[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Harry Metcalfe harry at dxw.com
Fri Mar 28 14:46:00 UTC 2014


Hi Daniel,

This vulnerability was reported to plugins at wordpress.org on 2nd 
February. The author has not responded, so we are disclosing the 
vulnerability in order that anyone using this plugin can take steps to 
protect themselves.

This is certainly not an advertisement.

Administrivia: It was my assumption that this list would be interested 
to know about vulnerable plugins. If anyone has strong feelings for or 
against that assumption, please let me know off-list. If there is a 
consensus we will honour it.

Cheers,

Harry


On 28/03/2014 14:41, Daniel Bachhuber wrote:
> Hi Harry,
>
> Please refrain from advertising on this list. Plugin security issues should
> be reported to plugins at wordpress.org
>
> Thanks.
>
>
> On Fri, Mar 28, 2014 at 5:39 AM, Harry Metcalfe <harry at dxw.com> wrote:
>
>> Details
>> ================
>> Software: WP HTML Sitemap
>> Version: 1.2
>> Homepage: http://wordpress.org/plugins/wp-html-sitemap/
>> CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)
>>
>> Description
>> ================
>> CSRF vulnerability in WP HTML Sitemap 1.2
>>
>> Vulnerability
>> ================
>> A CSRF vulnerability exists which allows an attacker to delete the sitemap
>> if a logged-in admin user visits a link of the attacker's choosing.
>> Line 202 of inc/AdminPage.php says "// check whether form was just
>> submitted" but the following if/elseif statements only check whether a
>> particular button was pressed without checking nonce values. The form in
>> question is printed in wp_html_sitemap_AdminPage::createSitemapForm()
>> around line 146 of the same file.
>>
>> Proof of concept
>> ================
>> This form deletes the sitemap without requiring a nonce value:
>> <form action="http://not-a-real-site.local/wp-admin/options-general.php?page=wp-html-sitemap&tab=general" method="POST">
>> <input type="text" name="deleteSitemap" value="Delete Sitemap">
>> <input type="submit">
>> </form>
>>
>> Mitigations
>> ================
>> Disable the plugin until a fix is available.
>>
>> Disclosure policy
>> ================
>> dxw believes in responsible disclosure. Your attention is drawn to our
>> disclosure policy: https://security.dxw.com/disclosure/
>>
>> Please contact us on security at dxw.com to acknowledge this report if you
>> received it via a third party (for example, plugins at wordpress.org) as
>> they generally cannot communicate with us on your behalf.
>>
>> Please note that this vulnerability will be published if we do not receive
>> a response to this report within 14 days.
>>
>> Timeline
>> ================
>>
>> 2014-02-21: Discovered
>> 2014-02-26: Reported
>> 2014-03-28: No response received. Published
>>
>>
>> Discovered by dxw:
>> ================
>> Tom Adams
>> Please visit security.dxw.com for more information.
>>
>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>

-- 
Harry Metcalfe
07790 559 876
@harrym
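Added illustration (not code from WP HTML Sitemap, dxw, or the list): the advisory above describes a settings-page handler that acts on whichever submit button is present in the POST body without checking a nonce. The class below shows that pattern next to the usual WordPress fix, a nonce emitted with wp_nonce_field() and verified with check_admin_referer(), plus a capability check. The class name, option key, nonce action and field name, and the page slug are assumptions made for the example; only the WordPress API calls are real.

```php
<?php
// Hypothetical admin page written for this example; names are assumptions.
class Example_Sitemap_Admin {

    const OPTION_NAME  = 'example_sitemap_cache';   // assumed option key
    const NONCE_ACTION = 'example_sitemap_update';  // assumed nonce action
    const NONCE_FIELD  = 'example_sitemap_nonce';   // assumed hidden field name

    /**
     * The pattern the advisory describes: the handler decides what to do
     * purely from which button name appears in $_POST. Any page that makes
     * a logged-in admin's browser POST "deleteSitemap" here succeeds, because
     * the browser attaches the WordPress login cookies automatically.
     */
    public function handle_form_vulnerable() {
        if ( isset( $_POST['deleteSitemap'] ) ) {
            delete_option( self::OPTION_NAME );
        } elseif ( isset( $_POST['createSitemap'] ) ) {
            update_option( self::OPTION_NAME, $this->build_sitemap() );
        }
    }

    /**
     * Hardened version: require the capability and a nonce bound to this
     * action before doing anything. check_admin_referer() validates the nonce
     * (and the referer) and calls wp_die() on failure, so a cross-site POST,
     * which cannot carry a valid nonce for this user and action, never reaches
     * the delete/create branches.
     */
    public function handle_form_hardened() {
        if ( ! isset( $_POST['deleteSitemap'] ) && ! isset( $_POST['createSitemap'] ) ) {
            return; // form not submitted
        }
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.' );
        }
        check_admin_referer( self::NONCE_ACTION, self::NONCE_FIELD );

        if ( isset( $_POST['deleteSitemap'] ) ) {
            delete_option( self::OPTION_NAME );
        } elseif ( isset( $_POST['createSitemap'] ) ) {
            update_option( self::OPTION_NAME, $this->build_sitemap() );
        }
    }

    /**
     * Prints the settings form. wp_nonce_field() adds the hidden token that
     * handle_form_hardened() checks; without it the handler would reject
     * every submission, including legitimate ones.
     */
    public function render_form() {
        $action = admin_url( 'options-general.php?page=example-sitemap&tab=general' );
        echo '<form action="' . esc_url( $action ) . '" method="post">';
        wp_nonce_field( self::NONCE_ACTION, self::NONCE_FIELD );
        echo '<input type="submit" name="createSitemap" value="' . esc_attr__( 'Create Sitemap' ) . '"> ';
        echo '<input type="submit" name="deleteSitemap" value="' . esc_attr__( 'Delete Sitemap' ) . '">';
        echo '</form>';
    }

    /** Builds the cached HTML list of pages (wp_list_pages with echo off returns the markup). */
    private function build_sitemap() {
        return '<ul>' . wp_list_pages( array( 'echo' => false, 'title_li' => '' ) ) . '</ul>';
    }
}
```

Two points worth noting from the defender's side. The nonce is per user, per action and time-limited, so it is the token a forged request cannot supply; it is not an authorization check, which is why current_user_can() is kept alongside it. And the check must happen before the if/elseif chain, not inside one branch, or a second button that skips it reopens the same hole. If wp_die() on failure is too abrupt for a settings page, wp_verify_nonce() returns false instead and lets the page show an error and fall through.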
