WP 插件 NEX-Forms Lite 2.1.0 XSS 漏洞

Basic Fields

SSV ID:: SSV-90509

Find Time:: Unknown

Submit Time:: 2016-01-19

Level:

Category:: 跨站脚本

Component:: WordPress

Author:: Unknown

Submitter:: MyKings

CVE-ID：: CVE-2014-7151

CNNVD-ID：: CNNVD-201601-147

CNVD-ID：: Add

ZoomEye Dork：: Add

Source

Detail

Contributor huakai Got 1.65KB

## 1.漏洞分析由于下不到2.1.0的源代码，只能根据漏洞描述以及3.4版本的代码进行推敲。先看wp-admin/admin-ajax.php文件 wp-admin/admin-ajax.php:77 ```php if ( is_user_logged_in() ) { /** * Fires authenticated AJAX actions for logged-in users. * * The dynamic portion of the hook name, `$_REQUEST['action']`, * refers to the name of the AJAX action callback being fired. * * @since 2.1.0 */ do_action( 'wp_ajax_' . $_REQUEST['action'] ); } else { /** * Fires non-authenticated AJAX actions for logged-out users. * * The dynamic portion of the hook name, `$_REQUEST['action']`, * refers to the name of the AJAX action callback being fired. * * @since 2.8.0 */ do_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] ); } ``` ajax有2种，如何登录状态下会进入 `do_action( 'wp_ajax_' . $_REQUEST['action'] );` 否则就进入 `do_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] );` 存在漏洞的2个函数 includes/Core/class.db.php ```php add_action( 'wp_ajax_nopriv_do_insert', array('IZC_Database', 'do_insert')); add_action('wp_ajax_nopriv_do_edit',array('IZC_Database', 'do_edit')) ``` `wp_ajax_nopriv_do_insert` 和 `wp_ajax_nopriv_do_edit` 都是可以未登录状态就能进行form的新增跟编辑操作。 `form_fields` 变量未经处理就存入数据库，造成存储型xss漏洞。看看do_edit的处理代码 ```php public function do_edit() { global $wpdb; $get_fields = $wpdb->prepare("SHOW FIELDS FROM " . $wpdb->prefix . filter_var($_POST['table'], FILTER_SANITIZE_STRING)); $fields = $wpdb->get_results($get_fields); $field_array = array(); foreach ($fields as $field) { if (isset($_POST[$field->Field])) { if (is_array($_POST[$field->Field])) $field_array[$field->Field] = json_encode($_POST[$field->Field], JSON_FORCE_OBJECT); else $field_array[$field->Field] = $_POST[$field->Field]; } } $update = $wpdb->prepare($wpdb->update($wpdb->prefix . filter_var($_POST['table'], FILTER_SANITIZE_STRING), $field_array, array('Id' => filter_var($_POST['edit_Id'], FILTER_SANITIZE_NUMBER_INT)))); $wpdb->query($update); echo $_POST['edit_Id']; die(); } ``` `field_array` 未经过处理就存入了数据库。 ## 2.漏洞利用存储xss利用xss平台 ## 3. 漏洞修复 1. xss转义 `htmlspecialchars($field_array[$field->Field])` 2. 未登录状态下禁止访问 `add_action('wp_ajax_do_insert', array('IZC_Database', 'do_insert'));` `add_action('wp_ajax_do_edit', array('IZC_Database','do_edit'));` 3. 升级版本