[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Chris McCoy chris at lod.com
Fri Mar 28 15:29:06 UTC 2014


I think Daniel was referring to posting to a public list: some malicious
people could take advantage of this and cause some havoc.

On 2014-03-28, 10:46 AM, "Harry Metcalfe" <harry at dxw.com> wrote:

>Hi Daniel,
>
>This vulnerability was reported to plugins at wordpress.org on 2nd
>February. The author has not responded, so we are disclosing the
>vulnerability in order that anyone using this plugin can take steps to
>protect themselves.
>
>This is certainly not an advertisement.
>
>Administrivia: It was my assumption that this list would be interested
>to know about vulnerable plugins. If anyone has strong feelings for or
>against that assumption, please let me know off-list. If there is a
>consensus we will honour it.
>
>Cheers,
>
>Harry
>
>
>On 28/03/2014 14:41, Daniel Bachhuber wrote:
>> Hi Harry,
>>
>> Please refrain from advertising on this list. Plugin security issues
>> should be reported to plugins at wordpress.org
>>
>> Thanks.
>>
>>
>> On Fri, Mar 28, 2014 at 5:39 AM, Harry Metcalfe <harry at dxw.com> wrote:
>>
>>> Details
>>> ================
>>> Software: WP HTML Sitemap
>>> Version: 1.2
>>> Homepage: http://wordpress.org/plugins/wp-html-sitemap/
>>> CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)
>>>
>>> Description
>>> ================
>>> CSRF vulnerability in WP HTML Sitemap 1.2
>>>
>>> Vulnerability
>>> ================
>>> A CSRF vulnerability exists which allows an attacker to delete the
>>> sitemap if a logged-in admin user visits a link of the attacker's
>>> choosing. Line 202 of inc/AdminPage.php says "// check whether form
>>> was just submitted" but the following if/elseif statements only check
>>> whether a particular button was pressed without checking nonce values.
>>> The form in question is printed in
>>> wp_html_sitemap_AdminPage::createSitemapForm() around line 146 of the
>>> same file.
>>>
>>> Proof of concept
>>> ================
>>> This form deletes the sitemap without requiring a nonce value:
>>> <form action="http://not-a-real-site.local/wp-admin/options-general.php?page=wp-html-sitemap&tab=general" method="POST">
>>>   <input type="text" name="deleteSitemap" value="Delete Sitemap">
>>>   <input type="submit">
>>> </form>
>>>
>>> Mitigations
>>> ================
>>> Disable the plugin until a fix is available.
>>>
>>> Disclosure policy
>>> ================
>>> dxw believes in responsible disclosure. Your attention is drawn to our
>>> disclosure policy: https://security.dxw.com/disclosure/
>>>
>>> Please contact us on security at dxw.com to acknowledge this report if you
>>> received it via a third party (for example, plugins at wordpress.org) as
>>> they generally cannot communicate with us on your behalf.
>>>
>>> Please note that this vulnerability will be published if we do not
>>> receive a response to this report within 14 days.
>>>
>>> Timeline
>>> ================
>>>
>>> 2014-02-21: Discovered
>>> 2014-02-26: Reported
>>> 2014-03-28: No response received. Published
>>>
>>>
>>> Discovered by dxw:
>>> ================
>>> Tom Adams
>>> Please visit security.dxw.com for more information.
>>>
>>>
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>
>
>-- 
>Harry Metcalfe
>07790 559 876
>@harrym
>
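The advisory above describes the defect in general terms: the handler acts on the presence of a button field (deleteSitemap) alone, so any page the admin visits can submit that field with the admin's cookies. The following is an added example, not code from the WP HTML Sitemap plugin or from dxw, showing the vulnerable pattern beside a nonce-protected handler. The nonce scheme (an HMAC over action, user id and a 12-hour tick, with a constructed secret) is a simplified stand-in for WordPress's wp_create_nonce()/wp_verify_nonce(); the action name wp_html_sitemap_delete, the secret, and the sample sitemap are assumptions made for the demo. In a real plugin the form would be emitted with wp_nonce_field('wp_html_sitemap_delete') and the handler would call check_admin_referer('wp_html_sitemap_delete').

```php
<?php
// Added example (not the plugin's code): a CSRF-vulnerable admin-form handler
// beside a nonce-checked one. Runs stand-alone with the PHP CLI.

const SECRET_KEY = 'constructed-secret-for-demo-only';  // assumption: per-site secret (AUTH_SALT in WordPress)
const NONCE_LIFE = 12 * 3600;                            // 12-hour ticks, as WordPress uses

// Nonce bound to the action, the user and a time window (simplified model of wp_create_nonce()).
function make_nonce(string $action, int $user_id, int $tick): string {
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", SECRET_KEY), 0, 10);
}

// Accept the current tick or the previous one so a form opened before a tick boundary still works.
function verify_nonce(string $nonce, string $action, int $user_id, int $now): bool {
    $tick = intdiv($now, NONCE_LIFE);
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(make_nonce($action, $user_id, $t), $nonce)) {
            return true;
        }
    }
    return false;
}

// Vulnerable handler: the only "check" is whether the button field is present,
// which is exactly what a third-party page can forge.
function handle_vulnerable(array $post, array &$sitemap): string {
    if (isset($post['deleteSitemap'])) {
        $sitemap = [];
        return 'deleted';
    }
    return 'ignored';
}

// Hardened handler: a valid nonce for this specific action is required before any state changes.
function handle_fixed(array $post, array &$sitemap, int $user_id, int $now): string {
    if (!isset($post['deleteSitemap'])) {
        return 'ignored';
    }
    $nonce = $post['_wpnonce'] ?? '';
    if (!verify_nonce($nonce, 'wp_html_sitemap_delete', $user_id, $now)) {
        return 'rejected';  // check_admin_referer() would wp_die() at this point
    }
    $sitemap = [];
    return 'deleted';
}

// --- constructed scenario ---
$user_id = 1;
$now     = time();
$sitemap = ['/', '/about', '/contact'];   // constructed sample sitemap
$tick    = intdiv($now, NONCE_LIFE);

// Request forged by an attacker's page: only the button field, no nonce.
$forged = ['deleteSitemap' => 'Delete Sitemap'];

$copy = $sitemap;
echo "vulnerable, forged request:  ", handle_vulnerable($forged, $copy), "\n";

$copy = $sitemap;
echo "fixed, forged request:       ", handle_fixed($forged, $copy, $user_id, $now), "\n";

// Legitimate submission from the plugin's own form, which embeds the nonce.
$legit = $forged + ['_wpnonce' => make_nonce('wp_html_sitemap_delete', $user_id, $tick)];
$copy  = $sitemap;
echo "fixed, legitimate request:   ", handle_fixed($legit, $copy, $user_id, $now), "\n";

// A nonce minted for a different action (or user) is rejected as well.
$wrong = $forged + ['_wpnonce' => make_nonce('wp_html_sitemap_create', $user_id, $tick)];
$copy  = $sitemap;
echo "fixed, wrong-action nonce:   ", handle_fixed($wrong, $copy, $user_id, $now), "\n";
```

The nonce works because the attacker's page cannot read it: the same-origin policy stops a third-party site from fetching the admin page and extracting the hidden field, so a forged POST arrives without one. A capability check (current_user_can('manage_options')) is still needed but does not help here on its own, since the forged request carries the admin's own session cookies.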