| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Dec 2017 10:18:29 +0100 From: Ryan Dewhurst <ryandewhurst@...il.com> To: nicolas.buzy-debat@...nge.com Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] [CVE-2017-17719] Cross-Site Scripting (XSS) vulnerability in WordPress Concours Plugin Hi, If you email plugins-at-wordpress.org they will attempt to contact the author, and if unable to, they usually remove the plugin from their repository. Thanks, Ryan On Tue, Dec 19, 2017 at 6:01 PM, <nicolas.buzy-debat@...nge.com> wrote: > Product: WordPress Concours Plugin - https://wordpress.org/plugins/ > wp-concours/ > Vendor: Olyos > Tested version: 1.1 > CVE ID: CVE-2017-17719 > > ** CVE description ** > A cross-site scripting (XSS) vulnerability in the wp-concours plugin > through 1.1 for WordPress allows remote attackers to inject arbitrary web > script or HTML via the result_message parameter to > includes/concours_page.php. > > ** Technical details ** > In wp-concours/includes/concours_page.php:18, $_REQUEST['result_message'] > is stored in the $message_str variable without proper sanitization. This > variable is then echoed back to user on line 28. > > Vulnerable code: > https://plugins.trac.wordpress.org/browser/wp-concours/trunk/includes/ > concours_page.php#L18 > > ** Proof of Concept ** > http://<host>/wordpress/wp-admin/admin.php?page=concours& > result_message=<script>alert(document.cookie);</script> > > ** Solution ** > No fix available yet. > > ** Timeline ** > 28/09/2017: vendor contacted; vendor asks for technical report > 06/10/2017: requested an update regarding the fix; vendor says in November > 05/12/2017: sent an e-mail to warn about the release of that advisory; no > reply > 19/12/2017: report published > > ** Credits ** > Vulnerability discovered by Nicolas Buzy-Debat working at Orange > Cyberdefense Singapore (CERT-LEXSI). > > -- > Best Regards, > > Nicolas Buzy-Debat > Orange Cyberdefense Singapore (CERT-LEXSI) > ____________________________________________________________ > _____________________________________________________________ > > Ce message et ses pieces jointes peuvent contenir des informations > confidentielles ou privilegiees et ne doivent donc > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez > recu ce message par erreur, veuillez le signaler > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages > electroniques etant susceptibles d'alteration, > Orange decline toute responsabilite si ce message a ete altere, deforme ou > falsifie. Merci. > > This message and its attachments may contain confidential or privileged > information that may be protected by law; > they should not be distributed, used or copied without authorisation. > If you have received this email in error, please notify the sender and > delete this message and its attachments. > As emails may be altered, Orange is not liable for messages that have been > modified, changed or falsified. > Thank you. > > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists