_by = " AND ({$_template_data['custom_query']})";
      }

      $_testimonial_result = $this->wpdb->get_results(
      "SELECT * FROM {$this->wpdb->prefix}inic_testimonial WHERE (id NOT IN(" .
      implode(",", $_current_featured_testimonial_id) . ")){$filter_by}
      ORDER BY {$_template_data['ord_by']} LIMIT {$_no_of_testimonial}");

So, the outcome at this point is:

  IndiaNIC Testimonial plugin 2.2 for WordPress

  CSRF:           Use CVE-2013-5672.
  SQL injection:  Use CVE-2013-5673.
  XSS:            no CVE assigned; waiting for other information that
                  XSS is an independent primary vulnerability here

MITRE's CVE team does not do vulnerability coordination, but we think
this disclosure process is not what the vendor would have preferred:

  2013-08-07 - Email sent to IndiaNIC
  2013-08-08 - Notification left on the plugin's Support board on wordpress.org

Please see the "For a WordPress plugin security issue, email plugins
[at] wordpress.org" step listed on the
http://codex.wordpress.org/FAQ_Security web page.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSI91WAAoJEGvefgSNfHMdFzgIAIIIKw5mquHpGMdKVgmEoA/H
NfKySaxYvWUhxspwxYP4tciasZWpMDI3AL3s8OTlOJ1uEr08GTEvUXd6lBvXvqRu
w0bQhYwpGBU6A5m71UWiOUKWUy7qKstC9fcUNlxbDysX7s+/tUzFZsqpXmtuTPc7
a/KFj/LuGcNi4voBqkv0/GZFNvU9jmySjhSVPCOwAiFw02HmU3GbmvJ24CNFvkca
QJNY3jxLA3h7YSHPk8A0sYxWiiAyKXeyjN5t2o2R0tHBiNpKIoqCZjH+YSjNo1IU
YuM7i3yfrQm8uGlLc8gB7NmWMMQqokf0BF4Gi3StFGBAsx+WrX3yAu45LvLyjMI=
=u0kJ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.