[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Wordpress Download Monitor - Download Page Cross-Site Scripting

To: "'full-disclosure'" <full-disclosure@xxxxxxxxxxxxxxxxx>, "'bugtraq'" <bugtraq@xxxxxxxxxxxxxxxxx>, <secalert@xxxxxxxxxxxxxxxxxx>, <bugs@xxxxxxxxxxxxxxxxxxx>, "'vuln'" <vuln@xxxxxxxxxxx>, <vuln@xxxxxxxxxxxxxxxx>, <news@xxxxxxxxxxxxxx>, <moderators@xxxxxxxxx>, <submissions@xxxxxxxxxxxxxxxxxxxxxxx>, <submit@xxxxxxxxxxxxxx>
Subject: Wordpress Download Monitor - Download Page Cross-Site Scripting
From: "Joseph Sheridan" <joe@xxxxxxxxxxxxxx>
Date: Sun, 9 Sep 2012 10:26:10 +0100

/-----------------------------------------------------------------\
| Wordpress Download Monitor - Download Page Cross-Site Scripting |
\-----------------------------------------------------------------/


Summary
=======

Wordpress Download Monitor 3.3.5.7 is subject to a cross-site scripting 
vulnerability. The 'dlsearch' parameter is not sufficiently 

sanitised before being written to pages including the '[download_page]' 
shortcode. An attacker could distribute a malicious URL as part 

of a phishing campaign. Users following the link would trigger this 
vulnerability which could potentially steal session cookies, 

redirect the user to a malicious URL or download malware onto their machine.

CVE number: CVE-2012-4768
Impact: Medium
Vendor homepage: http://mikejolley.com/
Vendor notified: 30/08/2012
Vendor fixed: 30/08/2012
Credit: Chris Cooper and Joseph Sheridan of ReactionIS

This advisory is posted at:

http://www.reactionpenetrationtesting.co.uk/wordpress-download-monitor-xss.html


Affected Products
======== ========

Confirmed in Wordpress Download Monitor 3.3.5.7. Versions prior to 3.3.5.9 may 
also be affected.


Details
=======cv
The 'dlsearch' parameter, written to any page/post including the 
'[download_page]' shortcode, was found to be subject to a cross-site 

scripting vulnerability. It was possible to inject arbitrary Javascript code 
into the parameter which is passed into the page content 

without sanitisation. 

Injecting the following Javascript code will trigger the vulnerability, causing 
the page to return a Javascript alert box:

"><script>alert('xsstest')</script>

---
Example Request:
+---------------

GET /wp/?dlsearch="><script>alert('xsstest')</script> HTTP/1.1
Host: 192.168.0.6


---
Example Response:
+----------------

--- SNIP ---
<form id="download-page-search" action="" method="post">
<p><label for="dlsearch">Search Downloads:</label> <input type="text" 
name="dlsearch" id="dlsearch" value=""><script>alert('xsstest')

</script>" /><input class="search_submit" type="submit" value="Go" /><input 
type="hidden" name="page_id" value="2" 

/></p></form><h3>Results found for 
<em>""><script>alert('xsstest')</script>"</em> <small><a 

href="http://192.168.0.6/wp/";>&laquo;&nbsp;Downloads</a></small></h3>
--- SNIP ---


Impact
======

An attacker might entice users to follow a malicious URL, causing Javascript 
code to execute in their browser, potentially stealing 

session cookies, redirecting the user to a malicious URL or downloading malware 
onto their machine.


Solution
========

Upgrade to Wordpress Download Monitor 3.3.5.9.


Distribution
============

In addition to posting on the website, a text version of this notice has been 
posted to the following e-mail and Usenet news recipients.

* bugtraq () securityfocus com
* full-disclosure () lists grok org uk

Future updates of this advisory, if any, will be placed on the ReactionIS 
corporate website, but may or may not be actively announced on 

mailing lists or newsgroups. Users concerned about this problem are encouraged 
to check the URL below for any updates:

http://www.reactionpenetrationtesting.co.uk/wordpress-download-monitor-xss.html

==============================================================================

Reaction Information Security 
Lombard House Business Centre,
Suite 117,
12-17 Upper Bridge Street,
Canterbury, Kent, CT1 2NF

Phone: +44 (0)1227 785050
Email: research () reactionis {dot} co {dot} uk
Web: http://www.reactionpenetrationtesting.co.uk


Joseph Sheridan
Director
CHECK Team Leader, CREST Infrastructure, CREST Application, CISSP
Tel: 07812052515
Web: www.reactionis.com
Email: joe@xxxxxxxxxxxxxxxx

Reaction Information Security Limited.
Registered in England No: 6929383
Registered Office: 1, The Mews, 69 New Dover Road, Canterbury, CT1 3DZ
 
This email and any files transmitted with it are confidential and are intended 
solely for the use of the individual to whom they are addressed. If you are not 
the intended recipient please notify the sender. Any unauthorised dissemination 
or copying of this email or its attachments and any use or disclosure of any 
information contained in them, is strictly prohibited.

 Please consider the environment before printing this email

Prev by Date: nullcon CTF HackIM is on
Next by Date: [PRE-SA-2012-06] FreeRADIUS: Stack Overflow in TLS-based EAP Methods
Previous by thread: nullcon CTF HackIM is on
Next by thread: [PRE-SA-2012-06] FreeRADIUS: Stack Overflow in TLS-based EAP Methods
Index(es):
- Date
- Thread