Message-Id: <201309020043.r820hGQH015179@linus.mitre.org>
Date: Sun, 1 Sep 2013 20:43:16 -0400 (EDT)
From: cve-assign@...re.org
To: roguecoder@...h.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: [CVE Request] IndiaNIC Testimonial 2.2 WP plugin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> The testimonial plugin by IndiaNIC contains CSRF, XSS and SQLi vulnerabilities.
> I was able to deface the website, extract user credentials etc through crafted forms.
> Can someone please assign CVE's to this?
>
> 1: http://seclists.org/fulldisclosure/2013/Sep/5
> http://wordpress.org/plugins/indianic-testimonial/

The entire disclosure seems to be based on CSRF attacks against an admin.
Based on what you sent, we are not sure whether XSS is an independent
vulnerability in this plugin. Is there a usable XSS attack that does not
require a CSRF vulnerability, and does not require that the admin
intentionally enter an XSS attack string during an authenticated session?

The SQL injection:

  name="custom_query" value="1=1) union select 1,2,3,@@version,5,6,7,8,9,10,11,12,13,14#"

is something that we would typically expect is an independent
vulnerability. A person who has admin access within a web interface is not
necessarily authorized to execute arbitrary SQL statements. We found this
code that seems to be relevant:

http://plugins.svn.wordpress.org/indianic-testimonial/trunk/testimonial.php

  if ($_template_data['custom_query']) {
      $filter_by = " AND ({$_template_data['custom_query']})";
  }
  $_testimonial_result = $this->wpdb->get_results(
      "SELECT * FROM {$this->wpdb->prefix}inic_testimonial WHERE (id NOT IN("
      . implode(",", $_current_featured_testimonial_id)
      . ")){$filter_by} ORDER BY {$_template_data['ord_by']} LIMIT {$_no_of_testimonial}");

So, the outcome at this point is:

IndiaNIC Testimonial plugin 2.2 for WordPress

CSRF: Use CVE-2013-5672.

SQL injection: Use CVE-2013-5673.

XSS: no CVE assigned; waiting for other information that XSS is an
independent primary vulnerability here

MITRE's CVE team does not do vulnerability coordination, but we think
this disclosure process is not what the vendor would have preferred:

  2013-08-07 - Email sent to IndiaNIC
  2013-08-08 - Notification left on the plugin's Support board on wordpress.org

Please see the "For a WordPress plugin security issue, email plugins [at]
wordpress.org" step listed on the http://codex.wordpress.org/FAQ_Security
web page.

- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSI91WAAoJEGvefgSNfHMdFzgIAIIIKw5mquHpGMdKVgmEoA/H
NfKySaxYvWUhxspwxYP4tciasZWpMDI3AL3s8OTlOJ1uEr08GTEvUXd6lBvXvqRu
w0bQhYwpGBU6A5m71UWiOUKWUy7qKstC9fcUNlxbDysX7s+/tUzFZsqpXmtuTPc7
a/KFj/LuGcNi4voBqkv0/GZFNvU9jmySjhSVPCOwAiFw02HmU3GbmvJ24CNFvkca
QJNY3jxLA3h7YSHPk8A0sYxWiiAyKXeyjN5t2o2R0tHBiNpKIoqCZjH+YSjNo1IU
YuM7i3yfrQm8uGlLc8gB7NmWMMQqokf0BF4Gi3StFGBAsx+WrX3yAu45LvLyjMI=
=u0kJ
-----END PGP SIGNATURE-----
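The query construction that MITRE quotes from testimonial.php is the whole root cause of the SQL injection CVE: the stored `custom_query` and `ord_by` template values are spliced into the SELECT as raw SQL text, so whoever can write the template (here, an attacker riding a CSRF against the admin) can append arbitrary clauses. The example below is an editor's addition, not the plugin's code and not part of the MITRE message: it models that PHP concatenation in Python, then shows the hardened form, which accepts only a single simple comparison, checks every identifier against an allowlist, and binds every value as a parameter. The table name, column names, allowlists and sample rows are assumptions made for the example (the plugin's real schema is not on the page); the `custom_query` value from the disclosure is used only as a negative input that the hardened builder must refuse.

```python
import re
import sqlite3

# Constructed stand-in for the plugin's {prefix}inic_testimonial table; the column
# names and rows are assumptions for this example, not the plugin's real schema.
TABLE = "wp_inic_testimonial"
SAMPLE_ROWS = [
    (1, "Alice", "Great service", 1),
    (2, "Bob", "Fast shipping", 0),
    (3, "Carol", "Would buy again", 1),
]

# Allowlists (assumed): the only identifiers a stored template may filter or order on.
FILTER_COLUMNS = {"id", "author", "featured"}
FILTER_OPS = {"=", "!=", "<", ">", "<=", ">="}
ORDER_COLUMNS = {"id", "author"}

# The custom_query value from the disclosure, used here only as a negative test input.
PAGE_PAYLOAD = "1=1) union select 1,2,3,@@version,5,6,7,8,9,10,11,12,13,14#"

# Accepted grammar for a legacy custom_query: <column> <op> <integer | 'quoted string'>.
_FILTER_RE = re.compile(r"^\s*(\w+)\s*(<=|>=|!=|=|<|>)\s*(\d+|'[^']*')\s*$")


def build_query_vulnerable(custom_query, ord_by, excluded_ids, limit):
    """Python rendering of the concatenation quoted from testimonial.php:
    every template value is spliced into the SQL text verbatim."""
    filter_by = f" AND ({custom_query})" if custom_query else ""
    excluded = ",".join(str(i) for i in excluded_ids)
    return (f"SELECT * FROM {TABLE} WHERE (id NOT IN({excluded})){filter_by} "
            f"ORDER BY {ord_by} LIMIT {limit}")


def parse_custom_query(custom_query):
    """Turn a free-text custom_query into one structured (column, op, value)
    filter, refusing anything that is not a single simple comparison."""
    m = _FILTER_RE.match(custom_query)
    if not m:
        raise ValueError(f"custom_query is not a simple comparison: {custom_query!r}")
    column, op, raw = m.groups()
    value = raw[1:-1] if raw.startswith("'") else int(raw)
    return [(column, op, value)]


def build_query_safe(filters, ord_by, excluded_ids, limit):
    """Build the same SELECT from allowlisted identifiers and bound parameters.
    Returns (sql, params) ready for a DB-API cursor."""
    if ord_by not in ORDER_COLUMNS:
        raise ValueError(f"ORDER BY column not allowed: {ord_by!r}")
    if not all(isinstance(i, int) for i in excluded_ids):
        raise ValueError("excluded ids must be integers")
    if not isinstance(limit, int) or limit < 1:
        raise ValueError("limit must be a positive integer")
    where, params = [], []
    if excluded_ids:  # the plugin's implode() would emit an invalid NOT IN() when empty
        where.append("id NOT IN (" + ",".join("?" * len(excluded_ids)) + ")")
        params.extend(excluded_ids)
    for column, op, value in filters:
        if column not in FILTER_COLUMNS:
            raise ValueError(f"filter column not allowed: {column!r}")
        if op not in FILTER_OPS:
            raise ValueError(f"filter operator not allowed: {op!r}")
        where.append(f"{column} {op} ?")  # identifier from the allowlist, value bound
        params.append(value)
    sql = f"SELECT * FROM {TABLE}"
    if where:
        sql += " WHERE " + " AND ".join(where)
    sql += f" ORDER BY {ord_by} LIMIT ?"
    params.append(limit)
    return sql, params


def accepts(custom_query, ord_by):
    """True if the template values pass validation, False if they would be rejected."""
    try:
        build_query_safe(parse_custom_query(custom_query), ord_by, [], 1)
    except ValueError:
        return False
    return True


def run_query(filters, ord_by, excluded_ids, limit):
    """Execute the hardened query against an in-memory copy of the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (id INTEGER PRIMARY KEY, author TEXT, "
                 "content TEXT, featured INTEGER)")
    conn.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    sql, params = build_query_safe(filters, ord_by, excluded_ids, limit)
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print(build_query_vulnerable(PAGE_PAYLOAD, "id", [1], 5))
    print("page payload accepted by hardened builder:", accepts(PAGE_PAYLOAD, "id"))
    print(run_query(parse_custom_query("featured = 1"), "id", [1], 10))
```

Two design points carry over to the real plugin. Identifiers (the ORDER BY column, the filter column) cannot be bound as parameters in any SQL driver, so an allowlist is the only safe way to let a template choose them; values can be bound, which in WordPress means `$wpdb->prepare()` rather than string interpolation. Separately, the settings form that stores `custom_query` and `ord_by` is the CSRF surface MITRE assigned the first CVE to, and in WordPress that form needs a nonce (`wp_nonce_field()` on output, `check_admin_referer()` on submit) regardless of how the query is built.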