| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <AMSPR07MB179B026995A08EA60BFFC90BBA10@AMSPR07MB179.eurprd07.prod.outlook.com> Date: Mon, 22 Jun 2015 08:52:42 +0000 From: Liran Segal <lirans@...sec.com> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] CVE-2015-4413 - Wordpress “Nextend Facebook Connect” Cross Site Scripting Document Title: =============== WordPress “Nextend Facebook Connect” Plugin Version: 1.5.4 is vulnerable to Reflected XSS (Cross Site Scripting) Download URL: ============= https://wordpress.org/plugins/nextend-facebook-connect/ Release Date: ============= 2015-06-20 Vulnerability CVE ID: ===================== CVE-2015-4413 Vulnerability Disclosure Timeline: ================================== 2015 – 06 – 03 First notified to WordPress. 2015 – 06 – 07 First notified to plugin vendor . 2015 – 06 – 10 First notified to Mitre for CVE number. 2015 – 06 – 11 Vendor publish update for the plugin. 2015 – 06 – 22 Public Disclosure. Discovery Status: ================= Published Severity Level: =============== High Technical Details, Description & Proof of Concept (PoC): ======================================================== After installing Wordpress I add the plugin " Nextend Facebook Connect" witch allow you to login Wordpress with Facebook account. During my test I find out that the “redirect_to” parameter is vulnerable to Reflected XSS attack. To reach to root of the problem, I took a look in the plugin source code and realized that the “new_fb_sign_button()” witch located in the file “nextend-facebook-connect.php”. The problematic function are locate in line 432: http://www.siz.co.il/my.php?i=djvy5z2yhczl.png As you can see in the line 432, the function don’t escapes HTML tags or other dangerous symbols. When attacker injects the Javascript code in the URL the function runs the code, as you can see: http://www.siz.co.il/my.php?i=zeu3dnmw5ktz.png And pop the alert window. Solution - Fix & Patch: ======================= In order to solve this security flaw you need to add the “htmlentities” function. (http://php.net/htmlentities) As you can see in the image: http://www.siz.co.il/my.php?i=3jwizyzfgtmu.png Liran Segal (Bugsec Information Security LTD) Regards, Liran Segal Penetration Testing BugSec Cyber & Information Security ____________________________________________________________________________________________________________________________________________________________________________________________ Office: 03-9622655 Fax: 03-9511433 Mobile: 054-8308351 Mail: lirans@...sec.com<mailto:lirans@...sec.com> Site: www.bugsec.com<http://www.bugsec.com/> [תיאור: תיאור: תיאור: bugsec_car_logo]<http://www.bugsec.com/> Would you know if you’re under attack? [תיאור: cid:image002.jpg@...F3E27.3B0DCAC0]<http://www.cyber-spear.com/> Download attachment "image001.jpg" of type "image/jpeg" (2257 bytes) Download attachment "image002.jpg" of type "image/jpeg" (5152 bytes) _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists