
History: Jan 24, 2008 - 12:00 a.m.

XSRF under Dean’s Permalinks Migration 1.0

  1. Abstract
    There is an XSRF in Dean's Permalinks Migration Plugin version 1.0
    which allows an attacker to lead a user into performing an
    unsolicited action. Combined with an XSS bug (also found) in the
    plugin, this allows an attacker to gain valid credentials for the
    WordPress-based CMS.

  2. Explanation
    Since the variable $dean_pm_config['oldstructure'] is not correctly
    sanitized (when retrieving), any user can store/save "malicious
    code" inside the database, and this "malicious code" is later
    injected when the data is retrieved.
    Using the XSRF as a "combo", we can create crafted pages that will
    force users to conduct this injection and steal some valid credentials
    to the WordPress-based CMS.
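
    The two defences that address this combination, a nonce on the settings form against the XSRF and escaping on retrieval against the stored XSS, shown as an added example; this is not the plugin's code and not the 1.1-gx patch. The `example_pm_*` names, the option key `example_pm_config` and the character allowlist are assumptions; only the `oldstructure` field comes from the advisory.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: example_pm_* and
// the option key 'example_pm_config'; only 'oldstructure' is from the advisory.

add_action('admin_menu', function () {
    add_options_page('Example PM', 'Example PM', 'manage_options',
        'example-pm', 'example_pm_render_page');
});

function example_pm_save() {
    // XSRF defence: the request must carry the nonce issued by our own form.
    // check_admin_referer() terminates the request when it is missing or stale.
    check_admin_referer('example_pm_save', 'example_pm_nonce');
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.');
    }
    // Input side: accept only characters a permalink structure needs
    // (assumed allowlist), so markup never reaches the database.
    $raw = isset($_POST['oldstructure']) && is_string($_POST['oldstructure'])
        ? wp_unslash($_POST['oldstructure']) : '';
    if (!preg_match('#^[A-Za-z0-9%/_.\-]*$#', $raw)) {
        wp_die('Invalid permalink structure.');
    }
    $config = get_option('example_pm_config', array());
    $config['oldstructure'] = $raw;
    update_option('example_pm_config', $config);
}

function example_pm_render_page() {
    if ('POST' === $_SERVER['REQUEST_METHOD']) {
        example_pm_save();
    }
    $config = get_option('example_pm_config', array());
    $old = isset($config['oldstructure']) ? $config['oldstructure'] : '';
    ?>
    <form method="post">
        <?php wp_nonce_field('example_pm_save', 'example_pm_nonce'); ?>
        <!-- Output side: esc_attr() on retrieval, so a value that is already
             stored in the database cannot break out of the attribute. -->
        <input type="text" name="oldstructure"
               value="<?php echo esc_attr($old); ?>" />
        <?php submit_button(); ?>
    </form>
    <?php
}
```

    Escaping at output is what neutralises values stored before the fix; the input allowlist alone would leave existing rows exploitable.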

  3. Proof-Of-Concept
    This is a very innocent and short PoC…
    You can download this PoC here:

  4. Solution
    Since I couldn't contact the plugin author by any of the public ways
    that he left on his website, this forced me to make and release a
    special sub-version of the plugin, a version which I call 1.1-gx…
    This version adds the needed protection against the vulnerability and
    uses some of the WordPress coding standards suggested by the WordPress
    You can download this version here:

  5. Timeline
    Bug Found: 11/01/2008
    Vendor Contact: 12/01/2008
    Vendor Response: --/--/--
    Public Disclosure: 21/01/2008

Copy: (Spanish Only)
