Date: Sun, 1 Sep 2013 20:43:16 -0400 (EDT)
Subject: Re: [CVE Request] IndiaNIC Testimonial 2.2 WP plugin

> The testimonial plugin by IndiaNIC contains CSRF, XSS and SQLi vulnerabilities.
> I was able to deface the website, extract user credentials etc through crafted forms.
> Can someone please assign CVEs to this?
> 1:


The entire disclosure seems to be based on CSRF attacks against an
admin. Based on what you sent, we are not sure whether XSS is an
independent vulnerability in this plugin. Is there a usable XSS attack
that does not require a CSRF vulnerability, and does not require that
the admin intentionally enter an XSS attack string during an
authenticated session?

The SQL injection:

  name="custom_query" value="1=1) union select 1,2,3,@@version,5,6,7,8,9,10,11,12,13,14#"

is something that we would typically expect is an independent
vulnerability. A person who has admin access within a web interface is
not necessarily authorized to execute arbitrary SQL statements. We
found this code that seems to be relevant:
      // $_template_data['custom_query'] is the form field shown above; it is
      // dropped into the WHERE clause as a raw SQL fragment, with no escaping.
      if ($_template_data['custom_query']) {
        $filter_by = " AND ({$_template_data['custom_query']})";
      }

      // ord_by and the LIMIT value are interpolated the same way, unescaped.
      $_testimonial_result = $this->wpdb->get_results(
        "SELECT * FROM {$this->wpdb->prefix}inic_testimonial WHERE (id NOT IN(" .
        implode(",", $_current_featured_testimonial_id) . ")){$filter_by}
        ORDER BY {$_template_data['ord_by']} LIMIT {$_no_of_testimonial}");
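As an added illustration (not the plugin's code and not part of the original message), the Python below models the plugin's string-built query against an in-memory SQLite table with constructed rows and assumed column names, and puts a builder beside it that whitelists the column and ORDER BY names and binds every value. The union payload is the one quoted above, adapted to SQLite syntax (six columns, `--` instead of `#`).

```python
import sqlite3

# Assumed column set and ORDER BY whitelist for the demo table (constructed).
_COLUMNS = ("id", "name", "company", "body", "featured", "sort_order")
_ORDER_BY_ALLOWED = {"id", "name", "sort_order"}


def _demo_db():
    """In-memory stand-in for the plugin's table, with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_inic_testimonial (id INTEGER, name TEXT, "
               "company TEXT, body TEXT, featured INTEGER, sort_order INTEGER)")
    db.executemany("INSERT INTO wp_inic_testimonial VALUES (?,?,?,?,?,?)",
                   [(1, "alice", "acme", "great", 1, 2),
                    (2, "bob", "acme", "ok", 0, 1),
                    (3, "carol", "zed", "fine", 0, 3)])
    return db


def vulnerable_query(featured_ids, custom_query, ord_by, limit):
    """Mirrors the plugin: every input is interpolated into the SQL text as-is."""
    filter_by = f" AND ({custom_query})" if custom_query else ""
    ids = ",".join(str(i) for i in featured_ids)
    return (f"SELECT * FROM wp_inic_testimonial WHERE (id NOT IN({ids}))"
            f"{filter_by} ORDER BY {ord_by} LIMIT {limit}")


def hardened_query(featured_ids, filters, ord_by, limit):
    """Same query shape; names are whitelisted and values are bound parameters.
    The free-form custom_query is replaced by (column, value) equality filters."""
    ids = [int(i) for i in featured_ids]          # ValueError on non-integers
    if ord_by not in _ORDER_BY_ALLOWED:
        raise ValueError(f"ord_by not allowed: {ord_by!r}")
    clauses, params = [], []
    for column, value in filters:
        if column not in _COLUMNS:                # rejects the union payload
            raise ValueError(f"filter column not allowed: {column!r}")
        clauses.append(f" AND {column} = ?")
        params.append(value)
    placeholders = ",".join("?" for _ in ids)
    sql = (f"SELECT * FROM wp_inic_testimonial WHERE id NOT IN ({placeholders})"
           + "".join(clauses) + f" ORDER BY {ord_by} LIMIT ?")
    return sql, [*ids, *params, int(limit)]


def run_vulnerable(custom_query):
    return _demo_db().execute(vulnerable_query([1], custom_query, "id", 20)).fetchall()


def run_hardened(filters, ord_by="id", limit=20):
    sql, params = hardened_query([1], filters, ord_by, limit)
    return _demo_db().execute(sql, params).fetchall()


def hardened_rejects(filters=(), ord_by="id", limit=20):
    """True when the hardened builder refuses the input instead of running it."""
    try:
        hardened_query([1], filters, ord_by, limit)
    except ValueError:
        return True
    return False
```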

So, the outcome at this point is:

  IndiaNIC Testimonial plugin 2.2 for WordPress

  CSRF:           Use CVE-2013-5672.
  SQL injection:  Use CVE-2013-5673.
  XSS:            no CVE assigned; waiting for other information that
                  XSS is an independent primary vulnerability here

MITRE's CVE team does not do vulnerability coordination, but we think
this disclosure process is not what the vendor would have preferred:

  2013-08-07 - Email sent to IndiaNIC
  2013-08-08 - Notification left on the plugin's Support board on

Please see the "For a WordPress plugin security issue, email plugins
[at]" step listed on the web page.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]