lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AMSPR07MB1790D273115DABD539F32D9BBA10@AMSPR07MB179.eurprd07.prod.outlook.com>
Date: Mon, 22 Jun 2015 10:28:40 +0000
From: Liran Segal <lirans@...sec.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CVE-2015-4557 - Wordpress “Nextend Twitter Connect” &  “Nextend Google Connect” Cross Site Scripting

Wordpress “Nextend Twitter Connect”
===================================
Document Title:
===============
WordPress “Nextend Twitter Connect” Plugin Version: 1.5.1 is vulnerable to Reflected XSS (Cross Site Scripting)


Download URL:

=============

https://wordpress.org/plugins/nextend-twitter-connect/



Release Date:

=============
2015-06-20


Vulnerability CVE ID:

=====================
CVE-2015-4557


Vulnerability Disclosure Timeline:

==================================
2015 – 06 – 15 First notified to WordPress.
2015 – 06 – 15 First notified to plugin vendor .
2015 – 06 – 15 First notified to Mitre for CVE number.
2015 – 06 – 16 Vendor publish update for the plugin.
2015 – 06 – 22 Public Disclosure.


Discovery Status:

=================

Published


Severity Level:

===============

High


Technical Details, Description & Proof of Concept (PoC):

========================================================

After installing Wordpress I add the plugin "Nextend Twitter Connect" witch allow you to login Wordpress with Twitter account.

During my test I find out that the “redirect_to” parameter is vulnerable to Reflected XSS attack.
http://www.siz.co.il/my.php?i=hvmwzqo0tmjw.png


To reach to root of the problem, I took a look in the plugin source code and realized that the “new_Twitter_sign_button” witch located in the file “nextend-Twitter-connect.php”.

The problematic function are locate in line 492:
http://www.siz.co.il/my.php?i=bndijzkozjdy.png


As you can see in the line 492, the function don’t escapes HTML tags or other dangerous symbols.

When attacker injects the Javascript code in the URL the function runs the code, as you can see:

http://www.siz.co.il/my.php?i=ni4jzmzjmrni.png

And pop the alert window.


Solution - Fix & Patch:

=======================

In order to solve this security flaw you need to add the “htmlentities” function. (http://php.net/htmlentities)

As you can see in the image:
http://www.siz.co.il/my.php?i=yjz4jmie4m1g.png



Wordpress “Nextend Google Connect”
===================================
Document Title:
===============
WordPress “Nextend Google Connect” Plugin Version: 1.5.1 is vulnerable to Reflected XSS (Cross Site Scripting)


Download URL:

=============

https://wordpress.org/plugins/nextend-google-connect/



Release Date:

=============
2015-06-20


Vulnerability CVE ID:

=====================
CVE-2015-4557


Vulnerability Disclosure Timeline:

==================================
2015 – 06 – 15 First notified to WordPress.
2015 – 06 – 15 First notified to plugin vendor .
2015 – 06 – 15 First notified to Mitre for CVE number.
2015 – 06 – 16 Vendor publish update for the plugin.
2015 – 06 – 22 Public Disclosure.


Discovery Status:

=================

Published


Severity Level:

===============

High


Technical Details, Description & Proof of Concept (PoC):

========================================================

After installing Wordpress I add the plugin "Nextend Google Connect" witch allow you to login Wordpress with Google account.

During my test I find out that the “redirect_to” parameter is vulnerable to Reflected XSS attack.
http://www.siz.co.il/my.php?i=yzjzqwyn4qo3.png


To reach to root of the problem, I took a look in the plugin source code and realized that the “new_google_sign_button” witch located in the file “nextend-Google-connect.php”.

The problematic function are locate in line 433:

http://www.siz.co.il/my.php?i=z4dnntazxkmz.png


As you can see in the line 433, the function don’t escapes HTML tags or other dangerous symbols.

When attacker injects the Javascript code in the URL the function runs the code, as you can see:

http://www.siz.co.il/my.php?i=0omtugeig1z0.png



And pop the alert window.


Solution - Fix & Patch:

=======================

In order to solve this security flaw you need to add the “htmlentities” function. (http://php.net/htmlentities)

As you can see in the image:
http://sizmedia.com/my.php?i=zmnjdljwthmm.png


Liran Segal (Bugsec Information Security LTD)

Regards,
Liran Segal
Penetration Testing
BugSec Cyber & Information Security

____________________________________________________________________________________________________________________________________________________________________________________________


Office: 03-9622655 Fax: 03-9511433 Mobile: 054-8308351

Mail: lirans@...sec.com<mailto:lirans@...sec.com> Site: www.bugsec.com<http://www.bugsec.com/>

[תיאור: תיאור: תיאור: bugsec_car_logo]<http://www.bugsec.com/>
Would you know if you’re under attack?
[תיאור: cid:image002.jpg@...F3E27.3B0DCAC0]<http://www.cyber-spear.com/>


Download attachment "image001.jpg" of type "image/jpeg" (2257 bytes)

Download attachment "image002.jpg" of type "image/jpeg" (5152 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ