Search the Community
Showing results for tags 'wordpress cp polls 1.0.8 malicious file download'.
Found 1 result
-
# Exploit Title: WordPress CP Polls 1.0.8 - Reflected file download (.bat file) # Date: 2016-02-22 # Google Dork: Index of /wp-content/plugins/cp-polls/ # Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ] # Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls # Version: 1.0.8 # Demo: https://www.youtube.com/watch?v=uc6P59BPEkU ============= Description ============= With **CP Polls** you can publish a poll into a page/post and optionally display statistics of the results. You can receive email notifications every time a vote is added or opt to receive Excel reports periodically. The Polls can have dependant questions, this means that some questions are displayed depending of the selection made on other questions. (copy of README.txt) =================== Technical details =================== CP Polls plugin for wordpress is prone to file download issue. A hacker is able to attack an administrator by exploiting a CSRF in the 'change cp poll name' converting the downloadable report file (csv) to a malicious .bat file. Because there is not restriction in the cp poll name the CSRF exploit can change the name to ... malicious.bat; The semicolon (;) character must be restricted because the header 'Content-Disposition' uses this characteer as a parameter delimitation. For example, when we change the name of a cp poll to 'malicious.bat;' when an administrator download the report (thinking that is a csv file) the response header turns: "" Content-Disposition: attachment; file=malicious.bat;.csv "" the csv is ignored and the administrator gets a .BAT file So, how to exploit this vulnerability to execute commands on the victim's machine? Whe have an option. If the cp_poll is added in a post we can vote them and we can inject our malicious payload into a votation. ============================== Proof of Concept CSRF (html) ============================== https://www.youtube.com/watch?v=uc6P59BPEkU ========================== If the csrf attack is succesful, we only need to inject our commands in votations. In ´fieldnames´ post parameter we can inject our commands. ========== CREDITS ========== Vulnerability discovered by: Joaquin Ramirez Martinez [i0 security-lab] joaquin.ramirez.mtz.lab[at]gmail[dot]com https://www.facebook.com/I0-security-lab-524954460988147/ https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q ======== TIMELINE ======== 2016-02-10 vulnerability discovered 2016-02-22 reported to vendor 2016-03-01 released cp polls v1.0.9 2016-03-01 public disclousure
