WordPress Infocus Theme Cross Site Scripting

2014.01.28
Credit: Rafay Baloch
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Infocus Theme DOM Based XSS Details ======= Product: Infocus Theme DOM Based XSS Security-Risk: Moderate Remote-Exploit: yes Company: RHAINFOSEC Website: http://services.rafayhackingarticles.net Vendor-URL: http://themeforest.net/item/infocus-powerful-professional-wordpress-theme/85486 Vendor-Status: informed Advisory-Status: published Credits ======= Discovered By: Rafay Baloch http://rhainfosec.com Description ======== The worpdress theme "Infocus" appears to use vulnerable instance of pretty photo plugin that is prone to a DOM based xss, unlike other XSS, dom based xss occurs on the client side, thus leaving all the server side defenses worthlesss. The issue occurs inside the client side javascripts where the source (User supplied input) is passed through a vulnerable sink (Anything that creates/writes) without sanitsing/escaping the user supplied input More Details ========= Line 623: hashIndex = getHashtag(); Inside the line 623, we see a variable hashIndex which calls th e getHashtag() function, which is responsible for returning the user supplied values after the hash. Let's take a look at teh getHashtag() function: getHashtag() { url=location.href;hashtag=(url.indexOf('#!')!=-1)?decodeURI (url.substring(url.indexOf('#!')+2,url.length)):false;return hashtag;}; The function getHashtag() is used for returning the user supplied input, the function also checks if the user input contains the hash bang and then returns the value. setTimeout(function() { $("a[rel^='" + hashRel + "']:eq(" + hashIndex + ")").trigger('click'); }, 50); Finally we have the above line which is responsible for the cause of the dom based xss, the $("a[rel^='" + hashRel + "']:eq(" + hashIndex + ") writes the user supplied input to the dom without sanitising the input. POC === http://target.com/#!%22%3E%3Cimg%20src=1%20onerror=prompt%280%29;%3E// The issue was fixed by sanitising the "hashrel" input before returning it to the user. hashIndex = parseInt(hashIndex); hashRel = hashRel.replace(/([ #;&,.+*~\':"!^$[\]()=>|\/])/g,'\\$1'); References ========== http://www.rafayhackingarticles.net/2013/05/kali-linux-dom-based-xss-writeup.html

References:

http://themeforest.net/item/infocus-powerful-professional-wordpress-theme/85486
http://www.rafayhackingarticles.net/2013/05/kali-linux-dom-based-xss-writeup.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top