[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Harry Metcalfe harry at dxw.com
Fri Mar 28 15:52:06 UTC 2014


Hi Chris,

We're aware of that, but not sure what alternative there is if the 
people who write plugins don't contact us when we report issues to them. 
We try to give people enough time to fix things, but if it doesn't look 
like they're going to, we believe it is the responsible thing to do to 
publish vulnerabilities so that people affected by them can take steps 
to protect themselves.

Our disclosure policy is here <https://security.dxw.com/disclosure/>, 
and we always draw people's attention to it (see below). All that said, 
it is a difficult area and I'm certainly open to suggestions about how 
to do it better.

Harry


On 28/03/2014 15:29, Chris McCoy wrote:
> I think Daniel was referring to posting to a public list, some malicious
> people could take advantage of this, and cause some havoc.
>
> On 2014-03-28, 10:46 AM, "Harry Metcalfe" <harry at dxw.com> wrote:
>
>> Hi Daniel,
>>
>> This vulnerability was reported to plugins at wordpress.org on 2nd
>> February. The author has not responded, so we are disclosing the
>> vulnerability in order that anyone using this plugin can take steps to
>> protect themselves.
>>
>> This is certainly not an advertisement.
>>
>> Administrivia: It was my assumption that this list would be interested
>> to know about vulnerable plugins. If anyone has strong feelings for or
>> against that assumption, please let me know off-list. If there is a
>> consensus we will honour it.
>>
>> Cheers,
>>
>> Harry
>>
>>
>> On 28/03/2014 14:41, Daniel Bachhuber wrote:
>>> Hi Harry,
>>>
>>> Please refrain from advertising on this list. Plugin security issues
>>> should be reported to plugins at wordpress.org
>>>
>>> Thanks.
>>>
>>>
>>> On Fri, Mar 28, 2014 at 5:39 AM, Harry Metcalfe <harry at dxw.com> wrote:
>>>
>>>> Details
>>>> ================
>>>> Software: WP HTML Sitemap
>>>> Version: 1.2
>>>> Homepage: http://wordpress.org/plugins/wp-html-sitemap/
>>>> CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)
>>>>
>>>> Description
>>>> ================
>>>> CSRF vulnerability in WP HTML Sitemap 1.2
>>>>
>>>> Vulnerability
>>>> ================
>>>> A CSRF vulnerability exists which allows an attacker to delete the
>>>> sitemap if a logged-in admin user visits a link of the attacker's
>>>> choosing. Line 202 of inc/AdminPage.php says "// check whether form was
>>>> just submitted" but the following if/elseif statements only check
>>>> whether a particular button was pressed without checking nonce values.
>>>> The form in question is printed in
>>>> wp_html_sitemap_AdminPage::createSitemapForm() around line 146 of the
>>>> same file.
>>>>
>>>> Proof of concept
>>>> ================
>>>> This form deletes the sitemap without requiring a nonce value:
>>>> <form action="http://not-a-real-site.local/wp-admin/options-general.php?page=wp-html-sitemap&tab=general" method="POST">
>>>> <input type="text" name="deleteSitemap" value="Delete Sitemap">
>>>> <input type="submit">
>>>> </form>
>>>>
>>>> Mitigations
>>>> ================
>>>> Disable the plugin until a fix is available.
>>>>
>>>> Disclosure policy
>>>> ================
>>>> dxw believes in responsible disclosure. Your attention is drawn to our
>>>> disclosure policy: https://security.dxw.com/disclosure/
>>>>
>>>> Please contact us on security at dxw.com to acknowledge this report if you
>>>> received it via a third party (for example, plugins at wordpress.org) as
>>>> they generally cannot communicate with us on your behalf.
>>>>
>>>> Please note that this vulnerability will be published if we do not
>>>> receive a response to this report within 14 days.
>>>>
>>>> Timeline
>>>> ================
>>>>
>>>> 2014-02-21: Discovered
>>>> 2014-02-26: Reported
>>>> 2014-03-28: No response received. Published
>>>>
>>>>
>>>> Discovered by dxw:
>>>> ================
>>>> Tom Adams
>>>> Please visit security.dxw.com for more information.
>>>>
>>>>
>>>> _______________________________________________
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>
>> -- 
>> Harry Metcalfe
>> 07790 559 876
>> @harrym
>>
>

-- 
Harry Metcalfe
07790 559 876
@harrym
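The advisory quoted in this thread describes a settings-page handler that acts on a "Delete Sitemap" button without checking a nonce. The PHP below is an added illustration, not part of the original thread and not the WP HTML Sitemap plugin's own code: it shows how a WordPress admin form handler guards a state-changing button with wp_nonce_field() in the form, check_admin_referer() in the handler, and a capability check before anything is deleted. The function names, the option name and the nonce action/field names are hypothetical placeholders.

```php
<?php
/*
 * Added example (hypothetical names; not the plugin's code): a minimal
 * WordPress settings-page form whose "Delete Sitemap" button is protected
 * against cross-site request forgery.
 */

// Hypothetical nonce action and hidden-field name.
const EXAMPLE_SITEMAP_NONCE_ACTION = 'example_sitemap_delete';
const EXAMPLE_SITEMAP_NONCE_FIELD  = '_example_sitemap_nonce';

// Renders the form. wp_nonce_field() emits a hidden input whose value is
// derived from the current user and session, so a form hosted on another
// site cannot supply a valid one.
function example_sitemap_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=example-sitemap' ) ); ?>">
        <?php wp_nonce_field( EXAMPLE_SITEMAP_NONCE_ACTION, EXAMPLE_SITEMAP_NONCE_FIELD ); ?>
        <input type="submit" name="deleteSitemap" class="button" value="Delete Sitemap">
    </form>
    <?php
}

// Handles the submission. The pattern described in the advisory checks only
// whether the button was pressed; this handler also verifies capability and
// nonce before performing the deletion.
function example_sitemap_handle_post() {
    if ( ! isset( $_POST['deleteSitemap'] ) ) {
        return; // form was not submitted on this request
    }

    // 1. Only users permitted to manage options may act at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. check_admin_referer() validates the nonce (and referer) and stops
    //    the request with an "Are you sure?" page when it is missing or bad.
    check_admin_referer( EXAMPLE_SITEMAP_NONCE_ACTION, EXAMPLE_SITEMAP_NONCE_FIELD );

    // 3. Only now perform the state-changing operation.
    delete_option( 'example_sitemap_html' ); // hypothetical option name
    add_settings_error( 'example_sitemap', 'deleted', 'Sitemap deleted.', 'updated' );
}

// Run the handler early in the admin request, before any output is sent.
add_action( 'admin_init', 'example_sitemap_handle_post' );
```

The order matters: the capability check rejects low-privilege users outright, and the nonce check ensures that even a legitimately logged-in administrator only triggers the deletion from a form WordPress itself rendered for them, which is exactly the gap the advisory's proof-of-concept form exploits.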


