Date: Sat, 13 Jun 2015 23:27:43 +1200
From: Matthew Daley <mattd@...fuzz.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE requests / Advisory: Codestyling Localization (Wordpress
 plugin) - multiple RCE via CSRF, multiple XSS

On 5 June 2015 at 08:52,  <cve-assign@...re.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>> The plugin contains multiple AJAX actions that, while having the
>> necessary permission checks, do not have anti-CSRF protection
>
> It appears that the main vulnerability you are reporting is the
> multiple CSRF. Use CVE-2015-4179.
>
> In reading your advisory, we weren't able to determine if there are
> any realistic scenarios in which an authenticated user would
> intentionally use csp_po_scan_source_file or csp_po_save_catalog_entry
> for RCE (i.e., scenarios that do not involve CSRF) and thereby obtain
> additional access to the server machine. We think you may mean
> scenarios in which the authenticated user has the manage_options
> capability but not the edit_plugins capability.

The manage_options capability is required to trigger any of the
RCE'able actions, hence normal users (without the capability) cannot
exploit them (unless they target an administrator with a CSRF attack,
as described in the advisory).

However, I hadn't considered users with the manage_options capability
exploiting the RCE'able actions themselves. So yes, I suppose
Administrators could use this to escalate to Super Administrator on
multisite WordPress installations (multisite Super Administrators get
extra capabilities compared to normal Administrators; see
<https://codex.wordpress.org/Roles_and_Capabilities#Super_Admin> and
<https://codex.wordpress.org/Roles_and_Capabilities#Additional_Admin_Capabilities>).

> (As always, to obtain multiple CVE IDs for a report, it is useful to
> describe all of the substantially distinct scenarios, not only the
> scenarios in which risk is greatest.)
>
> Also, we did not understand whether the "Multiple XSS in various AJAX
> actions ... reflected unescaped POST parameters in certain AJAX
> actions' responses" issue is independently relevant. Do you mean that
> there is unescaped reflection regardless of whether the AJAX action is
> authorized?

No, the actions have appropriate authorisation checks and will not be
vulnerable to XSS if the caller is unauthorised.

> More specifically, if all of the CSRF issues in the plugin
> were fixed in a normal way, would unauthenticated attackers be able to
> conduct XSS attacks by hosting JavaScript code that forces an
> administrator's browser to make a POST request without a nonce?

Assuming that the usual WordPress anti-CSRF nonces were added in the
appropriate locations, i.e., to the csp_po_check_security function,
then no.

- Matthew
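The pattern the thread describes, as an added illustration that is not code from the Codestyling Localization plugin or from the advisory: a WordPress AJAX handler that has the capability check but no nonce check is safe against unprivileged users yet still exploitable by CSRF, and echoing a POST parameter back unescaped makes the same handler a reflected XSS. The action names (`demo_save_entry_vuln`, `demo_save_entry`), the `demo_check_security` helper, the `msgstr` parameter and the `demo_nonce` action string are all hypothetical; only the WordPress API calls are real. The hardened version puts both checks in one helper, which is where the reply above says the nonce check belongs (the plugin's `csp_po_check_security` function), and hands the nonce to the plugin's own script so legitimate requests carry it.

```php
<?php
// Added example (hypothetical plugin code), not the Codestyling
// Localization plugin's own handlers. Assumes it runs inside WordPress.

// --- Vulnerable pattern (kept only for comparison) ----------------------
add_action( 'wp_ajax_demo_save_entry_vuln', 'demo_save_entry_vuln' );
function demo_save_entry_vuln() {
    // Authorisation only. A page on an attacker's site can still make a
    // logged-in administrator's browser POST here, because the browser
    // attaches the WordPress login cookies to the cross-site request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Unauthorised', 403 );
    }
    $msg = isset( $_POST['msgstr'] ) ? $_POST['msgstr'] : ''; // attacker-controlled
    // ... the real handler would write $msg into a catalog file here ...

    // admin-ajax.php answers as text/html, so reflecting the raw
    // parameter is a reflected XSS for anyone who can reach this action.
    echo 'Saved: ' . $msg;
    wp_die();
}

// --- Hardened pattern -----------------------------------------------------
// One helper that every privileged AJAX action calls first.
function demo_check_security() {
    // 1. Anti-CSRF: the nonce is tied to the logged-in user and session,
    //    so a cross-site form cannot supply a valid one.
    //    check_ajax_referer() calls wp_die() itself on failure.
    check_ajax_referer( 'demo_nonce', 'security' );

    // 2. Authorisation: keep the capability check as well; the nonce only
    //    proves the request came from this user's own admin page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Unauthorised', 403 );
    }
}

add_action( 'wp_ajax_demo_save_entry', 'demo_save_entry' );
function demo_save_entry() {
    demo_check_security();
    $msg = isset( $_POST['msgstr'] ) ? wp_unslash( $_POST['msgstr'] ) : '';
    // ... write $msg to the catalog file here ...

    // Escape anything reflected back, and answer as JSON rather than HTML.
    wp_send_json_success( array( 'saved' => esc_html( $msg ) ) );
}

// Issue the nonce to the plugin's own admin script so that legitimate
// requests from the plugin's UI carry the 'security' parameter.
add_action( 'admin_enqueue_scripts', 'demo_enqueue_scripts' );
function demo_enqueue_scripts() {
    wp_enqueue_script( 'demo-admin', plugins_url( 'demo.js', __FILE__ ),
                       array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'      => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( 'demo_nonce' ),
    ) );
}
```

The script would then send `security: demoAjax.security` with every POST to `demoAjax.url`. Note that the nonce check does not replace the capability check: the nonce only ties the request to the page WordPress served to that user, which is exactly the property the CSRF attack lacks, while `current_user_can()` is what keeps users without manage_options away from the action in the first place.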
