| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 11 Feb 2017 11:28:15 +0100 From: Manuel Garcia Cardenas <advidsec@...il.com> To: fulldisclosure@...lists.org, dm@...urityfocus.com Subject: [FD] WordPress Plugin Easy Table 1.6 - Persistent Cross-Site Scripting ============================================= MGC ALERT 2017-001 - Original release date: Feb 07, 2017 - Last revised: Feb 12, 2017 - Discovered by: Manuel Garcia Cardenas - Severity: 4,8/10 (CVSS Base Score) ============================================= I. VULNERABILITY ------------------------- WordPress Plugin Easy Table 1.6 - Persistent Cross-Site Scripting II. BACKGROUND ------------------------- Easy Table is a WordPress plugin that allow you to insert table in easy way. III. DESCRIPTION ------------------------- Has been detected a Persistent XSS vulnerability in Easy Table, that allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser. IV. PROOF OF CONCEPT ------------------------- Malicious Request: /wordpress/wp-admin/options-general.php?page=easy-table easy_table_plugin_option[shortcodetag] easy_table_plugin_option[attrtag] easy_table_plugin_option[class] easy_table_plugin_option[width] easy_table_plugin_option[border] easy_table_plugin_option[align] easy_table_plugin_option[limit] easy_table_plugin_option[nl] easy_table_plugin_option[terminator] easy_table_plugin_option[delimiter] easy_table_plugin_option[escape] In all of this parameters an attacker can inject for example "><script>alert(1)</script> to perform a attack of Persistent Cross-Site Scripting. V. BUSINESS IMPACT ------------------------- An attacker can execute arbitrary HTML or script code in a targeted user's browser, this can leverage to steal sensitive information as user credentials, personal data, etc. VI. SYSTEMS AFFECTED ------------------------- Easy Table <= 1.6 VII. SOLUTION ------------------------- Disable the plugin until a fix is available. VIII. REFERENCES ------------------------- https://wordpress.org/plugins-wp/easy-table/ IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com). X. REVISION HISTORY ------------------------- Feb 07, 2017 1: Initial release Feb 12, 2017 2: Last revision XI. DISCLOSURE TIMELINE ------------------------- Feb 07, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas Feb 07, 2017 2: Send to vendor Feb 09, 2017 3: New contact with vendor without response Feb 12, 2017 4: Sent to lists XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. XIII. ABOUT ------------------------- Manuel Garcia Cardenas Pentester _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists