WordPress Pretty Photo Cross Site Scripting

2013-11-21 / 2013-12-21
Credit: Rafay Baloch
Risk: Low
Local: No
Remote: Yes

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Wp-Pretty Photo DOM Based XSS Vulnerability Details ======= Product: PrettyPhoto Plugin Security-Risk: Moderate Remote-Exploit: yes Company: RHAINFOSEC Website: http://services.rafayhackingarticles.net Vendor-URL: https://github.com/scaron/prettyphoto Vendor-Status: informed Advisory-Status: published Credits ======= Discovered by: Rafay Baloch http://services.rafayhackingarticles.net Description ======== The worpdress pretty photo plugin appears to be vulnerable to a DOM based xss, unlike other XSS, dom based xss occurs on the client side, thus leaving all the server side defenses worthlesss. The issue occurs inside the client side javascripts where the source (User supplied input) is passed through a vulnerable sink (Anything that creates/writes) without sanitsing/escaping the user supplied input More Details ========= Line 623: hashIndex = getHashtag(); Inside the line 623, we see a variable hashIndex which calls th e getHashtag() function, which is responsible for returning the user supplied values after the hash. Let's take a look at teh getHashtag() function: getHashtag() { url=location.href;hashtag=(url.indexOf('#!')!=-1)?decodeURI (url.substring(url.indexOf('#!')+2,url.length)):false;return hashtag;}; The function getHashtag() is used for returning the user supplied input, the function also checks if the user input contains the hash bang and then returns the value. setTimeout(function() { $("a[rel^='" + hashRel + "']:eq(" + hashIndex + ")").trigger('click'); }, 50); Finally we have the above line which is responsible for the cause of the dom based xss, the $("a[rel^='" + hashRel + "']:eq(" + hashIndex + ") writes the user supplied input to the dom without sanitising the input. POC === http://target.com/#!%22%3E%3Cimg%20src=1%20onerror=prompt%280%29;%3E// The issue was fixed by sanitising the "hashrel" input before returning it to the user. hashIndex = parseInt(hashIndex); hashRel = hashRel.replace(/([ #;&,.+*~\':"!^$[\]()=>|\/])/g,'\\$1'); References ========== http://www.rafayhackingarticles.net/2013/05/kali-linux-dom-based-xss-writeup.html



Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com


Back to Top