23 Jun

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Analytics Tracker

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it. In those cases we put out a post detailing the vulnerability so that our customers have more complete information on it.

The changelog entry for version 1.1.1 of the plugin Analytics Tracker is “Fixed XSS vulnerability on search event, thanks to Arjan ...


To read the rest of this post you need to have an active account with our service.

For existing customers, please log in to your account to view the rest of the post.

If you are not currently a customer, when you sign up now you can try the service for free for the first month (there are a lot of other reasons that you will want to sign up beyond access to posts like this one).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

22 Jun

Reflected Cross-Site Scripting (XSS) Vulnerability in Product Catalog

We have recently been trying to get an idea of how effective it would be to proactively catch vulnerabilities at the point a change introducing them is made to a WordPress plugin. In one of the preliminary checks we immediately came across a reflected cross-site scripting (XSS) vulnerability in the plugin Product Catalog that has existed since its first version was released nearly four years ago.

Contrary to the scaremongering we have seen from other web security companies, this type of vulnerability isn't a major concern: we don't see hackers trying to exploit it on a large scale, and all major web browsers other than Firefox have XSS filtering that would need to be evaded to make it work. At the same time, this type of vulnerability shouldn't remain in a plugin that long, as it involves a failure of security at a fairly basic level and, in the form it took here, was easy to detect.

The vulnerability occurs in the file /html/CatalogueDetails.php on line 44:

<form id="nav-menu-meta" action="admin.php?page=UPCP-options&Action=UPCP_Catalogue_Details&Selected=Catalogue&Catalogue_ID=<?php echo $_GET['Catalogue_ID']; ?>#Catalogues" class="nav-menu-meta" method="post" enctype="multipart/form-data">

The value of the GET input "Catalogue_ID" is output into the action attribute without being escaped, so a value containing a double quote can close the attribute and the form tag and place malicious JavaScript on the page.
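As an added example (not the plugin's code), the vulnerable pattern from line 44 beside a hardened form. The function names upcp_action_vulnerable and upcp_action_hardened are hypothetical, and the two shims are approximations of WordPress's esc_attr() and absint() so that the file runs under the php CLI outside WordPress; inside WordPress the real functions are used and esc_url() would be the more specific choice for a URL attribute.

```php
<?php
// Added example, not the plugin's own code. Runs stand-alone with the php CLI.
if ( ! function_exists( 'esc_attr' ) ) {
    // Approximation of WordPress esc_attr(): HTML-escape including both quote characters.
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'absint' ) ) {
    // Approximation of WordPress absint(): non-negative integer cast.
    function absint( $value ) {
        return abs( (int) $value );
    }
}

const UPCP_BASE = 'admin.php?page=UPCP-options&Action=UPCP_Catalogue_Details&Selected=Catalogue&Catalogue_ID=';

// Vulnerable: the raw request value is concatenated into the action attribute. A value that
// begins with "> closes the attribute and the <form> tag, and the remainder is parsed as markup.
function upcp_action_vulnerable( array $get ) {
    return UPCP_BASE . $get['Catalogue_ID'] . '#Catalogues';
}

// Hardened: validate the type first (a catalogue ID is a database integer, so anything else is
// discarded), then escape for the attribute context anyway so that a later change of the
// parameter's type cannot silently reintroduce the bug. Escaping the whole value also turns the
// "&" separators into "&amp;", which is the correct encoding inside an HTML attribute.
function upcp_action_hardened( array $get ) {
    $id = isset( $get['Catalogue_ID'] ) ? absint( $get['Catalogue_ID'] ) : 0;
    return esc_attr( UPCP_BASE . $id . '#Catalogues' );
}

// Constructed input: the payload from the proof of concept, URL-decoded as PHP would see it in $_GET.
$attack = array( 'Catalogue_ID' => '"><script>alert(document.cookie);</script>' );

echo '<form action="' . upcp_action_vulnerable( $attack ) . '">', PHP_EOL;
echo '<form action="' . upcp_action_hardened( $attack ) . '">', PHP_EOL;
```

Running it prints the attribute as the plugin emits it, with the script tag intact, and then the hardened version, in which absint() has reduced the payload to 0 and nothing is left to inject. The integer cast alone would have closed this hole; the escaping is there for the day the parameter stops being an integer.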

We notified the developer of the issue a week ago. We haven't heard back from them, and while the plugin has been updated since then, the vulnerability hasn't been fixed.
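The post calls this form of the bug easy to detect. As an added example (not the plugin's or this service's code), a minimal version of the kind of check that could run when plugin changes are committed: flag any echo of a request superglobal that is not wrapped in an escaping or integer-casting call. The function name find_unescaped_echoes and the sample source are constructed for this example; the check is deliberately crude (one regular expression, one line at a time) and will miss indirect flows such as assigning $_GET to a variable first.

```php
<?php
// Added example, not the plugin's or the service's code. Runs stand-alone with the php CLI.

// Return every line on which a request superglobal reaches echo/print with nothing
// between the keyword and the superglobal that escapes or casts it.
function find_unescaped_echoes( string $source ): array {
    $hits = array();
    foreach ( explode( "\n", $source ) as $n => $line ) {
        // Capture the text between echo/print and the superglobal access (up to the next ";").
        if ( ! preg_match( '/\b(?:echo|print)\b([^;]*?)(\$_(?:GET|POST|REQUEST)\s*\[[^\]]*\])/', $line, $m ) ) {
            continue;
        }
        // Treat it as handled when the superglobal is the argument of an escaping/sanitising
        // function or is immediately cast to an integer. Anything else is reported.
        if ( preg_match( '/(?:\b(?:esc_\w+|htmlspecialchars|absint|intval)\s*\(|\(\s*int\s*\))\s*$/', $m[1] ) ) {
            continue;
        }
        $hits[] = array( 'line' => $n + 1, 'input' => $m[2] );
    }
    return $hits;
}

// Constructed sample: the two lines quoted in this post, followed by two hardened variants.
$sample = <<<'PHP'
<form action="admin.php?page=UPCP-options&Catalogue_ID=<?php echo $_GET['Catalogue_ID']; ?>#Catalogues">
<p style="margin-left: 20px"><?php echo $_POST['reason']; ?></p>
<p><?php echo esc_html( $_POST['reason'] ); ?></p>
<input value="<?php echo (int) $_GET['Catalogue_ID']; ?>">
PHP;

foreach ( find_unescaped_echoes( $sample ) as $hit ) {
    printf( "line %d: %s is echoed without escaping\n", $hit['line'], $hit['input'] );
}
```

On the sample it reports lines 1 and 2 and stays quiet on the escaped and cast variants. A check at this level of sophistication is exactly what would have caught the Product Catalog line on the day it was committed.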

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers. Because the affected page is in the WordPress admin area, the user visiting the link has to be logged in to an account that can access the plugin's settings page.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?page=UPCP-options&Action=UPCP_Catalogue_Details&Selected=Catalogue&Catalogue_ID=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E

Timeline

  • June 15, 2017 – Developer notified.

22 Jun

Reflected Cross-Site Scripting (XSS) Vulnerability in uCare

We have recently been trying to get an idea of how effective it would be to proactively catch vulnerabilities at the point a change introducing them is made to a WordPress plugin. During that preliminary checking we found that the plugin uCare contains a reflected cross-site scripting (XSS) vulnerability.

The vulnerability is an example of where one of the things we check for during our security reviews of WordPress plugins selected by our customers, making sure that code is included to restrict direct access to .php files that are not intended to be accessed directly, can be useful.

When the plugin is deactivated and the user chooses to provide feedback, the file /emails/product-feedback.php is included to generate the feedback message. That file can also be requested directly.

When accessed as intended, the use of output buffering causes the content output by the file not to be displayed in the web browser. But when accessed directly that doesn't occur, and several POST inputs are output without being escaped. As an example, on line 6 the POST input "reason" is output:

<p style="margin-left: 20px"><?php echo $_POST['reason']; ?></p>

That allows malicious JavaScript to be placed on the page.
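As an added example (not uCare's code), the two independent fixes for a template of this kind: a direct-access guard at the top of the file, and escaping at the point the value is written into HTML. The function name ucare_feedback_body is hypothetical; the esc_html() shim approximates the WordPress function so the file runs under the php CLI, and the PHP_SAPI check exists only so the example can continue past the guard on the command line (the real guard is the exit alone).

```php
<?php
// Added example, not uCare's own code. Runs stand-alone with the php CLI.

// Fix 1: refuse direct requests. WordPress defines ABSPATH while bootstrapping, so a request
// aimed straight at wp-content/plugins/<plugin>/emails/product-feedback.php never has it
// defined and stops here before any input is echoed. In the template itself this is simply:
//     if ( ! defined( 'ABSPATH' ) ) { exit; }
if ( ! defined( 'ABSPATH' ) && PHP_SAPI !== 'cli' ) {
    exit;
}

if ( ! function_exists( 'esc_html' ) ) {
    // Approximation of WordPress esc_html(): escape <, >, &, " and ' for text content.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Fix 2: escape every value where it is written into markup, whether or not the output is
// expected to be captured by an output buffer and sent as an email. The guard above is what
// stops the direct request; the escaping is what keeps the template safe if it is ever
// included from a context the author did not anticipate.
function ucare_feedback_body( array $post ) {
    $reason = isset( $post['reason'] ) ? $post['reason'] : '';
    return '<p style="margin-left: 20px">' . esc_html( $reason ) . '</p>';
}

// Constructed input: the payload from the proof of concept below, as PHP would see it in $_POST.
$attack = array( 'reason' => '<script>alert("XSS");</script>' );
echo ucare_feedback_body( $attack ), PHP_EOL;
```

With the guard in place a browser requesting the file directly receives nothing, and with the escaping in place the echoed paragraph contains the payload as visible text rather than as a script element.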

We contacted the developer of the plugin about the issue a week ago, but we have not heard back from them and the vulnerability has yet to be fixed.

Proof of Concept

The following proof of concept will cause an alert box containing "XSS" to be shown. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/ucare-support-system/emails/product-feedback.php" method="POST">
<input type="hidden" name="reason" value='<script>alert("XSS");</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • June 15, 2017 – Developer notified.

16 Jun

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in WordPress Download Manager

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it. In those cases we put out a post detailing the vulnerability so that our customers have more complete information on it.

There are a number of reasons we believe it is a good idea for the discoverer of a vulnerability to include ...


16 Jun

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in WP-Members

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it. In those cases we put out a post detailing the vulnerability so that our customers have more complete information on it.

An advisory was released by the JPCERT/CC and IPA that a cross-site scripting (XSS) vulnerability had been fixed in ...


06 Jun

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Memphis Documents Library

From time to time vulnerabilities are fixed in a plugin without someone putting out a report on the vulnerability, and we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven't been fully fixed (in some cases not fixed at all) and help to identify additional vulnerabilities in ...


19 May

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in MaxButtons

An advisory was released by JPCERT/CC and IPA that a cross-site scripting (XSS) vulnerability, discovered by "ASAI Ken and Chris Liu", had been fixed in version 6.19 of the plugin MaxButtons. In looking at the changes made in that version we found that it was a reflected cross-site scripting (XSS) vulnerability.

In version 6.18 in the file /includes/admin_header.php the ...


15 May

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Crafty Social Buttons

From time to time vulnerabilities are fixed in a plugin without someone putting out a report on the vulnerability, and we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven't been fully fixed (in some cases not fixed at all) and help to ...


05 May

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in RSS Post Importer

From time to time vulnerabilities are fixed in a plugin without someone putting out a report on the vulnerability, and we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven't been fully fixed (in some cases not fixed at all) and help to ...


03 May

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in SlideDeck 2 & 3

From time to time vulnerabilities are fixed in a plugin without someone putting out a report on the vulnerability, and we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven't been fully fixed (in some cases not fixed at all) and help to ...
