查看: 34943|回复: 48

WordPress Private Only 3.5.1 CSRF / XSS

[复制链接]
  • TA的每日心情

    昨天 20:06
  • 签到天数: 1628 天

    [LV.Master]伴坛终老

    发表于 2015-8-29 19:36:49 | 显示全部楼层 |阅读模式
    [PHP] 纯文本查看 复制代码
    Details
    ================
    Software: Private Only
    Version: 3.5.1
    Homepage: [url]http://wordpress.org/plugins/private-only/[/url]
    Advisory report: [url]https://security.dxw.com/advisories/csrfxss-vulnerability-in-private-only-could-allow-an-attacker-to-do-almost-anything-an-admin-user-can/[/url]
    CVE: CVE-2015-5483
    CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
     
    Description
    ================
    CSRF/XSS vulnerability in Private Only could allow an attacker to do almost anything an admin user can
     
    Vulnerability
    ================
    This plugin fails to use CSRF and XSS prevention techniques which are available in WordPress (nonces, and esc_attr()) so it allows an attacker to cause a logged in admin user to be the victim of a CSRF attack which stores malicious content in the database which, due to lack of escaping, is output as raw HTML. Via JavaScript the attacker is able to cause the user’s browser to do almost anything including add users, delete posts, and even modify PHP files if that option hasn’t been disabled.
     
    Proof of concept
    ================
    Pressing the submit button here will change the logo setting to contain some JavaScript. Browsers with no reflected XSS prevention (like Firefox) will execute the JavaScript immediately, other browsers will execute the JavaScript when the page is loaded next.
    <form method=\"POST\" action=\"http://localhost/wp-admin/options-general.php?page=privateonly.php\">
      <input type=\"text\" name=\"po_logo\" value=\""><script>alert(1)</script>\">
      <input type=\"text\" name=\"po_submit\" value=\"Y\">
      <input type=\"submit\">
    </form>
     
    Mitigations
    ================
     
    Disclosure policy
    ================
    dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: [url]https://security.dxw.com/disclosure/[/url]
     
    Please contact us on [email]security@dxw.com[/email]<script cf-hash="f9e31" type="text/javascript">
    /* <![CDATA[ */!function(){try{var t="currentScript"in document?document.currentScript:function(){for(var t=document.getElementsByTagName("script"),e=t.length;e--;)if(t[e].getAttribute("cf-hash"))return t[e]}();if(t&&t.previousSibling){var e,r,n,i,c=t.previousSibling,a=c.getAttribute("data-cfemail");if(a){for(e="",r=parseInt(a.substr(0,2),16),n=2;a.length-n;n+=2)i=parseInt(a.substr(n,2),16)^r,e+=String.fromCharCode(i);e=document.createTextNode(e),c.parentNode.replaceChild(e,c)}}}catch(u){}}();/* ]]> */</script> to acknowledge this report if you received it via a third party (for example, [email]plugins@wordpress.org[/email]<script cf-hash="f9e31" type="text/javascript">
    /* <![CDATA[ */!function(){try{var t="currentScript"in document?document.currentScript:function(){for(var t=document.getElementsByTagName("script"),e=t.length;e--;)if(t[e].getAttribute("cf-hash"))return t[e]}();if(t&&t.previousSibling){var e,r,n,i,c=t.previousSibling,a=c.getAttribute("data-cfemail");if(a){for(e="",r=parseInt(a.substr(0,2),16),n=2;a.length-n;n+=2)i=parseInt(a.substr(n,2),16)^r,e+=String.fromCharCode(i);e=document.createTextNode(e),c.parentNode.replaceChild(e,c)}}}catch(u){}}();/* ]]> */</script>) as they generally cannot communicate with us on your behalf.
     
    This vulnerability will be published if we do not receive a response to this report with 14 days.
     
    Timeline
    ================
     
    2015-03-20: Discovered
    2015-07-09: Reported to vendor by email
    2015-07-09: Requested CVE
    2015-07-31: No reply. Tried on twitter and got a brief response
    2015-08-18: After multiple further attempts, still no reply. Escalating to WP Plugins
     
     
     
    Discovered by dxw:
    ================
    Tom Adams
    Please visit security.dxw.com for more information.
    回复

    使用道具 举报

    该用户从未签到

    发表于 2015-8-30 20:13:29 | 显示全部楼层
    还是不错的哦,顶了
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-8-30 20:15:35 | 显示全部楼层
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    开心
    2022-10-21 10:32
  • 签到天数: 11 天

    [LV.3]偶尔看看II

    发表于 2015-8-30 21:39:12 | 显示全部楼层
    学习学习技术,加油!
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-8-31 18:50:17 | 显示全部楼层
    支持,看起来不错呢!
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-9-1 02:08:27 | 显示全部楼层
    支持,看起来不错呢!
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-9-1 09:24:55 | 显示全部楼层
    支持中国红客联盟(ihonker.org)
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-9-1 09:29:18 | 显示全部楼层
    感谢楼主的分享~
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-9-1 09:34:01 | 显示全部楼层
    感谢楼主的分享~
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-9-1 13:58:00 | 显示全部楼层
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-11-14 14:49 , Processed in 0.025264 second(s), 14 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部