Date: Tue, 16 Jun 2015 15:29:19 -0400 (EDT)
Subject: Re: CVE Request - Cross-Site Request Forgery Vulnerability in Users to CSV Wordpress Plugin v1.4.5

> I've discovered a CSRF vulnerability in the Users to CSV Wordpress Plugin
> v1.4.5 which allows user information to be exported via a GET request
> to users.php. I request a CVE for the same.

We typically don't have CVEs for CSRF issues in which the impact is
information disclosure, because the information is disclosed to the
victim rather than to the attacker.

Is there any way that the attacker can specify that the CSV data
should be written to a file with a public URL served by the web
server, so that the attacker can read it later? The source code
perhaps suggests that the data is always sent to the victim, e.g.,

  if ( is_admin() ) {
      header('Content-Disposition: attachment; filename="'.$table.'.csv"');
      echo $csv;
  }

Possibly there is a concern that the user data is sensitive
information that might be transmitted over an insecure network path in
cleartext during the CSRF attack, and this might be a network path
that the admin would avoid during any intentional access to the
WordPress installation. However, this is not the type of CSRF impact
that normally has a CVE, and the scenario in question could be
considered a site-specific problem or user error (i.e., either follow or at least don't
remain logged in after moving the client machine to an especially
insecure network).

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
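For contrast with the excerpt quoted above, here is an added illustration (not the plugin's own code, and not part of the thread) of a WordPress CSV export handler that refuses forged cross-site requests by requiring a nonce and a capability check; the action name, query parameter and function names are assumed, not the plugin's real identifiers.

```php
<?php
// Added illustration, not the Users to CSV plugin's code. The action name
// "u2c_export", the query parameter "users_to_csv_export" and the u2c_*
// function names are assumptions for this example.

// Build the export link so it carries a nonce tied to the logged-in user.
function u2c_export_url() {
    return wp_nonce_url(
        admin_url( 'users.php?users_to_csv_export=1' ),
        'u2c_export' // nonce action; must match the check below
    );
}

// Runs on every admin request; only acts when the export parameter is present.
function u2c_handle_export() {
    if ( empty( $_GET['users_to_csv_export'] ) ) {
        return;
    }
    // Note: is_admin() alone only tests that the request targets an admin
    // screen; it says nothing about who made it or why. A forged cross-site
    // GET carries no valid nonce, so check_admin_referer() stops the request
    // before any CSV is produced.
    check_admin_referer( 'u2c_export' );

    // Capability check: only users allowed to list users may export them.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $csv  = "ID,user_login,user_email\n";
    $rows = get_users( array( 'fields' => array( 'ID', 'user_login', 'user_email' ) ) );
    foreach ( $rows as $u ) {
        // Quote every field so commas or quotes in values cannot break the CSV.
        $csv .= sprintf( "\"%s\",\"%s\",\"%s\"\n",
            str_replace( '"', '""', $u->ID ),
            str_replace( '"', '""', $u->user_login ),
            str_replace( '"', '""', $u->user_email ) );
    }

    nocache_headers();
    header( 'Content-Type: text/csv; charset=' . get_option( 'blog_charset' ) );
    header( 'Content-Disposition: attachment; filename="users.csv"' );
    echo $csv;
    exit;
}
add_action( 'admin_init', 'u2c_handle_export' );
```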