Date: Sat, 16 Apr 2016 13:59:06 +0530
From: shravan kumar <cor3sm4sh3r@...il.com>
To: oss-security@...ts.openwall.com
Subject: Reflected XSS Vulnerability in Wordpress Custom-metas plugin 1.5.1

Hello,

I would like to disclose an XSS vulnerability in Custom-metas plugin version
1.5.1.

The plugin can be found at https://wordpress.org/plugins/custom-metas/


Reproduction steps:

   - Install the plugin custom-metas
   - Log in to wp-admin as administrator (tested on Firefox)
   - Pass the XSS payload as a GET parameter to
   /wp-admin/admin.php?page=custom-metas&paged=<XSS payload here>
   - Example:
   http://targetip/WPinstallationdir/wp-admin/admin.php?page=custom-metas&paged="><script>alert(1);</script>
   - You will see an alert box.

Technical details:

This vulnerability is caused by unsanitized GET parameters that are
displayed directly on the page without any filtering.

The vulnerable page is

/wp-content/plugins/custom-metas/tpl/meta-data-form-multiple.php


The code responsible for the vulnerability is

LINE 10
 $currentPageNo = ( isset($_GET['paged']) && $_GET['paged'] != "")? $_GET['paged']:1;

The $currentPageNo variable is set directly from $_GET['paged'].

It is then displayed in an unsafe manner, i.e. without any filtering, in the
following line of code:

LINE 43

<input type="text" size="2" value="<?php echo $currentPageNo;?>"
name="paged" title="Current page" id="postCurrent" class="current-page" />
of <span class="total-pages"><?php echo $tPostNumCount; ?></span>


-- 
Shravan Kumar
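
The pattern described in the technical details above, next to a hardened form, as an added example that is not part of the original post and is not the plugin's code. The function names and sample inputs are constructed for illustration; `htmlspecialchars()` stands in for WordPress's `esc_attr()` so the script runs without WordPress loaded.

```php
<?php
// Added example: function names are hypothetical, not from the plugin.

// Mirrors the pattern quoted from lines 10 and 43 of the template:
// the raw query value is echoed into a double-quoted attribute.
function render_page_input_unsafe(array $query): string
{
    $currentPageNo = (isset($query['paged']) && $query['paged'] != "") ? $query['paged'] : 1;
    return '<input type="text" size="2" value="' . $currentPageNo . '" name="paged" />';
}

// Hardened form: a page number can only be a positive integer, so validate
// it as one on input, then escape for the attribute context on output.
function render_page_input_safe(array $query): string
{
    $currentPageNo = 1; // default when the parameter is absent or invalid
    if (isset($query['paged']) && is_scalar($query['paged'])) {
        $n = filter_var(
            $query['paged'],
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1]]
        );
        if ($n !== false) {
            $currentPageNo = $n;
        }
    }
    // Inside WordPress the equivalent calls would be absint() and esc_attr().
    $escaped = htmlspecialchars((string) $currentPageNo, ENT_QUOTES, 'UTF-8');
    return '<input type="text" size="2" value="' . $escaped . '" name="paged" />';
}

// Constructed sample inputs standing in for $_GET.
$samples = [
    [],                                            // parameter absent
    ['paged' => '3'],                              // normal use
    ['paged' => '"><script>alert(1);</script>'],   // payload from the report
];

foreach ($samples as $query) {
    echo "input:  " . json_encode($query) . "\n";
    echo "unsafe: " . render_page_input_unsafe($query) . "\n";
    echo "safe:   " . render_page_input_safe($query) . "\n\n";
}
```

With the third sample, the unsafe output closes the `value` attribute and the `<input>` tag early, while the safe output falls back to `value="1"`.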
