
[FD] CSRF/Stored XSS in MSMC – Redirect After Comment could allow unauthenticated individuals to do almost anything (WordPress plugin)



Details
================
Software: MSMC - Redirect After Comment
Version: 2.1.2
Homepage: https://wordpress.org/plugins/msmc-redirect-after-comment/
Advisory report: 
https://security.dxw.com/advisories/csrf-stored-xss-in-msmc-redirect-after-comment/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description
================
CSRF/Stored XSS in MSMC – Redirect After Comment could allow unauthenticated 
individuals to do almost anything

Vulnerability
================
An unauthenticated attacker can cause arbitrary JavaScript to execute within 
/wp-admin/ in the browser of a logged-in admin user, simply by getting that 
admin to open a crafted link. The plugin's settings page accepts a new 
redirect location from a plain GET request with no nonce or other CSRF check, 
so the admin's browser stores the attacker's value; the page then renders the 
stored value back without escaping, so the payload runs in the admin's session 
(a stored XSS reached via CSRF).
The attacker could use this to create a new user, publish posts, add arbitrary 
PHP code (if the theme/plugin editor component is enabled), or do almost 
anything else a logged-in admin user can do.

Proof of concept
================
Step 1: Log in as an administrator (in a real attack the victim is already 
logged in).
Step 2: Visit this URL to store the arbitrary HTML (this is the link an 
attacker would send to the admin): 
http://localhost/wp-admin/options-general.php?page=msmc-comment-redirect&action=1&MSMC_redirect_location=http://localhost/?%22%3E%3Cscript%3Ealert(1)%3C/script%3E
Step 3: Visit this URL to execute the stored JavaScript: 
http://localhost/wp-admin/options-general.php?page=msmc-comment-redirect
Step 3 is only needed in browsers whose XSS filter blocks the reflected copy 
of the payload in the response to step 2. In browsers without such filtering 
(e.g. Firefox) the payload already executes at step 2, and because the value 
is stored it executes again on every later visit to the settings page.
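The following is an added illustration and not the plugin's own source: a redirect-after-comment settings page written in the vulnerable shape that the Vulnerability section and proof of concept describe (GET request updates the option with no nonce, stored value echoed unescaped), beside a hardened shape using WordPress's own nonce, capability, sanitisation and escaping APIs. The option, action and nonce names (msmc_example_*) and the menu slug msmc-example-redirect are assumptions; the code only runs inside WordPress (drop it into wp-content/plugins/ on a test site).

```php
<?php
/*
 * Added example, not the plugin's own source. Names beginning msmc_example_
 * and the slug 'msmc-example-redirect' are assumptions for illustration.
 * Intended to run inside WordPress only.
 */

/* VULNERABLE shape, reconstructed from the proof of concept. Not hooked
 * anywhere: shown for comparison only. Two defects: (1) a plain GET with
 * action=1 from the admin's browser updates the option with no nonce and no
 * capability check, so a link is enough (CSRF); (2) the stored value goes
 * back into a value="..." attribute unescaped, so a payload beginning with
 * "> closes the attribute and tag and injects <script> (stored XSS). */
function msmc_example_settings_page_vulnerable() {
    if ( isset( $_GET['action'], $_GET['MSMC_redirect_location'] ) && '1' === $_GET['action'] ) {
        update_option( 'msmc_example_redirect', $_GET['MSMC_redirect_location'] );
    }
    $url = get_option( 'msmc_example_redirect', '' );
    echo '<form method="get">'
        . '<input type="hidden" name="page" value="msmc-example-redirect">'
        . '<input type="hidden" name="action" value="1">'
        . '<input type="text" name="MSMC_redirect_location" value="' . $url . '">'
        . '<input type="submit" value="Save"></form>';
}

/* HARDENED shape: state changes only on POST; check_admin_referer() dies
 * unless the request carries a nonce bound to this action and this user,
 * which a crafted link cannot supply; the caller's capability is checked;
 * the value is reduced to an http(s) or site-relative URL before storage;
 * and output is escaped for the attribute context, so even a bad stored
 * value (e.g. one written by an older vulnerable version) cannot break out. */
function msmc_example_settings_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to change these settings.', '', array( 'response' => 403 ) );
    }
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['MSMC_redirect_location'] ) ) {
        check_admin_referer( 'msmc_example_save', 'msmc_example_nonce' );
        $raw   = wp_unslash( $_POST['MSMC_redirect_location'] );
        // esc_url_raw() strips characters such as " < > and returns '' for any
        // scheme outside the list (javascript:, data:, ...).
        $clean = esc_url_raw( $raw, array( 'http', 'https' ) );
        if ( '' === $clean && '' !== trim( $raw ) ) {
            add_settings_error( 'msmc_example', 'bad_url', 'Redirect location must be an http(s) URL.' );
        } else {
            update_option( 'msmc_example_redirect', $clean );
            add_settings_error( 'msmc_example', 'saved', 'Settings saved.', 'updated' );
        }
    }
    $url = get_option( 'msmc_example_redirect', '' );
    settings_errors( 'msmc_example' );
    echo '<form method="post" action="">';
    wp_nonce_field( 'msmc_example_save', 'msmc_example_nonce' );
    echo '<input type="text" name="MSMC_redirect_location" value="' . esc_attr( $url ) . '">'
        . '<input type="submit" value="Save"></form>';
}

add_action( 'admin_menu', function () {
    add_options_page( 'Redirect After Comment', 'Redirect After Comment',
        'manage_options', 'msmc-example-redirect', 'msmc_example_settings_page_hardened' );
} );

/* The redirect itself. wp_validate_redirect() keeps the browser on an allowed
 * host (the site's own, plus any added via the allowed_redirect_hosts filter)
 * and otherwise falls back to the comment's normal destination. */
add_filter( 'comment_post_redirect', function ( $location ) {
    $target = get_option( 'msmc_example_redirect', '' );
    return '' === $target ? $location : wp_validate_redirect( $target, $location );
} );
```

The two checks that would have closed this advisory are independent: the nonce stops the unauthenticated attacker from storing anything, and esc_attr() stops whatever is stored from executing. A hardened version needs both, because a site that ran the vulnerable version may already hold a malicious value in the option.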

Mitigations
================
The plugin author has indicated that this plugin is abandonware and has 
unpublished it from the WordPress directory. Disable and uninstall the plugin, 
as this bug won’t be fixed. Removal from the directory does not remove the 
plugin from sites that already have it installed, and no fixed version will 
arrive through the update mechanism, so affected sites must act themselves.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our 
disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@xxxxxxx to acknowledge this report if you 
received it via a third party (for example, plugins@xxxxxxxxxxxxx) as they 
generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this 
report within 14 days.

Timeline
================

2017-03-17: Discovered
2017-03-20: Sent a public message on Twitter requesting the ability to DM with 
them
2017-03-20: Plugin author responded that the plugin was abandonware and that I 
could DM them
2017-03-21: Sent another public message as I was still unable to send them a DM
2017-04-04: Sent another public message
2017-04-10: The plugin was removed from wordpress.org
2017-04-24: Sent another public message to check that the plugin was 
permanently removed
2017-05-08: Published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/