Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 13 Jun 2015 23:27:43 +1200
From: Matthew Daley <>
Subject: Re: CVE requests / Advisory: Codestyling Localization (Wordpress
 plugin) - multiple RCE via CSRF, multiple XSS

On 5 June 2015 at 08:52,  <> wrote:
> Hash: SHA1
>> The plugin contains multiple AJAX actions that, while having the
>> necessary permission checks, do not have anti-CSRF protection
> It appears that the main vulnerability you are reporting is the
> multiple CSRF. Use CVE-2015-4179.
> In reading your advisory, we weren't able to determine if there are
> any realistic scenarios in which an authenticated user would
> intentionally use csp_po_scan_source_file or csp_po_save_catalog_entry
> for RCE (i.e., scenarios that do not involve CSRF) and thereby obtain
> additional access to the server machine. We think you may mean
> scenarios in which the authenticated user has the manage_options
> capability but not the edit_plugins capability.

The manage_options capability is required to trigger any of the
RCE'able actions, hence normal users (without the capability) cannot
exploit them (unless they target an administrator with a CSRF attack,
as described in the advisory.)

However, I hadn't considered users with the manage_options capability
exploiting the RCE'able actions themselves. So yes, I suppose
Administrators could use this to escalate to Super Administrator on
multisite WordPress installations (multisite Super Administrators get
extra capabilities compared to normal Administrators; see
<> and

> (As always, to obtain multiple CVE IDs for a report, it is useful to
> describe all of the substantially distinct scenarios, not only the
> scenarios in which risk is greatest.)
> Also, we did not understand whether the "Multiple XSS in various AJAX
> actions ... reflected unescaped POST parameters in certain AJAX
> actions' responses" issue is independently relevant. Do you mean that
> there is unescaped reflection regardless of whether the AJAX action is
> authorized?

No, the actions have appropriate authorisation checks and will not be
vulnerable to XSS if the caller is unauthorised.

> More specifically, if all of the CSRF issues in the plugin
> were fixed in a normal way, would unauthenticated attackers be able to
> conduct XSS attacks by hosting JavaScript code that forces an
> administrator's browser to make a POST request without a nonce?

Assuming that the usual WordPress anti-CSRF nonces were added in the
appropriate locations, i.e., to the csp_po_check_security function,
then no.

- Matthew

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.