Open Source and information security mailing list archives
Date: Tue, 5 Mar 2013 10:35:43 +0100
From: alej andr0 <alejandr0.m0f0@...il.com>
To: undisclosed-recipients:;
Subject: WordPress Count-Per-Day plugin 3.2.5. Type-1 (reflected) Cross Site Scripting (XSS)

#------------------
# WordPress Count-Per-Day plugin 3.2.5. Type-1 (reflected) Cross Site Scripting (XSS)
#
# affected versions <= 3.2.5. (tested on 3.2.5, 3.2.3)
#
# impact:
# - code execution in browser context
#
# author: alejandr0.m0f0

1/ navigate to the page: /wordpress/wp-admin/?page=cpd_metaboxes

2/ at the bottom of the page, under "visitors per day", the current date is printed (e.g., 2013-03-04).
   replace the contents of this field with 2013-03-04"><img src=x onerror=alert(1)>
   and press Show.

3/ the request is submitted and the server reflects the sent value. the server-side filter is the identity (the value is echoed back unmodified), so this is trivial to exploit: the payload gets executed.

----------
example of exploitation:
-------------------
POST .../wordpress/wp-admin/?page=cpd_metaboxes HTTP/1.1
...
daytoshow=2013-03-04%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&showday=Show
-------------------

# requirements: the victim must be authenticated as a user with access to this plugin (e.g., admin)
# this is still a practical attack if, e.g., the attacker embeds an iframe on a website he controls: assuming the victim is logged in to WordPress, the SOP access control is bypassed.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
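The reflection pattern the advisory describes, shown as an added example that is not the Count-Per-Day plugin's own code: a minimal WordPress admin form handler that echoes the submitted `daytoshow` value straight into an attribute (the defect), next to a hardened handler that checks capability, requires a nonce (which rejects the cross-site iframe/form delivery the advisory mentions), validates the value as a calendar date and escapes it with `esc_attr()` on output. The `cpd_example_*` function names, the `manage_options` capability and the nonce action name are assumptions for illustration; the plugin's real function names and capability check are not on the page.

```php
<?php
// Added example, not the plugin's code. Function names cpd_example_* and the
// manage_options capability are assumptions; only WordPress core APIs
// (current_user_can, wp_die, check_admin_referer, wp_nonce_field, wp_unslash,
// esc_attr) are real.

// VULNERABLE pattern: the POSTed value is written back into the value=""
// attribute unmodified, so a value ending in "><img src=x onerror=...> closes
// the attribute and the <input> tag and the browser renders the injected tag.
function cpd_example_form_vulnerable() {
    $day = isset($_POST['daytoshow']) ? $_POST['daytoshow'] : date('Y-m-d');
    echo '<form method="post">';
    echo '<input type="text" name="daytoshow" value="' . $day . '">';
    echo '<input type="submit" name="showday" value="Show">';
    echo '</form>';
}

// Accept only a real YYYY-MM-DD calendar date; anything else is rejected.
function cpd_example_valid_day($value) {
    if (!is_string($value) || !preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $value, $m)) {
        return null;
    }
    // checkdate(month, day, year) rejects e.g. 2013-02-30
    return checkdate((int) $m[2], (int) $m[3], (int) $m[1]) ? $value : null;
}

// HARDENED handler:
//  1. capability check so only users allowed to use the page get this far,
//  2. nonce check so a POST forged from another origin (iframe/form on an
//     attacker-controlled site) is refused even if the victim is logged in,
//  3. strict input validation, falling back to today's date on bad input,
//  4. output escaping for the attribute context regardless of validation,
//     so a later change to the validation cannot reintroduce the reflection.
function cpd_example_form_hardened() {
    if (!current_user_can('manage_options')) {          // assumed capability
        wp_die('Insufficient permissions.');
    }
    $day = date('Y-m-d');
    if (isset($_POST['showday'])) {
        check_admin_referer('cpd_example_show_day');    // dies on missing/invalid nonce
        $raw = isset($_POST['daytoshow']) ? wp_unslash($_POST['daytoshow']) : '';
        $candidate = cpd_example_valid_day($raw);
        if ($candidate !== null) {
            $day = $candidate;
        }
    }
    echo '<form method="post">';
    wp_nonce_field('cpd_example_show_day');             // emits the hidden nonce field
    echo '<input type="text" name="daytoshow" value="' . esc_attr($day) . '">';
    echo '<input type="submit" name="showday" value="Show">';
    echo '</form>';
}
```

The escaping in step 4 is what closes the reported bug on its own; the nonce in step 2 is what removes the "victim visits an attacker's page while logged in" delivery path, and the validation in step 3 means the reflected value can never be anything but a date even if the template is later edited. Keep all three; each covers a failure of the others.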