lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <571BBF62.9000906@gmail.com>
Date: Sun, 24 Apr 2016 00:00:58 +0530
From: Rahul Pratap Singh <techno.rps@...il.com>
To: bugtraq@...urityfocus.com
Subject: Easy Social Share Buttons for WordPress XSS Vulnerability

## FULL DISCLOSURE

#Product :Easy Social Share Buttons for WordPress
#Exploit Author : Rahul Pratap Singh
#Version :3.2.5
#Home page Link :
http://codecanyon.net/item/easy-social-share-buttons-for-wordpress/6394476
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 21/4/2016

XSS Vulnerability:

----------------------------------------
Description:
----------------------------------------
Following  parameters are not sanitized that leads to XSS Vulnerability.

----------------------------------------
Vulnerable Code:
----------------------------------------

 File Name: testfiles/Easy Social Share Buttons for WordPress
v3.2.5/easy-social-share-buttons3/lib/modules/social-image-share/essb-social-image-share-selected.php
Found at line:16
echo '<link rel="canonical" href="'.$page_link.'"/>';
Found at line:17
echo '<meta property="og:url" content="'.$page_link.'"/>';
Found at line:18
echo '<meta property="twitter:url" content="'.$page_link.'"/>';
Found at line:20
echo '<meta property="og:image" content="http://'.$_GET['img'].'"/>';
Found at line:21
echo '<meta property="twitter:image" content="http://'.$_GET['img'].'"/>';
Found at line:38
echo '<meta http-equiv="refresh" content="0;url='.$_GET['url'].'">';

File Name: testfiles/Easy Social Share Buttons for WordPress
v3.2.5/easy-social-share-buttons3/lib/modules/social-metrics-lite/esml-render-results.php
Found at line:49
<input type="hidden" name="page" value="<?php echo $_REQUEST['page'] ?>" />

File Name: testfiles/Easy Social Share Buttons for WordPress
v3.2.5/easy-social-share-buttons3/lib/admin/essb-settings-shortcode-generator.php
Found at line:3
$active_shortcode = isset($_REQUEST['code']) ? $_REQUEST['code'] :
'easy-social-share';
Found at line:7
$scg->activate($active_shortcode);
Found at line:53
<input type="hidden" id="code" name="code" value="<?php echo
$active_shortcode; ?>"/>

File Name: testfiles/Easy Social Share Buttons for WordPress
v3.2.5/easy-social-share-buttons3/lib/core/options/essb-options-interface.php
Found at line:8
$active_section = isset($_REQUEST['section']) ? $_REQUEST['section'] : '';
Found at line:24
echo '<input id="section" name="section" type="hidden"
value="'.$active_section.'"/>';

File Name: testfiles/Easy Social Share Buttons for WordPress
v3.2.5/easy-social-share-buttons3/lib/core/options/essb-options-interface.php
Found at line:9
$active_subsection = isset($_REQUEST['subsection']) ?
$_REQUEST['subsection'] : '';
Found at line:25
echo '<input id="subsection" name="subsection" type="hidden"
value="'.$active_subsection.'"/>';
Found at line:26
echo '<input id="tab" name="tab" type="hidden" value="'.$current_tab.'"/>';
----------------------------------------

Fix:
Update to 3.5

Vulnerability Disclosure Timeline:
→ March 12, 2016  – Bug discovered, initial report to Vendor
→ March 14, 2016  – Vendor Acknowledged
→ March 30, 2016  – Vendor Deployed a Patch

Pub Ref:
https://0x62626262.wordpress.com/2016/04/21/easy-social-share-buttons-for-wordpress-xss-vulnerability/
http://fb.creoworx.com/essb/change-log/

Download attachment "0xE5D04434.asc" of type "application/pgp-keys" (61463 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ