SECURITYVULNS:DOC:18925
Jan 24, 2008

XSRF under Dean’s Permalinks Migration 1.0

vulners.com
  1. Abstract
    There is a XSRF (cross-site request forgery) vulnerability in Dean's
    Permalinks Migration Plugin version 1.0 which allows an attacker to
    force a user into performing an unsolicited action. Combined with an
    XSS bug (also found) in the plugin, this allows an attacker to obtain
    valid credentials for the WordPress-based CMS.

  2. Explanation
    Since the variable $dean_pm_config['oldstructure'] is not correctly
    sanitized when it is retrieved, any user can store "malicious code" in
    the database, and that "malicious code" is later injected into the
    page when the data is retrieved.
    Using the XSRF as a "combo" we can create crafted pages that force
    users to perform this injection and steal valid credentials to the
    WordPress-based CMS.

  3. Proof-Of-Concept
    This is a very innocent and short PoC...
    You can download this PoC here: http://g30rg3x.com/wp-files/PoC_dpm_10.zip

  4. Solution
    Since I couldn't contact the plugin author by any of the public ways
    that he left on his website, this forced me to make and release a
    special sub-version of the plugin, which I call 1.1-gx...
    This version adds the needed protection against the vulnerability and
    uses some of the WordPress coding standards suggested by the WordPress
    Developers.
    You can download this version here: http://g30rg3x.com/wp-files/dpm_11gx.zip
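The two defects named in sections 2 and 4 (a settings save that accepts any POST, and a stored value echoed back unescaped) are illustrated below. This is an added example written for this advisory, not code from the plugin or from the 1.1-gx release: the option key $dean_pm_config['oldstructure'] comes from the advisory, while the function names, the form field, the option name 'dean_pm_config' and the nonce action are assumptions. The hardened version uses the current WordPress nonce and escaping APIs (check_admin_referer, wp_nonce_field, sanitize_text_field, esc_attr).

```php
<?php
// Added example (not the plugin's code). Shows the vulnerable settings-page
// pattern the advisory describes and a hardened equivalent side by side.

// --- Vulnerable pattern: no request-origin check, no escaping on output ---
function dpm_settings_page_vulnerable() {
    // Assumed option name; 'oldstructure' is the key named in the advisory.
    $dean_pm_config = get_option( 'dean_pm_config', array( 'oldstructure' => '' ) );

    if ( isset( $_POST['oldstructure'] ) ) {
        // XSRF: nothing ties this POST to a form the admin actually submitted,
        // so a request triggered from a third-party page is saved as well.
        // Stored XSS: the value is written to the database verbatim.
        $dean_pm_config['oldstructure'] = $_POST['oldstructure'];
        update_option( 'dean_pm_config', $dean_pm_config );
    }

    // The stored value lands inside an HTML attribute without escaping; a
    // quote character in it terminates the attribute and the remainder is
    // rendered as markup every time an administrator opens this page.
    echo '<form method="post">';
    echo '<input name="oldstructure" value="' . $dean_pm_config['oldstructure'] . '">';
    echo '</form>';
}

// --- Hardened pattern: capability check, nonce, sanitize on input, escape on output ---
function dpm_settings_page_hardened() {
    // Only users allowed to manage options may reach the save logic at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }

    $config = get_option( 'dean_pm_config', array( 'oldstructure' => '' ) );

    if ( isset( $_POST['oldstructure'] ) ) {
        // Dies unless the request carries a valid nonce for this action.
        // A cross-site page cannot read the nonce, so a forged POST stops here.
        check_admin_referer( 'dpm_save_settings', 'dpm_nonce' );

        // Strip tags, line breaks and control characters before storing.
        $config['oldstructure'] = sanitize_text_field( wp_unslash( $_POST['oldstructure'] ) );
        update_option( 'dean_pm_config', $config );
    }

    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() validates above.
    wp_nonce_field( 'dpm_save_settings', 'dpm_nonce' );
    // Escape on output too, so a value that reached the database by any other
    // path still cannot break out of the attribute.
    echo '<input name="oldstructure" value="' . esc_attr( $config['oldstructure'] ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
```

Both layers matter: the nonce closes the XSRF path used to plant the value, and escaping on output neutralises anything already stored, so an existing poisoned option stops executing as soon as the hardened page is deployed.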

  5. Timeline
    Bug Found: 11/01/2008
    Vendor Contact: 12/01/2008
    Vendor Response: --/--/--
    Public Disclosure: 21/01/2008

Copy: http://g30rg3x.com/xsrf-bajo-deans-permalinks-migration-10/ (Spanish Only)


         g30rg3_x