lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-id: <BD3EB5D5-A900-4F56-94E2-E020173BEC12@me.com>
Date: Sun, 23 Feb 2014 20:29:18 -0500
From: "Larry W. Cashdollar" <larry0@...com>
To: full <full-disclosure@...ts.grok.org.uk>
Subject: Persistent XSS in Media File Renamer V1.7.0
	wordpress plugin

Title: Persistent XSS in Media File Renamer V1.7.0 wordpress plugin
Date: 1/31/2014
Author: Larry W. Cashdollar, @_larry0
Vendor: Notified 2/4/2014
CVE: 2014-2040 
Download: http://www.meow.fr/media-file-renamer/

Vulnerability:
The following functions do not sanitize input before being echoed out: 
In file mfrh_class.settings-api.php:
166     function callback_multicheck( $args ) {
167         $value = $this->get_option( $args['id'], $args['section'], $args['std'] );
168         
169         $html = '';
170         foreach ( $args['options'] as $key => $label ) {
171             $checked = isset( $value[$key] ) ? $value[$key] : '0';
172             $html .= sprintf( '
', $args['section'], $a    rgs['id'], $key, checked( $checked, $key, false ) );
173             $html .= sprintf( '
 %3$s
', $args['section'], $args['id'], $label, $key );
174         }   
175         $html .= sprintf( '
 %s', $args['desc'] );
176         
177         echo $html;
178     }   


    function callback_radio( $args ) {
186 
187         $value = $this->get_option( $args['id'], $args['section'], $args['std'] );
188         
189         $html = '';
190         foreach ( $args['options'] as $key => $label ) {
191             $html .= sprintf( '
', $args['section'], $args['id'], $    key, checked( $value, $key, false ) );
192             $html .= sprintf( '
 %3$s
', $args['section'], $args['id'], $label, $key );
193         }   
194         $html .= sprintf( '
 %s', $args['desc'] );
195         
196         echo $html;
197     }


 function callback_wysiwyg( $args ) {
250 
251         $value = wpautop( $this->get_option( $args['id'], $args['section'], $args['std'] ) );
252         $size = isset( $args['size'] ) && !is_null( $args['size'] ) ? $args['size'] : '500px';
253 
254         echo '

';
255 
256         wp_editor( $value, $args['section'] . '[' . $args['id'] . ']', array( 'teeny' => true, 'textarea_rows' => 10 ) );
257 
258         echo '

';
259 
260         echo sprintf( '

 %s
', $args['desc'] );
261     }


PoC: If a user with permission to add media or edit media uploads a file with "<script>alert(1)</script>" as the title they can XSS the site admin user. 

Full Advisory: http://www.vapid.dhs.org/advisories/wordpress/plugins/MediaFileRenamer-1.7.0/index.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ