Xorbin Analog Flash Clock 1.0 For WordPress XSS

2013.07.01
Credit: Prakhar Prasad
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
Dork: inurl:xorbin-analog-flash-clock

==================================================================== Xorbin Analog Flash Clock 1.0 Plugin for Wordpress Flash-based XSS ==================================================================== Description: This plugin displays analog flash clock on your website. It's easy to use and it's highly customizable. You can add analog flash clock to your website as a widget and use as many clocks as you like on one page Published: 30-06-2013 Version : 1.0 Severity : Low to Moderate CVSS Score: 5 CVE: 2013-4692 Authors : Prakhar Prasad http://www.prakharprasad.com Rafay Baloch http://www.rafayhackingarticles.net Download : http://wordpress.org/plugins/xorbin-analog-flash-clock/ Vendor : XORBin http://www.xorbin.com/ Google Dork: inurl:xorbin-analog-flash-clock Details: The vulnerability exists in "xorAnalogClock.swf" file of this plugin, "widgetUrl" and "urlWindow" parameter is taken from external input and is passed first into URLRequest() and then to navigateToURL() function. Pseudocode: navigateToURL(new URLRequest(_root.widgetUrl), _root.urlWindow); Proof-of-Concept: http://domain.tld/wordpress/wp-content/plugins/xorbin-analog-flash-clock/media/xorAnalogClock.swf#?urlWindow=_self&widgetUrl=javascript:alert(1); Clicking on clock will execute the Javascript payload. Solution: Similar method can be applied as described here - https://code.google.com/p/doctype-mirror/wiki/ArticleFlashSecurityGetURL

References:

http://www.prakharprasad.com


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top