lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 24 Apr 2016 00:00:06 +0530
From: Rahul Pratap Singh <techno.rps@...il.com>
To: bugtraq@...urityfocus.com
Subject: Google SEO Pressor Snippet Plugin XSS Vulnerability

## FULL DISCLOSURE

#Product : Google SEO Pressor Snippet Plugin
#Exploit Author : Rahul Pratap Singh
#Version :1.2.6
#Home page Link : https://wordpress.org/plugins/google-seo-author-snippets/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 21/4/2016

XSS Vulnerability:

----------------------------------------
Description:
----------------------------------------
Following  parameters are not sanitized that leads to XSS Vulnerability.

Event Name, Events Url, Photo, Location ,Start Date, End Date, Street
Address, Address Locality, Address Region, Longitude, Latitude, Event
type, Offer aggregate, Low Price, High Price, Offer Url, Price, Events
Website, Offer Quantity, Price valid Until, Tickets currency

----------------------------------------
Vulnerable Code:
----------------------------------------

File Name: testfiles/google-seo-author-snippets/create_meta_box.php

$videos_value=get_post_meta($post->ID,$videos_id,true);
                         ?>
                        <tr> <th>
                         <label for="google_seo_meta_title"><?php  _e(
$videos_title );  ?></label>
                          </th>
                          <td><?php
        if(isset($videos_field['type']) &&
($videos_field['type']=='datepicker')){
                                   echo '<input type="date"
id="'.$videos_field['id'].'" name="'.$videos_field['id'].'"
value="'.$videos_value.'" />';
                       echo ''.
                     '       jQuery(document).ready(function($) {'.
                     '          var dateField = "'. $videos_field['id']
.'";'.
                     '          $(\'#\'+dateField).datepick({ '.
                     '           minDate: new Date()'.
                     '          });'.
                     '       });'.
                     '';
}else{ ?>

                                <input type="text" id="<?php echo
$videos_id; ?>" name="<?php echo $videos_id; ?>"  class="large-text"
value="<?php echo $videos_value; ?>" />     <?php }?>
----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/04/google-seo-pressor-snippet-plugin-xss.png

Fix:
No fix Available

Vulnerability Disclosure Timeline:
→ March 03, 2016  – Bug discovered, initial report to WordPress.
→ March 07, 2016  – No, response. Report sent again.
→ March 08, 2016  – WordPress Acknowledged. Plugin taken down.
→ April 21, 2016  – Plugin still down. No patch available.

Pub Ref:
https://0x62626262.wordpress.com/2016/04/21/google-seo-pressor-snippet-plugin-xss-vulnerability/
https://wordpress.org/plugins/google-seo-author-snippets/

Download attachment "0xE5D04434.asc" of type "application/pgp-keys" (61463 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists