# Exploit Title: WordPress CP Polls 1.0.8 - Reflected file download (.bat file)
# Date: 2016-02-22
# Google Dork: Index of /wp-content/plugins/cp-polls/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
# Version: 1.0.8
# Demo: https://www.youtube.com/watch?v=uc6P59BPEkU

=============
 Description
=============

With **CP Polls** you can publish a poll into a page/post and optionally display statistics of the results. 
You can receive email notifications every time a vote is added or opt to receive Excel reports periodically.

The Polls can have dependant questions, this means that some questions are displayed depending of the 
selection made on other questions.

(copy of README.txt)


===================
 Technical details
===================

CP Polls plugin for wordpress is prone to file download issue. A hacker is able to attack an administrator by
exploiting a CSRF in the 'change cp poll name' converting the downloadable report file (csv) to a malicious .bat file.
Because there is not restriction in the cp poll name the CSRF exploit can change the name to ...

malicious.bat;

The semicolon (;) character must be restricted because the header 'Content-Disposition' uses this characteer as a 
parameter delimitation. For example, when we change the name of a cp poll to 'malicious.bat;' when an administrator
download the report (thinking that is a csv file) the response header turns:
""
Content-Disposition: attachment; file=malicious.bat;.csv
""
the csv is ignored and the administrator gets a .BAT file


So, how to exploit this vulnerability to execute commands on the victim's machine?
Whe have an option. If the cp_poll is added in a post we can vote them and we can inject our malicious payload
into a votation.

==============================
 Proof of Concept CSRF (html)
==============================

https://www.youtube.com/watch?v=uc6P59BPEkU

==========================

If the csrf attack is succesful, we only need to inject our commands in votations. In ´fieldnames´ post parameter
 we can inject our commands.

==========
 CREDITS
==========

Vulnerability discovered by:
	Joaquin Ramirez Martinez [i0 security-lab]
	joaquin.ramirez.mtz.lab[at]gmail[dot]com
	https://www.facebook.com/I0-security-lab-524954460988147/
	https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q


========
TIMELINE
========

2016-02-10 vulnerability discovered
2016-02-22 reported to vendor
2016-03-01 released cp polls v1.0.9
2016-03-01 public disclousure