AOH :: HP Unsorted P :: BX1581.HTM


1. Abstract
There is and a XSRF under Dean's Permalinks Migration Plugin version
1.0 which allow any attacker to conduct the user to do and a
unsolicited action this combined within a XSS bug (also found) in the
plugin allows and attacker to gain valid credentials for the WordPress
based CMS.

2. Explanation
Since the variable $dean_pm_config['oldstructure'] its not correctly
sanitized (when retrieving), this allow any user to store/save
"malicious code" inside the database and later be injected this
"malicious code" when the data is retrieved.
Using the XSRF as a "combo" we can create crafted pages that will
force users to conduct this injection and steal some valid credentials
to the WordPress based CMS.

3. Proof-Of-Concept
This is a very innocent and short PoC...
You can download this PoC here: 

4. Solution
Since i couldn't contact the plugin author by any of the public ways
that he left on his website this force me to make and release and a
special sub-version for the plugin, version which i call 1.1-gx...
This version adds the need protection against the vulnerability and
uses some of the WordPress coding standards suggest by the WordPress
You can download this version here: 

5. Timeline
Bug Found: 11/01/2008
Vendor Contact: 12/01/2008
Vendor Response: --/--/--
Public Disclosure: 21/01/2008

Copy: (Spanish Only) 

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to