IA, CSRF and FPD vulnerabilities in Organizer for WordPress

2012-05-01T00:00:00
ID SECURITYVULNS:DOC:28036
Type securityvulns
Reporter Securityvulns
Modified 2012-05-01T00:00:00

Description

Hello 3APA3A!

I want to warn you about multiple new security vulnerabilities in the Organizer plugin for WordPress. This is the third in a series of advisories concerning vulnerabilities in this plugin.

These are Insufficient Authorization, Cross-Site Request Forgery and Full Path Disclosure vulnerabilities.


Affected products:

Organizer 1.2.1 and previous versions are vulnerable.

As the developer of the plugin told me, he no longer supports it and will not be fixing any vulnerabilities in it.


Details:

Insufficient Authorization (WASC-02):

Access to users.php and execution of all of its operations is allowed to any user of the system (even a Subscriber).

http://site/wp-admin/admin.php?page=organizer/page/users.php

Viewing, adding, editing and deleting of user settings are possible. In particular, any user (such as a Subscriber) can set, even for his own account, the allowed extensions for uploading files, e.g. php.

This includes an unprivileged user conducting Persistent XSS attacks on the admin (via the two earlier-mentioned Persistent XSS holes). This vulnerability also allows CSRF attacks (for changing the settings) not only on the admin, but on any logged-in user.

CSRF (WASC-09):

All functionality of the plugin is vulnerable to CSRF attacks. Besides the earlier-mentioned CSRF in the script users.php, in the script dir.php it is possible via CSRF to create, rename and delete directories (only empty directories can be renamed and deleted). For this, three corresponding POST requests need to be sent.

http://site/wp-admin/admin.php?page=organizer/page/dir.php

And in the script view.php it is possible via CSRF to rename, copy and delete uploaded files. For this, three corresponding POST requests need to be sent.

http://site/wordpress/wp-admin/admin.php?page=organizer/page/view.php

FPD (WASC-13):

The script http://site/wordpress/wp-admin/admin.php?page=organizer/page/view.php has built-in functionality (and a vulnerability): it shows the full path on the server.
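The three defects above share one root cause: the plugin's admin pages run their operations without checking the caller's capability or a request nonce, and echo server paths. The following is an added example (not code from the Organizer plugin or its developer) of how a WordPress admin page of the users.php kind would be written to close all three classes at once: a capability check on every request (Insufficient Authorization), a nonce created with wp_nonce_field() and verified with check_admin_referer() (CSRF), and a whitelist for allowed upload extensions that never accepts server-executable types, with only a path relative to ABSPATH shown to the user (Full Path Disclosure). The function names prefixed example_organizer_, the menu slug and the user-meta key are assumptions; the WordPress API calls are real.

```php
<?php
// Added example of a hardened plugin admin page. Not Organizer's code.
// Assumed names: example_organizer_* functions, the menu slug
// 'example-organizer-users' and the meta key 'example_organizer_allowed_ext'.

// Extensions that are never accepted for upload, whatever the request says.
const EXAMPLE_ORGANIZER_FORBIDDEN_EXT = array( 'php', 'phtml', 'php3', 'php4', 'php5', 'phar', 'htaccess' );

function example_organizer_register_menu() {
    // Only users holding manage_options (administrators) see the page at all.
    add_menu_page(
        'Organizer users',
        'Organizer users',
        'manage_options',                 // capability required (Insufficient Authorization)
        'example-organizer-users',
        'example_organizer_render_users_page'
    );
}
add_action( 'admin_menu', 'example_organizer_register_menu' );

// Turn a user-supplied "jpg, png, php." list into a clean whitelist.
function example_organizer_sanitize_extensions( $raw ) {
    $clean = array();
    foreach ( explode( ',', $raw ) as $ext ) {
        $ext = strtolower( trim( $ext, " .\t" ) );
        if ( $ext === '' || ! preg_match( '/^[a-z0-9]{1,10}$/', $ext ) ) {
            continue; // drop empty entries and anything that is not a plain extension
        }
        if ( in_array( $ext, EXAMPLE_ORGANIZER_FORBIDDEN_EXT, true ) ) {
            continue; // server-executable types are silently refused
        }
        $clean[] = $ext;
    }
    return array_values( array_unique( $clean ) );
}

function example_organizer_handle_post() {
    // 1. Authorization: re-check on every request, not only when building the
    //    menu, because the page callback can be reached by URL directly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change Organizer settings.', 403 );
    }
    // 2. CSRF: verify the nonce emitted by wp_nonce_field(); check_admin_referer()
    //    stops the request with an error page if it is missing or invalid.
    check_admin_referer( 'example_organizer_save_user', 'example_organizer_nonce' );

    $target_user = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( ! $target_user || ! get_userdata( $target_user ) ) {
        wp_die( 'Unknown user.', 400 );
    }
    $raw  = isset( $_POST['allowed_ext'] ) ? wp_unslash( $_POST['allowed_ext'] ) : '';
    $exts = example_organizer_sanitize_extensions( sanitize_text_field( $raw ) );
    update_user_meta( $target_user, 'example_organizer_allowed_ext', $exts );
}

function example_organizer_render_users_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Access denied.', 403 );
    }
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        example_organizer_handle_post();
    }
    // 3. Full Path Disclosure: show a location relative to ABSPATH rather than
    //    the absolute filesystem path, and never echo realpath() results.
    $upload = wp_upload_dir();
    $shown  = str_replace( ABSPATH, '', $upload['basedir'] );
    ?>
    <div class="wrap">
      <h1>Organizer users</h1>
      <p>Upload directory: <?php echo esc_html( $shown ); ?></p>
      <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=example-organizer-users' ) ); ?>">
        <?php wp_nonce_field( 'example_organizer_save_user', 'example_organizer_nonce' ); ?>
        <label>User ID <input type="number" name="user_id" min="1"></label>
        <label>Allowed extensions <input type="text" name="allowed_ext" placeholder="jpg,png,pdf"></label>
        <?php submit_button( 'Save' ); ?>
      </form>
    </div>
    <?php
}
```

The same pattern applies to directory and file operations of the dir.php and view.php kind: each state-changing POST carries its own nonce action, the handler checks the capability before touching the filesystem, and the extension whitelist is enforced server-side rather than trusted from a per-user setting. With the checks in place, a forged cross-site POST fails at check_admin_referer() and a Subscriber's direct request fails at current_user_can(), which also removes the path by which the earlier Persistent XSS payloads reached the admin.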


Timeline:

2012.04.15 - informed the developer about the previous vulnerabilities.
2012.04.17 - the developer answered that he no longer supports the plugin.
2012.04.17 - additionally informed the developer about the new vulnerabilities.
2012.04.20 - disclosed at my site (http://websecurity.com.ua/5801/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua