| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 24 Apr 2016 00:03:01 +0530 From: Rahul Pratap Singh <techno.rps@...il.com> To: bugtraq@...urityfocus.com Subject: CM-AD-Changer XSS Vulnerability ## FULL DISCLOSURE #Product : cm-ad-changer #Exploit Author : Rahul Pratap Singh #Version :1.7.2 #Home page Link : https://wordpress.org/plugins/cm-ad-changer/ #Website : 0x62626262.wordpress.com #Linkedin : https://in.linkedin.com/in/rahulpratapsingh94 #Date : 21/4/2016 XSS Vulnerability: ---------------------------------------- Description: ---------------------------------------- Following parameters are not sanitized that leads to XSS Vulnerability. title, comment, link ---------------------------------------- Vulnerable Code: ---------------------------------------- File Name: testfiles/cm-ad-changer/backend/views/admin_settings.php Found at line:61 <input type="checkbox" name="acs_active" id="acs_active" value="1" <?php echo ($fields_data['acs_active'] == '1' ? 'checked=checked' : '') ?> /> Found at line:73 <textarea id="acs_custom_css" name="acs_custom_css" rows=7 value="<?php echo stripslashes($fields_data['acs_custom_css']) ?>"><?php echo stripslashes($fields_data['acs_custom_css']) ?></textarea> File Name: testfiles/cm-ad-changer/backend/views/admin_campaigns.php Found at line:96 <textarea value="<?php echo (isset($fields_data['comment']) ? stripslashes($fields_data['comment']) : '') ?>" name="comment" id="comment"><?php echo (isset($fields_data['comment']) ? stripslashes($fields_data['comment']) : '') ?></textarea> ---------------------------------------- POC: ---------------------------------------- https://0x62626262.files.wordpress.com/2016/04/cm-ad-changer-xss-poc.png https://0x62626262.files.wordpress.com/2016/04/cm-ad-changer-xss-poc1.png Fix: Update to 1.7.6 Vulnerability Disclosure Timeline: → March 14, 2016 – Bug discovered, initial report to Vendor. → March 22, 2016 – No Response. Report sent again. → March 23, 2016 – WordPress Acknowledged. → April 21, 2016 – Full Disclosure. Pub Ref: https://0x62626262.wordpress.com/2016/04/21/cm-ad-changer-xss-vulnerability/ https://ad-changer.cminds.com/cm-ad-changer-plugin-free-edition-release-notes/ Download attachment "0xE5D04434.asc" of type "application/pgp-keys" (61463 bytes) Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists