Date: Mon, 13 Apr 2015 20:02:40 +1200
From: Matthew Daley <mattd@...fuzz.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request / Advisory: Floating Social Bar (Wordpress plugin) 1.0.1 - 1.1.6

On 13 April 2015 at 18:25,  <cve-assign@...re.org> wrote:
>> I'd like to request a CVE ID for this issue. This is the first such
>> request; this message serves as an advisory as well.
>>
>> Affected software: Floating Social Bar (Wordpress plugin)
>> Affected versions: 1.0.1 - 1.1.6
>> Website: https://wordpress.org/plugins/floating-social-bar/
>>
>> Description: One of the plugin's unauthenticated AJAX action handlers
>> is vulnerable to a stored cross-site scripting vulnerability. By
>> invoking the action with certain parameters, it is possible for
>> unauthenticated attackers to force the persistent injection of
>> arbitrary script across the site's post pages.
>>
>> Fixed version: 1.1.7
>> Fix: https://plugins.trac.wordpress.org/changeset/1129648/floating-social-bar/trunk
>> Changelog: https://plugins.trac.wordpress.org/changeset/1129648/floating-social-bar/trunk#file5
>
> Use CVE-2015-3299 for the specific issue in your "Description" section
> above. It seems conceivable that 1129648 also fixed something else,
> e.g.,
>
>   1. Maybe the
>      "-     add_action( 'wp_ajax_nopriv_fsb_save_order', array( $this, 'save_order' ) );"
>
>      code change means that wp_ajax_nopriv_fsb_save_order allowed
>      bypassing intended access control, even if the attacker did not
>      supply an XSS payload.

Yes. It wasn't intended for non-administrators to be able to adjust
the services by executing the action.

>
>   2. Maybe the patched code can help to prevent a CSRF attack against
>      an authenticated action handler.

Again, yes. Administrators could be forced to execute the action with
an attacker's parameters via a CSRF attack. Nonces have been added to
stop this.

>
> If so, then additional CVE IDs would be needed.
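To illustrate the three issues discussed in this thread (an unauthenticated `wp_ajax_nopriv_` hook, a missing nonce, and unsanitized input stored and later rendered), here is an added, hypothetical WordPress plugin class showing the weak registration beside a hardened one. This is example code constructed for this post, not the Floating Social Bar plugin's own code; the class name, the `fsb_services` option, the `fsb-admin` script handle and the service list are assumptions.

```php
<?php
// Hypothetical plugin class, constructed for this example; not the
// Floating Social Bar plugin's own code.

class Example_Social_Bar {

    // BEFORE: pattern that allows the problems discussed above.
    public function register_vulnerable() {
        // Logged-in users reach the handler...
        add_action( 'wp_ajax_fsb_save_order', array( $this, 'save_order_unsafe' ) );
        // ...and so does anyone else, because of the nopriv hook.
        add_action( 'wp_ajax_nopriv_fsb_save_order', array( $this, 'save_order_unsafe' ) );
    }

    public function save_order_unsafe() {
        // No nonce, no capability check, no sanitization: request data
        // is stored as-is and later echoed into post pages.
        update_option( 'fsb_services', $_POST['services'] );
        wp_send_json_success();
    }

    // AFTER: authenticated hook only, plus nonce, capability check, sanitization.
    public function register_fixed() {
        add_action( 'wp_ajax_fsb_save_order', array( $this, 'save_order' ) );
        add_action( 'admin_enqueue_scripts', array( $this, 'enqueue' ) );
    }

    public function enqueue() {
        // Hand the nonce to the admin-side script that issues the AJAX call.
        wp_localize_script( 'fsb-admin', 'fsbAjax', array(
            'nonce' => wp_create_nonce( 'fsb_save_order' ),
        ) );
    }

    public function save_order() {
        // 1. CSRF: the request must carry a nonce tied to this action.
        check_ajax_referer( 'fsb_save_order', 'nonce' );
        // 2. Access control: only users allowed to manage settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        // 3. Stored XSS: keep only known service slugs, sanitized (assumed list).
        $allowed  = array( 'facebook', 'twitter', 'linkedin' );
        $incoming = isset( $_POST['services'] ) ? (array) $_POST['services'] : array();
        $clean    = array_values( array_intersect( array_map( 'sanitize_key', $incoming ), $allowed ) );
        update_option( 'fsb_services', $clean );
        wp_send_json_success( $clean );
    }
}
```

Dropping the `wp_ajax_nopriv_` registration alone closes the unauthenticated path; the nonce and capability check are what stop a logged-in administrator from being driven to the handler by a cross-site request.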
