<p>If we hold a valid “key” (the nonce), we can send email to anyone.</p><p>File: store-locator-le\include\send-email.php</p><pre><code class="language-php" data-lang="php" style="font-family: Menlo, Monaco, 'Courier New', monospace; font-size: 16px; border-radius: 3px;"><span class="k" style="color: rgb(0, 102, 153);">if</span> <span class="p">(</span><span class="o" style="color: rgb(85, 85, 85);">!</span><span class="nx">wp_verify_nonce</span><span class="p">(</span><span class="nv" style="color: rgb(0, 51, 51);">$_REQUEST</span><span class="p">[</span><span class="s1" style="color: rgb(204, 51, 0);">'valid'</span><span class="p">],</span><span class="s1" style="color: rgb(204, 51, 0);">'em'</span><span class="p">))</span> <span class="k" style="color: rgb(0, 102, 153);">die</span><span class="p">();</span>
<span class="nv" style="color: rgb(0, 51, 51);">$message_headers</span> <span class="o" style="color: rgb(85, 85, 85);">=</span>
<span class="s2" style="color: rgb(204, 51, 0);">"From: </span><span class="se" style="color: rgb(204, 51, 0);">\"</span><span class="si" style="color: rgb(170, 0, 0);">{</span><span class="nv" style="color: rgb(0, 51, 51);">$_GET</span><span class="p">[</span><span class="s1" style="color: rgb(204, 51, 0);">'email_name'</span><span class="p">]</span><span class="si" style="color: rgb(170, 0, 0);">}</span><span class="se" style="color: rgb(204, 51, 0);">\"</span><span class="s2" style="color: rgb(204, 51, 0);"> <</span><span class="si" style="color: rgb(170, 0, 0);">{</span><span class="nv" style="color: rgb(0, 51, 51);">$_GET</span><span class="p">[</span><span class="s1" style="color: rgb(204, 51, 0);">'email_from'</span><span class="p">]</span><span class="si" style="color: rgb(170, 0, 0);">}</span><span class="s2" style="color: rgb(204, 51, 0);">></span><span class="se" style="color: rgb(204, 51, 0);">\n</span><span class="s2" style="color: rgb(204, 51, 0);">"</span> <span class="o" style="color: rgb(85, 85, 85);">.</span>
<span class="s2" style="color: rgb(204, 51, 0);">"Content-Type: text/plain; charset=</span><span class="se" style="color: rgb(204, 51, 0);">\"</span><span class="s2" style="color: rgb(204, 51, 0);">"</span> <span class="o" style="color: rgb(85, 85, 85);">.</span> <span class="nx">get_option</span><span class="p">(</span><span class="s1" style="color: rgb(204, 51, 0);">'blog_charset'</span><span class="p">)</span> <span class="o" style="color: rgb(85, 85, 85);">.</span> <span class="s2" style="color: rgb(204, 51, 0);">"</span><span class="se" style="color: rgb(204, 51, 0);">\"\n</span><span class="s2" style="color: rgb(204, 51, 0);">"</span><span class="p">;</span>
<span class="nx">wp_mail</span><span class="p">(</span><span class="nv" style="color: rgb(0, 51, 51);">$_GET</span><span class="p">[</span><span class="s1" style="color: rgb(204, 51, 0);">'email_to'</span><span class="p">],</span><span class="nv" style="color: rgb(0, 51, 51);">$_GET</span><span class="p">[</span><span class="s1" style="color: rgb(204, 51, 0);">'email_subject'</span><span class="p">],</span><span class="nv" style="color: rgb(0, 51, 51);">$_GET</span><span class="p">[</span><span class="s1" style="color: rgb(204, 51, 0);">'email_message'</span><span class="p">],</span><span class="nv" style="color: rgb(0, 51, 51);">$message_headers</span><span class="p">);</span></code></pre><p>By default, this token is displayed on every page that uses the [ slplus ] tag.</p><p>File: store-locator-le\include\class.ui.php</p><pre><code class="language-php" data-lang="php" style="font-family: Menlo, Monaco, 'Courier New', monospace; font-size: 16px; border-radius: 3px;"><span class="nv" style="color: rgb(0, 51, 51);">$scriptData</span><span class="p">[</span><span class="s1" style="color: rgb(204, 51, 0);">'ajaxurl'</span><span class="p">]</span> <span class="o" style="color: rgb(85, 85, 85);">=</span> <span class="nx">admin_url</span><span class="p">(</span><span class="s1" style="color: rgb(204, 51, 0);">'admin-ajax.php'</span><span class="p">);</span>
<span class="nv" style="color: rgb(0, 51, 51);">$scriptData</span><span class="p">[</span><span class="s1" style="color: rgb(204, 51, 0);">'nonce'</span><span class="p">]</span> <span class="o" style="color: rgb(85, 85, 85);">=</span> <span class="nx">wp_create_nonce</span><span class="p">(</span><span class="s1" style="color: rgb(204, 51, 0);">'em'</span><span class="p">);</span>
<span class="c1" style="color: rgb(153, 153, 153);">// FILTER: slp_script_data</span>
<span class="c1" style="color: rgb(153, 153, 153);">//</span>
<span class="nv" style="color: rgb(0, 51, 51);">$scriptData</span> <span class="o" style="color: rgb(85, 85, 85);">=</span> <span class="nx">apply_filters</span><span class="p">(</span><span class="s1" style="color: rgb(204, 51, 0);">'slp_script_data'</span><span class="p">,</span><span class="nv" style="color: rgb(0, 51, 51);">$scriptData</span><span class="p">);</span>
<span class="nx">wp_localize_script</span><span class="p">(</span><span class="s1" style="color: rgb(204, 51, 0);">'csl_script'</span> <span class="p">,</span><span class="s1" style="color: rgb(204, 51, 0);">'slplus'</span> <span class="p">,</span> <span class="nv" style="color: rgb(0, 51, 51);">$scriptData</span><span class="p">);</span></code></pre><p>This can be used to send spam from a nonexistent or forged address.</p>
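<p>A hardened counterpart to the handler in send-email.php, added here as an example and not taken from the plugin: because the nonce is printed on public pages it cannot act as authorization, so the request fields themselves are constrained. The function name <code>slp_build_safe_mail</code>, the length limits, the use of Reply-To instead of From, and the sample addresses are assumptions made for illustration.</p>

```php
<?php
// Added example, not plugin code. slp_build_safe_mail() is a hypothetical name.

/**
 * Validate the request fields and build the argument list for wp_mail().
 * Returns null when a field is unsafe. The recipient is never read from the
 * request: the site supplies it, so the endpoint cannot mail arbitrary people.
 */
function slp_build_safe_mail(array $req, string $site_recipient, string $charset): ?array
{
    $name    = (string) ($req['email_name'] ?? '');
    $from    = (string) ($req['email_from'] ?? '');
    $subject = (string) ($req['email_subject'] ?? '');
    $message = (string) ($req['email_message'] ?? '');

    // CR, LF or NUL inside a header field would let the caller append headers.
    foreach ([$name, $from, $subject] as $field) {
        if (preg_match('/[\r\n\0]/', $field)) {
            return null;
        }
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Assumed limits; tune them for the site.
    if (trim($subject) === '' || strlen($subject) > 150 || strlen($message) > 5000) {
        return null;
    }
    // Characters that would break out of the quoted display name are dropped.
    $name = preg_replace('/["<>\\\\]/', '', trim($name));

    // The visitor's address goes in Reply-To; From stays the site's default sender.
    $headers = [
        "Reply-To: \"{$name}\" <{$from}>",
        "Content-Type: text/plain; charset=\"{$charset}\"",
    ];
    return [$site_recipient, trim($subject), $message, $headers];
}

// Constructed sample requests (all addresses are placeholders).
$ok = ['email_name' => 'Alice', 'email_from' => 'alice@example.com',
       'email_subject' => 'Opening hours', 'email_message' => 'Are you open on Sunday?',
       'email_to' => 'someone-else@example.net']; // present in the request, ignored
$bad = $ok;
$bad['email_from'] = "alice@example.com\r\nBcc: list@example.net";

var_dump(slp_build_safe_mail($ok, 'store@example.org', 'UTF-8'));
var_dump(slp_build_safe_mail($bad, 'store@example.org', 'UTF-8'));
```

<p>Inside WordPress the returned array can be passed on as <code>wp_mail(...$args)</code> after the existing <code>wp_verify_nonce()</code> check, with <code>get_option('admin_email')</code> and <code>get_option('blog_charset')</code> as the second and third arguments.</p>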