| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 24 Apr 2016 00:00:58 +0530 From: Rahul Pratap Singh <techno.rps@...il.com> To: bugtraq@...urityfocus.com Subject: Easy Social Share Buttons for WordPress XSS Vulnerability ## FULL DISCLOSURE #Product :Easy Social Share Buttons for WordPress #Exploit Author : Rahul Pratap Singh #Version :3.2.5 #Home page Link : http://codecanyon.net/item/easy-social-share-buttons-for-wordpress/6394476 #Website : 0x62626262.wordpress.com #Linkedin : https://in.linkedin.com/in/rahulpratapsingh94 #Date : 21/4/2016 XSS Vulnerability: ---------------------------------------- Description: ---------------------------------------- Following parameters are not sanitized that leads to XSS Vulnerability. ---------------------------------------- Vulnerable Code: ---------------------------------------- File Name: testfiles/Easy Social Share Buttons for WordPress v3.2.5/easy-social-share-buttons3/lib/modules/social-image-share/essb-social-image-share-selected.php Found at line:16 echo '<link rel="canonical" href="'.$page_link.'"/>'; Found at line:17 echo '<meta property="og:url" content="'.$page_link.'"/>'; Found at line:18 echo '<meta property="twitter:url" content="'.$page_link.'"/>'; Found at line:20 echo '<meta property="og:image" content="http://'.$_GET['img'].'"/>'; Found at line:21 echo '<meta property="twitter:image" content="http://'.$_GET['img'].'"/>'; Found at line:38 echo '<meta http-equiv="refresh" content="0;url='.$_GET['url'].'">'; File Name: testfiles/Easy Social Share Buttons for WordPress v3.2.5/easy-social-share-buttons3/lib/modules/social-metrics-lite/esml-render-results.php Found at line:49 <input type="hidden" name="page" value="<?php echo $_REQUEST['page'] ?>" /> File Name: testfiles/Easy Social Share Buttons for WordPress v3.2.5/easy-social-share-buttons3/lib/admin/essb-settings-shortcode-generator.php Found at line:3 $active_shortcode = isset($_REQUEST['code']) ? $_REQUEST['code'] : 'easy-social-share'; Found at line:7 $scg->activate($active_shortcode); Found at line:53 <input type="hidden" id="code" name="code" value="<?php echo $active_shortcode; ?>"/> File Name: testfiles/Easy Social Share Buttons for WordPress v3.2.5/easy-social-share-buttons3/lib/core/options/essb-options-interface.php Found at line:8 $active_section = isset($_REQUEST['section']) ? $_REQUEST['section'] : ''; Found at line:24 echo '<input id="section" name="section" type="hidden" value="'.$active_section.'"/>'; File Name: testfiles/Easy Social Share Buttons for WordPress v3.2.5/easy-social-share-buttons3/lib/core/options/essb-options-interface.php Found at line:9 $active_subsection = isset($_REQUEST['subsection']) ? $_REQUEST['subsection'] : ''; Found at line:25 echo '<input id="subsection" name="subsection" type="hidden" value="'.$active_subsection.'"/>'; Found at line:26 echo '<input id="tab" name="tab" type="hidden" value="'.$current_tab.'"/>'; ---------------------------------------- Fix: Update to 3.5 Vulnerability Disclosure Timeline: → March 12, 2016 – Bug discovered, initial report to Vendor → March 14, 2016 – Vendor Acknowledged → March 30, 2016 – Vendor Deployed a Patch Pub Ref: https://0x62626262.wordpress.com/2016/04/21/easy-social-share-buttons-for-wordpress-xss-vulnerability/ http://fb.creoworx.com/essb/change-log/ Download attachment "0xE5D04434.asc" of type "application/pgp-keys" (61463 bytes) Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists