Permalinks Migration Plugin Vulnerability



EDIT: Thank you Connie for bringing up the issue about the PacketStorm advisory regarding this issue. I’ve added a link to that advisory at the bottom of this post.

Over at Weblog Tools Collection, an article was posted earlier today regarding a vulnerability in version 1.0 of the Deans Permalinks Migration Plugin. The said vulnerability involves XSRF or Cross-site request forgery and allow the attacker to steal valid credentials.

The person who found out about this vulnerability and goes by the name g30rg3_x has an explanation for this vulnerability:

Since the variable $dean_pm_config[’oldstructure’] its not correctly sanitized (when retrieving), this allow any user to store/save “malicious code” inside the database and later be injected this “malicious code” when the data is retrieved. Using the XSRF as a “combo” we can create crafted pages that will force users to conduct this injection and steal some valid credentials to the WordPress based CMS.

As a normal procedure or etiquette for developers and programmers, g30rg3_x contacted the plugin author first to notify him about the vulnerability. But after several failed attempts, he took it upon himself to create and provide a fix for this plugin vulnerability.

If you’re currently using the Dean’s Permalink Migration Plugin version 1.0, it is strongly advised that you deactivate it and/or download/install the modified version to keep your blog secure. You can download the special sub-version 1.1-gx here.

If you want to read the PacketStorm advisory regarding the Dean’s Permalinks Migration Plugin vulnerability, click here. You can find this at page 20 of PacketStorm’s January advisory archives.

Hopefully no one gets victimized by this vulnerability. Have a fun and safe weekend everyone!

Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports. You can follow him on Google+, Facebook or Twitter.

8 Comments

  1. JP Habaradas

    February 3, 2008 at 3:53 AM

    @Connie – Hi there! Thanks for bringing that up. I totally forgot to mention about the PacketStorm advisory and to provide the link to it. Anyways, I’ve added a link to the original Packetstorm advisory which you can find in page 20. Again, thanks for the heads up! :D

  2. Connie

    February 3, 2008 at 12:43 AM

    So where’s the link to the packetstorm advisory? I checked the weblogtools link, found none. I checked all advisories released by packetstorm for January 2008 (http://packetstormsecurity.org/0801-advisories/) and there’s nothing there either.

    Isn’t it just as possible that he who claims vulnerability in Dean Lee’s plugin was the one who injected the vulnerability in the revised version?

    Shouldn’t the revised version be double checked first before advising people to download it?

    Connie’s last blog post..Some thoughts about shrimp crackers and entrepreneurship

  3. JP Habaradas

    January 27, 2008 at 8:22 PM

    @trench – Before I changed my permalink structure, I was also scared to do it. But when I saw other bloggers do it and figured out how to do it, I got enough courage to do it. The Permalink Redirect plugin helped a lot because all traffic that was going to the old permalinks was directed to the new ones.

    Btw, I noticed that after I changed the permalinks structure, my SERP rankings improved. :)

  4. trench

    January 27, 2008 at 4:20 AM

    yeah, Im to chicken sh*t to try and change my permalinks now! very risky business! I’ve been getting incredible traffic and my latest PR was 5. So, got to stay focused! haha

    trench’s last blog post..Sweeney Todd: The Demon Barber of Fleet Street (Theaters)

  5. JP Habaradas

    January 25, 2008 at 9:55 PM

    @bluep – Ei, how you doin? Long time no see. Good to know that someone is learning and gaining new knowledge or acquiring new information from my blog. That’s the main reason I blog and what keeps me going.

    Glad you like the theme. There are many magazine type themes that are widget ready so maybe you can try the other ones if you’re having a hard time with Mimbo. Btw, your current theme looks very nice and you did a great job with it.

    You have a good weekend too & God bless! :)

  6. bluep

    January 25, 2008 at 9:53 PM

    hello jaypee. I haven’t tried this before. Dami ko talaga nahuhukay na plugins dito sa blog mo.

    anyhow your new theme is very grand. its like the mimbo theme which resembles an online magazine. I love this magazine type of theme. the mimbo was supposed to be my current theme pero i find it hard to meddle with the codes kaya i just went for the usual widget friendly.

    Have a nice weekend jaypee.

    bluep’s last blog post..Malayang Isipan

  7. JP Habaradas

    January 25, 2008 at 6:30 PM

    @jhay – I almost used this plugin when I changed my permalink structure. Good thing I decided to use the Permalink Redirect plugin.

    Haha you read that comment? Anyways, yeah I’m on the lookout for a new reliable webhost. If you want the detailed version, I’ll tell you via IM. :D

  8. jhay

    January 25, 2008 at 6:27 PM

    It’s a good thing I don’t use this plugin, or any plugin that tinkers with my permalinks. Messing around with it is too risky in my thinking. Once a plugin screws up, your permalinks gets screwed up, and say good bye to PR and traffic. :lol:

    BTW, read from iRonnie that you’re planning on switching hosts? Could you tell the story why? I’m just curious, coz you’re leaving DreamHost? lol

    jhay’s last blog post..The FEJ Theme Reboot

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.