[Full-disclosure] IA, CSRF and FPD vulnerabilities in Organizer for WordPress
- From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
- Date: Thu, 26 Apr 2012 20:09:01 +0300
I want to warn you about multiple new security vulnerabilities in the plugin
Organizer for WordPress. This is the third in a series of advisories
concerning vulnerabilities in this plugin.
These are Insufficient Authorization, Cross-Site Request Forgery and Full
Path Disclosure vulnerabilities.
Vulnerable are Organizer 1.2.1 and previous versions.
As the developer of the plugin answered me, he doesn't support it anymore
and will not be fixing any vulnerabilities in it.
Insufficient Authorization (WASC-02):
Access to users.php and execution of all its operations are allowed to any
user of the system (even a Subscriber).
Viewing settings and adding, editing and deleting users' settings are all
possible. In particular, any user (such as a Subscriber) can set, even for his
own account, the allowed extensions for uploaded files, e.g. php.
So an unprivileged user can conduct Persistent XSS attacks on the admin (via
the two earlier-mentioned Persistent XSS holes). This vulnerability also
allows CSRF attacks (to change the settings) not only against the admin, but
against any logged-in user.
Cross-Site Request Forgery (WASC-09):
All functionality of the plugin is vulnerable to CSRF attacks. Besides the
earlier-mentioned CSRF in the script users.php, via CSRF in the script dir.php
it's possible to create, rename and delete directories (only empty directories
can be renamed and deleted). For this it's needed to send three corresponding
POST requests.
And via CSRF in the script view.php it's possible to rename, copy and delete
uploaded files. For this it's needed to send three corresponding POST
has built-in functionality (and vulnerability) - showing of full path at the
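The two missing controls described above (no authorization check on the settings handlers, and no CSRF token on any of the plugin's forms) are the ones a fix would add. The following is an added illustration, not code from the Organizer plugin: a WordPress settings handler in the unprotected shape the advisory describes, next to a hardened version that checks the caller's capability, verifies a nonce and allow-lists the upload extensions. The function, action and option names are hypothetical.

```php
<?php
// Added example, not the Organizer plugin's own code. Names below
// (organizer_save_settings, organizer_allowed_ext) are hypothetical.

// Shape described in the advisory: POST data is saved with no capability
// check and no nonce, so any logged-in role (even Subscriber) can change the
// allowed upload extensions directly, or be made to change them via CSRF.
function organizer_save_settings_unprotected() {
    update_option( 'organizer_allowed_ext', $_POST['allowed_ext'] );
}

// Hardened handler for the admin-post.php endpoint.
function organizer_save_settings() {
    // 1. Authorization: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: require the nonce emitted by wp_nonce_field() in the form;
    //    check_admin_referer() dies if it is missing or invalid.
    check_admin_referer( 'organizer_save_settings' );

    // 3. Input validation: allow-list extensions instead of trusting the
    //    request, so values such as "php" can never be stored.
    $allowed   = array( 'jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt' );
    $requested = isset( $_POST['allowed_ext'] ) ? (array) $_POST['allowed_ext'] : array();
    $clean     = array();
    foreach ( $requested as $ext ) {
        $ext = sanitize_key( $ext ); // lowercases, strips anything but [a-z0-9_-]
        if ( in_array( $ext, $allowed, true ) ) {
            $clean[] = $ext;
        }
    }
    update_option( 'organizer_allowed_ext', array_unique( $clean ) );
    wp_safe_redirect( admin_url( 'admin.php?page=organizer&updated=1' ) );
    exit;
}
add_action( 'admin_post_organizer_save_settings', 'organizer_save_settings' );

// The matching form: the nonce field is what makes the CSRF check possible.
function organizer_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'organizer_save_settings' ); // emits _wpnonce and _wp_http_referer
    echo '<input type="hidden" name="action" value="organizer_save_settings">';
    echo '<input type="text" name="allowed_ext[]" value="jpg">';
    echo '<button type="submit">Save</button></form>';
}
```

Nonces in WordPress are bound to the logged-in user and expire, so a forged cross-site POST cannot carry a valid one; the capability check is still needed separately, since a nonce only proves the request came from the user's own page.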
2012.04.15 - informed the developer about previous vulnerabilities.
2012.04.17 - the developer answered that he didn't support the plugin
2012.04.17 - additionally informed the developer about new vulnerabilities.
2012.04.20 - disclosed at my site (http://websecurity.com.ua/5801/).
Best wishes & regards,
Administrator of Websecurity web site
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/