Date: Mon, 13 Apr 2015 20:02:40 +1200
From: Matthew Daley <mattd@...fuzz.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request / Advisory: Floating Social Bar (Wordpress plugin) 1.0.1 - 1.1.6

On 13 April 2015 at 18:25,  <cve-assign@...re.org> wrote:
>> I'd like to request a CVE ID for this issue. This is the first such
>> request; this message serves as an advisory as well.
>>
>> Affected software: Floating Social Bar (Wordpress plugin)
>> Affected versions: 1.0.1 - 1.1.6
>> Website: https://wordpress.org/plugins/floating-social-bar/
>>
>> Description: One of the plugin's unauthenticated AJAX action handlers
>> is vulnerable to a stored cross-site scripting vulnerability. By
>> invoking the action with certain parameters, it is possible for
>> unauthenticated attackers to force the persistent injection of
>> arbitrary script across the site's post pages.
>>
>> Fixed version: 1.1.7
>> Fix: https://plugins.trac.wordpress.org/changeset/1129648/floating-social-bar/trunk
>> Changelog: https://plugins.trac.wordpress.org/changeset/1129648/floating-social-bar/trunk#file5
>
> Use CVE-2015-3299 for the specific issue in your "Description" section
> above. It seems conceivable that 1129648 also fixed something else,
> e.g.,
>
>   1. Maybe the
>      "-     add_action( 'wp_ajax_nopriv_fsb_save_order', array( $this, 'save_order' ) );"
>
>      code change means that wp_ajax_nopriv_fsb_save_order allowed
>      bypassing intended access control, even if the attacker did not
>      supply an XSS payload.

Yes. It wasn't intended for non-administrators to be able to adjust
the services by executing the action.

>
>   2. Maybe the patched code can help to prevent a CSRF attack against
>      an authenticated action handler.

Again, yes. Administrators could be forced to execute the action with
an attacker's parameters via a CSRF attack. Nonces have been added to
stop this.

>
> If so, then additional CVE IDs would be needed.
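As an added illustration (not the plugin's code and not from either participant), the three weaknesses the thread enumerates, an unauthenticated AJAX hook, a missing capability check, and a missing nonce, are shown beside a hardened handler that addresses each. Function names, the option key and the service list are assumptions for the example.

```php
<?php
// Added illustration (not the plugin's actual code). Names such as
// fsb_save_order, fsb_services and the option key are assumptions.

// --- Weak pattern: reachable without login, no nonce, no output escaping ---
add_action( 'wp_ajax_fsb_save_order',        'fsb_save_order_weak' );
add_action( 'wp_ajax_nopriv_fsb_save_order', 'fsb_save_order_weak' ); // anyone can call it
function fsb_save_order_weak() {
    // Attacker-controlled value stored verbatim and later echoed on post pages.
    update_option( 'fsb_services', $_POST['services'] );
    wp_die();
}

// --- Hardened pattern ---
// 1. Only register the logged-in hook; the nopriv variant is intentionally absent.
add_action( 'wp_ajax_fsb_save_order', 'fsb_save_order_safe' );
function fsb_save_order_safe() {
    // 2. Capability check: adjusting the bar is an administrator-only operation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. Nonce check: rejects a request forged from another site (CSRF),
    //    even when the victim is an authenticated administrator.
    check_ajax_referer( 'fsb_save_order', 'nonce' );

    // 4. Allow-list the input rather than trusting it; store only known service keys.
    $allowed = array( 'twitter', 'facebook', 'pinterest' ); // constructed sample list
    $raw     = isset( $_POST['services'] ) ? (array) $_POST['services'] : array();
    $clean   = array_values( array_intersect( array_map( 'sanitize_key', $raw ), $allowed ) );
    update_option( 'fsb_services', $clean );
    wp_send_json_success( $clean );
}

// Rendering side: escape on output too, so even a stale stored value cannot
// become script on the post page.
function fsb_render_services( $services ) {
    $html = '';
    foreach ( (array) $services as $service ) {
        $html .= '<span class="' . esc_attr( $service ) . '">' . esc_html( $service ) . '</span>';
    }
    return $html;
}

// The nonce is handed to the admin page that issues the request, e.g.
// wp_localize_script( 'fsb-admin', 'fsb', array( 'nonce' => wp_create_nonce( 'fsb_save_order' ) ) );
```

Removing the `wp_ajax_nopriv_` registration alone closes the unauthenticated path; the capability and nonce checks are what stop a logged-in non-administrator and a CSRF-driven administrator respectively.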
