Title: Reflected XSS & Blind SQLi in WordPress plugin eshop v6.3.14
Author: Larry W. Cashdollar, @_larry0
Date: 2016-01-27
CVE-ID: CVE-2016-0765, CVE-2016-0769
Download Site: https://wordpress.org/plugins/eshop
Vendor: Richard Pedley
Vendor Notified: 2016-01-29
Vendor Contact: http://elfden.co.uk/
Description: eShop is an accessible shopping cart plugin for WordPress, packed with various features.
Vulnerability: The following code snippets take values from $_GET and echo them back into the page without sanitizing or escaping them, resulting in reflected XSS.
http://plugins.svn.wordpress.org/eshop/trunk/eshop-orders.php
From eshop-orders.php, XSS via the page and action parameters:
144 $apge=get_admin_url().'admin.php?page='.$_GET['page'].'&action='.$_GET['action'];
145 echo '<ul id="eshopsubmenu" class="stuffbox">';
146 echo '<li><span>'.__('Sort Orders by »','eshop').'</span></li>';
147 echo '<li><a href="'.$apge.'&by=da"'.$cda.'>'.__('Date Ascending','eshop').'</a></li>';
148 echo '<li><a href="'.$apge.'&by=dd"'.$cdd.'>'.__('Date Descending','eshop').'</a></li>';
149 echo '<li><a href="'.$apge.'&by=tn"'.$ctn.'>'.__('ID Number','eshop').'</a></li>';
150 echo '<li><a href="'.$apge.'&by=ca"'.$cca.'>'.__('Company','eshop').'</a></li>';
151 echo '<li><a href="'.$apge.'&by=na"'.$cna.'>'.__('Customer','eshop').'</a></li>';
152 echo '</ul>';
244 <input type="hidden" name="action" value="<?php echo $_GET['action']; ?>" />
303 $phpself='?page='.$_GET['page'];
.
503 echo "<div id=\"eshopformfloat\"><form id=\"orderstatus\" action=\"".$phpself."\" method=\"post\">";
504 ?>
.
515 <input type="hidden" name="action" value="<?php echo $_GET['action'];?>" />
.
.
586 $downloadable .=''.$dlinfo->downloads.'<a href="'.$phpself.'&view='.$view.'&adddown='.$dlinfo->id.'" title="'.__('Increase download allowance by 1','eshop').'">'.__('Increase','eshop').'</a>, <a href="'.$phpself.'&view='.$view.'&decdown='.$dlinfo->id.'" title="'.__('Decrease download allowance by 1','eshop').'">'.__('Decrease','eshop').'</a></span>';
.
.
642 echo '<strong>'.__('Email:','eshop').'</strong>'." <a href=\"".$phpself."&viewemail=".$view."\" title=\"".__('Send a form email','eshop')."\" >".$drow->email.'</a> <small class="noprint">'.__('(sends a form email)','eshop')."</small><br />\n";
.
.
746 if($status=='Deleted'){$delete="<p class=\"delete noprint\"><a href=\"".$phpself."&delid=".$view."\">".__('Completely delete this order?','eshop')."</a><br />".__('<small><strong>Warning:</strong> this order will be completely deleted and cannot be recovered at a later date.</small>','eshop')."</p>";}else{$delete='';};
Blind SQL Injection (requires an authenticated WordPress user).
From eshop-orders.php, requires an admin user (the $delid value is interpolated unsanitized into the query):
287 if (!function_exists('deleteorder')) {
288 function deleteorder($delid){
289 global $wpdb;
290 $dtable=$wpdb->prefix.'eshop_orders';
291 $itable=$wpdb->prefix.'eshop_order_items';
292 $dltable=$wpdb->prefix.'eshop_download_orders';
293 $checkid=$wpdb->get_var("Select checkid From $dtable where id='$delid' && status='Deleted'");
.
.
392 eshop_admin_mode();
393 if(isset($_GET['delid']) && !isset($_GET['view'])){
394 deleteorder($_GET['delid']);
From eshop-orders.php, requires a regular logged-in user:
The following code allows SQL injection via the unsanitized $view variable, taken directly from $_GET['view'].
354 if(isset($_GET['view'])){
355 $view=$_GET['view'];
356 $status=$wpdb->get_var("Select status From $dtable where id='$view'");
SQL injection points via POST parameters in the mark and change handlers (mark, checkid and move are used unsanitized):
421 if(isset($_POST['mark']) && !isset($_POST['change'])){
422 $mark=$_POST['mark'];
423 $checkid=$_POST['checkid'];
424 $query2=$wpdb->get_results("UPDATE $dtable set status='$mark' where checkid='$checkid'");
425 do_action( 'eshop_order_status_updated', $checkid, $mark );
426 echo '<div class="updated fade">'.__('Order status changed successfully.','eshop').'</div>';
427 }
.
.
429 if(isset($_POST['change'])){
430 if(isset($_POST['move']) && $_POST['move'][0]!=''){
431 foreach($_POST['move'] as $v=>$ch){
432 $mark=$_POST['mark'];
433 $query2=$wpdb->get_results("UPDATE $dtable set status='$mark' where checkid='$ch'");
434 do_action( 'eshop_order_status_updated', $ch,$mark );
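Hardened forms of the vulnerable lines above, as an added defensive example written for this advisory (not the vendor's code or patch). It assumes WordPress's $wpdb->prepare() and escaping helpers are available, and the nonce action name eshop_mark_order is an assumption:

```php
<?php
// Added example, not the vendor's patch: hardened versions of the vulnerable
// lines in eshop-orders.php using WordPress's prepared-statement and escaping
// helpers. Assumes it runs inside WordPress; the nonce name is an assumption.

// Lines 354-356: the order id is interpolated raw into the query.
// Cast with absint() and bind with $wpdb->prepare() so the value can
// never change the SQL structure.
function eshop_safe_order_status( $view ) {
    global $wpdb;
    $dtable = $wpdb->prefix . 'eshop_orders';
    $id     = absint( $view );            // non-numeric input becomes 0
    if ( 0 === $id ) {
        return null;
    }
    return $wpdb->get_var(
        $wpdb->prepare( "SELECT status FROM {$dtable} WHERE id = %d", $id )
    );
}

// Lines 421-424: status and checkid come straight from $_POST. Bind both
// as strings (%s) and require a nonce so the update cannot be triggered
// by a forged cross-site request. Returns rows affected, or false.
function eshop_safe_mark_order( $mark, $checkid ) {
    global $wpdb;
    check_admin_referer( 'eshop_mark_order' );   // assumed nonce action
    $dtable = $wpdb->prefix . 'eshop_orders';
    return $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$dtable} SET status = %s WHERE checkid = %s",
            sanitize_text_field( $mark ),
            sanitize_text_field( $checkid )
        )
    );
}

// Lines 144 and 244: page/action are echoed into href and value
// attributes unescaped. Build the URL with add_query_arg() and escape
// at the point of output (esc_url for href, esc_attr for value).
function eshop_safe_menu_url( $page, $action ) {
    $url = add_query_arg(
        array(
            'page'   => sanitize_text_field( $page ),
            'action' => sanitize_text_field( $action ),
        ),
        admin_url( 'admin.php' )
    );
    return esc_url( $url );
}

$action = isset( $_GET['action'] ) ? sanitize_text_field( wp_unslash( $_GET['action'] ) ) : '';
echo '<input type="hidden" name="action" value="' . esc_attr( $action ) . '" />';
```

The table name is still interpolated, but it derives from $wpdb->prefix rather than user input, so only the user-controlled values need binding.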
Screen Shots: [eshop.png]