Date: Sat, 18 May 2013 12:50:54 +0300
From: Henri Salo <henri@...v.fi>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com, plugins@...dpress.org
Subject: Re: CVE request: WordPress plugin wp-cleanfix CSRF

On Sat, May 18, 2013 at 12:54:23AM -0600, Kurt Seifried wrote:
> Sorry I'm not clear, this appears to be two vulns, a CSRF, and a
> remote code exec, the remote code exec can be triggered via the CSRF
> (so remote anon attacker can pull this off with some social
> engineering/etc.), but can also be done by users with access? Thanks.

File wpCleanFixAjax.php contains:

30         $command = strip_tags( $_POST['command'] );
31         eval ( $command );

and there is:

12 if ( is_admin() && _wpdk_is_ajax() ) {

So it only works when logged in as administrator. This is not a security
vulnerability as is, because a WordPress administrator can upload/edit PHP as she
or he likes.

There is a CSRF vulnerability, which can be used to execute arbitrary PHP.

POST /wordpress/wordpress-351/wp-admin/admin-ajax.php
action=wpCleanFixAjax&command=echo phpversion();

So in short: two vulnerabilities, but eval can't be used without CSRF as far as
I can tell.

---
Henri Salo
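For readers following the thread, this is what a hardened replacement for the quoted handler would look like (an added example, not code from the wp-cleanfix plugin or from Henri): a nonce check against the CSRF, a capability check instead of relying on is_admin(), and a fixed map of operations instead of eval(). The function, hook and nonce names (wpcleanfix_ajax_handler, 'wpcleanfix_action', the $allowed map and the 'wpcleanfix-js' script handle) are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): hardened AJAX handler replacing
// the strip_tags()/eval() pattern. Names below are assumed for illustration.

// Only whitelisted maintenance operations may run; each maps to a function.
function wpcleanfix_allowed_commands() {
    return array(
        'version'  => 'phpversion',           // harmless demo entry
        'optimize' => 'wpcleanfix_optimize',  // hypothetical plugin routine
    );
}

function wpcleanfix_optimize() {
    return 'optimize ran';  // placeholder body for the assumed routine
}

function wpcleanfix_ajax_handler() {
    // 1. CSRF: reject requests lacking a nonce bound to this action.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'wpcleanfix_action', 'nonce' );

    // 2. Authorisation: is_admin() is true for any admin-ajax.php request,
    //    whoever sent it; it says nothing about the caller's role.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. No eval(): the command is a key into a fixed map, never PHP source.
    $command = isset( $_POST['command'] ) ? sanitize_key( $_POST['command'] ) : '';
    $allowed = wpcleanfix_allowed_commands();
    if ( ! isset( $allowed[ $command ] ) ) {
        wp_send_json_error( 'unknown command', 400 );
    }
    wp_send_json_success( call_user_func( $allowed[ $command ] ) );
}
add_action( 'wp_ajax_wpCleanFixAjax', 'wpcleanfix_ajax_handler' );

// The admin page that issues the request embeds the matching nonce (here via
// wp_localize_script(), assuming a registered 'wpcleanfix-js' script handle),
// so a cross-site form cannot supply it.
function wpcleanfix_enqueue( $hook ) {
    wp_localize_script( 'wpcleanfix-js', 'wpCleanFix', array(
        'nonce' => wp_create_nonce( 'wpcleanfix_action' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'wpcleanfix_enqueue' );
```

With this in place the POST shown above fails at check_ajax_referer() before any command is looked at, and even a valid nonce only reaches a fixed function rather than eval().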
