WordPress Encrypted Blog 0.0.6.2 XSS & Open Redirect

2013.08.29
Credit: k3170makan
Risk: Low
Local: No
Remote: Yes
CVE: N/A

*XSS and Uncontrolled Redirect Vulnerabilities in the Encrypted Blog Plugin for WordPress*

# Date: 28 August 2013
# Author: k3170makan
# Vendor or Software Link: http://wordpress.org/plugins/encrypted-blog/
# Version: 0.0.6.2
# Category: webapps
# Tested on: N/A

The Encrypted Blog plug-in for WordPress suffers from multiple vulnerabilities that expose authenticated WordPress users to Cross-Site Scripting and uncontrolled (open) redirects. In combination they leak the encryption key set by the WordPress user: the form that collects the key takes its action URL from an attacker-controlled parameter, so a user who submits the key through a poisoned link posts it wherever the attacker chose.

*Cross-Site Scripting:*

The value of the redirect_to parameter, supplied via GET to encrypted_blog_form.php, is not sanitized and is echoed straight into the form's action attribute, allowing attackers to inject HTML, JavaScript and other client-side scripting content. Here is the code, from https://github.com/marcusds/EncryptedBlog/blob/master/encrypted_blog_form.php:

    13 <form name="loginform" id="loginform" action="<?php
    14 if( isset( $_GET['redirect_to'] ) && !empty( $_GET['redirect_to'] ) )
    15 {
    16     echo $_GET['redirect_to'];
    17     if( strpos( $_GET['redirect_to'], '?' ) === false && substr( $_GET['page'], -1 ) !== '/') {
    18         echo '/';
    19     }
    20 }
    21 else
    22 {
    23     echo './';
    24 }

Line 16 shows that the echo is done without escaping the redirect_to value or removing any potentially malicious HTML. Because the value lands inside a double-quoted attribute, a payload only needs a double quote to close the attribute and then inject arbitrary markup and script.

PoC: http://imgur.com/S9L4FeV

*Uncontrolled Redirect:*

The uncontrolled redirect stems from the following code: https://github.com/marcusds/EncryptedBlog/blob/master/encrypted_blog_form.php#L43

Line 43 shows that the unsanitized and uncontrolled value of the redirect_to parameter is used to build redirects, meaning that attackers are able to send victims to arbitrary domains. A plug-in that needs to return users to a page after the form is submitted should restrict the target to the site's own host; WordPress ships wp_validate_redirect() and wp_safe_redirect() for exactly this purpose.

PoC: http://imgur.com/LrWmB77

-- 
Keith Makan (k3170makan) <http://about.me/k3170makan>
blog.k3170makan.com
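As an added example (not the plug-in's code and not part of the advisory), the following standalone PHP puts the vulnerable form-action construction from the listing beside a hardened version that addresses both findings at once: the redirect target is checked against a host allowlist before use, and then attribute-escaped before it is echoed. The host names, helper names and payloads are assumptions made for illustration; inside WordPress, esc_attr() and wp_validate_redirect() are the stock equivalents of the helpers shown here.

```php
<?php
// Added example, not the Encrypted Blog plug-in's code. Runs with the PHP
// CLI (php example.php) and needs no WordPress install: the constructed
// arrays at the bottom stand in for $_GET.

// --- Vulnerable: mirrors the plug-in's logic (line 16 of the listing) ---
function vulnerable_form_action(array $get): string
{
    $out = '';
    if (isset($get['redirect_to']) && !empty($get['redirect_to'])) {
        $out .= $get['redirect_to'];                 // raw echo into the action attribute
        if (strpos($get['redirect_to'], '?') === false
            && substr($get['page'] ?? '', -1) !== '/') {
            $out .= '/';
        }
    } else {
        $out .= './';
    }
    return '<form name="loginform" action="' . $out . '">';
}

// --- Hardened: allowlist the target host, then attribute-escape the value ---
// $trusted_hosts is an assumption for this example; in WordPress the same
// check is wp_validate_redirect() driven by the allowed_redirect_hosts filter.
function safe_redirect_target(?string $candidate, array $trusted_hosts, string $default = './'): string
{
    if ($candidate === null || $candidate === '') {
        return $default;
    }
    // Backslashes are treated as slashes by browsers ("/\evil.example" becomes
    // "//evil.example"), and CR/LF would split a Location header if the value
    // were later passed to header(). Reject rather than try to repair.
    if (preg_match("/[\\\\\r\n]/", $candidate)) {
        return $default;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $default;                              // seriously malformed
    }
    if (isset($parts['scheme'])
        && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default;                              // javascript:, data:, ...
    }
    // parse_url() reports a host for "//evil.example/..." as well, so
    // protocol-relative redirects are caught by the same allowlist check.
    if (isset($parts['host'])
        && !in_array(strtolower($parts['host']), $trusted_hosts, true)) {
        return $default;                              // open redirect to a foreign host
    }
    return $candidate;
}

function hardened_form_action(array $get, array $trusted_hosts): string
{
    $target = safe_redirect_target($get['redirect_to'] ?? null, $trusted_hosts);
    if (strpos($target, '?') === false && substr($target, -1) !== '/') {
        $target .= '/';
    }
    // ENT_QUOTES encodes both " and ', so the value can no longer terminate
    // the attribute. esc_attr() does the same job inside WordPress.
    return '<form name="loginform" action="'
        . htmlspecialchars($target, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Constructed inputs (not taken from the advisory's PoC screenshots).
$inputs = [
    'xss'       => ['redirect_to' => '"><script>alert(document.cookie)</script>', 'page' => 'x'],
    'absolute'  => ['redirect_to' => 'https://attacker.example/collect', 'page' => 'x'],
    'protorel'  => ['redirect_to' => '//attacker.example/collect', 'page' => 'x'],
    'backslash' => ['redirect_to' => '/\\attacker.example/collect', 'page' => 'x'],
    'benign'    => ['redirect_to' => '/wp-admin/admin.php?page=encrypted-blog', 'page' => 'x'],
];

foreach ($inputs as $name => $get) {
    echo "[$name]\n";
    echo "  vulnerable: " . vulnerable_form_action($get) . "\n";
    echo "  hardened:   " . hardened_form_action($get, ['blog.example']) . "\n";
}
```

The benign local path is passed through unchanged by the hardened version, while the script payload is neutralised by escaping and every foreign-host form (absolute, protocol-relative, backslash) collapses to the default "./". The same safe_redirect_target() gate belongs in front of any header('Location: ...') call that consumes redirect_to, which is the open-redirect half of the advisory.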

References:

http://wordpress.org/plugins/encrypted-blog/

Copyright 2024, cxsecurity.com