Date: Wed, 01 Mar 2017 04:39:21 -0500
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Persistent XSS Vulnerability in Wordpress plugin AnyVar v0.1.1

Title: Persistent XSS Vulnerability in Wordpress plugin AnyVar v0.1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2017-02-21
Download Site: https://wordpress.org/plugins/anyvar
Vendor: https://profiles.wordpress.org/matt_dev/
Vendor Notified: 2017-02-28
Vendor Contact: plugins@...dpress.org
Description: AnyVar is a simple search and replace plugin. It lets you add changeable variables (text snippets) to posts, sidebars, widgets, links & themes.
Vulnerability:
$var_name and $var_text aren't sanitized before being sent to the webpage. $var_name can only contain text, so only $var_text is exploitable.
In file ./anyvar/anyvar.php:

                        echo "<tr id='anyvar-$var_name' $class>
                                <th scope='row' class='check-column'><input type='checkbox' name='delete[]' value='$var_name' /></th>
                                <td><a class='row-title' href='?page=".$_GET['page']."&action=edit&amp;var=$var_name' title='Edit &quot;$var_name&quot;'> $var_name</a></td>
                                <td>[$var_name]</td>
                                <td><textarea name='anyvar_text_$var_name' id='anyvar_text_$var_name' cols='60' rows='3' readonly>$var_text</textarea></td>

CVE-ID: CVE-2017-6103
Exploit Code:
	• In the text field box the following will trigger a JS alert popup:
	• </textarea><script>alert(1);</script><textarea>
Screen Shots: [http://www.vapidlabs.com/m/xssvar.png]
Advisory: http://www.vapidlabs.com/advisory.php?v=177
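The following is an added example, not code from the advisory or from the AnyVar plugin, showing the row rendering from anyvar.php beside a hardened version that escapes each value for the context it lands in. It assumes WordPress's esc_attr() and esc_textarea(); the stand-in definitions let it run outside WordPress and mirror what those core functions do (htmlspecialchars with ENT_QUOTES).

```php
<?php
// Added example, not the plugin's code. Outside WordPress, esc_attr() and
// esc_textarea() do not exist, so provide stand-ins that behave like the core
// functions (both wrap htmlspecialchars() with ENT_QUOTES). Assumption only.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_textarea')) {
    function esc_textarea($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable rendering, equivalent to the anyvar.php lines above:
// $var_name, $var_text and $_GET['page'] are interpolated into HTML unescaped.
function render_row_vulnerable($page, $var_name, $var_text, $class = '') {
    return "<tr id='anyvar-$var_name' $class>"
         . "<th scope='row' class='check-column'><input type='checkbox' name='delete[]' value='$var_name' /></th>"
         . "<td><a class='row-title' href='?page=$page&action=edit&amp;var=$var_name' title='Edit &quot;$var_name&quot;'> $var_name</a></td>"
         . "<td>[$var_name]</td>"
         . "<td><textarea name='anyvar_text_$var_name' id='anyvar_text_$var_name' cols='60' rows='3' readonly>$var_text</textarea></td>"
         . "</tr>";
}

// Hardened rendering: attribute values go through esc_attr(), the textarea body
// through esc_textarea(). $class is left as-is on the assumption that it is a
// server-set attribute string (e.g. class='alternate'), not user input.
function render_row_safe($page, $var_name, $var_text, $class = '') {
    $n = esc_attr($var_name);
    $p = esc_attr($page);
    return "<tr id='anyvar-$n' $class>"
         . "<th scope='row' class='check-column'><input type='checkbox' name='delete[]' value='$n' /></th>"
         . "<td><a class='row-title' href='?page=$p&action=edit&amp;var=$n' title='Edit &quot;$n&quot;'> $n</a></td>"
         . "<td>[$n]</td>"
         . "<td><textarea name='anyvar_text_$n' id='anyvar_text_$n' cols='60' rows='3' readonly>" . esc_textarea($var_text) . "</textarea></td>"
         . "</tr>";
}

// The payload from the advisory, stored as a variable's text (constructed input).
$payload = "</textarea><script>alert(1);</script><textarea>";

// Vulnerable: the stored </textarea> closes the element early and the <script> is live.
echo render_row_vulnerable('anyvar', 'greeting', $payload), "\n";

// Hardened: the value is shown literally as &lt;/textarea&gt;&lt;script&gt;... inside the textarea.
echo render_row_safe('anyvar', 'greeting', $payload), "\n";
```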
