a13c4ea572
23 changes to exploits/shellcodes SysGauge 4.5.18 - Local Denial of Service Systematic SitAware - NVG Denial of Service Allok AVI DivX MPEG to DVD Converter 2.6.1217 - Buffer Overflow (SEH) Allok Video Joiner 4.6.1217 - Stack-Based Buffer Overflow Allok WMV to AVI MPEG DVD WMV Converter 4.6.1217 - Buffer Overflow Faleemi Windows Desktop Software - (DDNS/IP) Local Buffer Overflow Advantech WebAccess < 8.1 - webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow osTicket 1.10 - SQL Injection osTicket 1.10 - SQL Injection (PoC) Open-AuditIT Professional 2.1 - Cross-Site Request Forgery Homematic CCU2 2.29.23 - Arbitrary File Write MiniCMS 1.10 - Cross-Site Request Forgery WordPress Plugin Relevanssi 4.0.4 - Reflected Cross-Site Scripting WordPress Plugin Contact Form 7 to Database Extension 2.10.32 - CSV Injection Homematic CCU2 2.29.23 - Remote Command Execution Joomla! Component Acymailing Starter 5.9.5 - CSV Macro Injection Joomla! Component AcySMS 3.5.0 - CSV Macro Injection WordPress Plugin WP Security Audit Log 3.1.1 - Sensitive Information Disclosure Tenda W308R v2 Wireless Router 5.07.48 - Cookie Session Weakness Remote DNS Change osCommerce 2.3.4.1 - Remote Code Execution Tenda W316R Wireless Router 5.07.50 - Remote DNS Change D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router - Authentication Bypass Tenda FH303/A300 Firmware V5.07.68_EN - Remote DNS Change Vtiger CRM 6.3.0 - Authenticated Arbitrary File Upload (Metasploit) Tenda W3002R/A302/w309r Wireless Router V5.07.64_en - Remote DNS Change (PoC)
46 lines
No EOL
2 KiB
Text
46 lines
No EOL
2 KiB
Text
# Exploit Title : Relevanssi Wordpress Search Plugin Reflected Cross Site Scripting (XSS)
|
|
# Date: 23-03-2018
|
|
# Exploit Author : Stefan Broeder
|
|
# Contact : https://twitter.com/stefanbroeder
|
|
# Vendor Homepage: https://www.relevanssi.com
|
|
# Software Link: https://wordpress.org/plugins/relevanssi
|
|
# Version: 4.0.4
|
|
# CVE : CVE-2018-9034
|
|
# Category : webapps
|
|
|
|
Description
|
|
===========
|
|
Relevanssi is a WordPress plugin with more than 100.000 active installations. Version 4.0.4 (and possibly previous versions) are affected by a Reflected XSS vulnerability.
|
|
|
|
Vulnerable part of code
|
|
=======================
|
|
File: relevanssi/lib/interface.php:1055 displays unescaped value of $_GET variable 'tab'.
|
|
|
|
..
|
|
1049 if( isset( $_REQUEST[ 'tab' ] ) ) {
|
|
1050 $active_tab = $_REQUEST[ 'tab' ];
|
|
1051 } // end if
|
|
1052
|
|
1053 if ($active_tab === "stopwords") $display_save_button = false;
|
|
1054
|
|
1055 echo "<input type='hidden' name='tab' value='$active_tab' />";
|
|
..
|
|
|
|
Impact
|
|
======
|
|
Arbitrary JavaScript code can be run on browser side if a logged in WordPress administrator is tricked to click on a link or browse a URL under the attacker control.
|
|
This can potentially lead to creation of new admin users, or remote code execution on the server.
|
|
|
|
Proof of Concept
|
|
============
|
|
In order to exploit this vulnerability, the attacker needs to have the victim visit the following link:
|
|
|
|
/wp-admin/options-general.php?page=relevanssi%2Frelevanssi.php&tab='><SCRIPT>var+x+%3D+String(%2FXSS%2F)%3Bx+%3D+x.substring(1%2C+x.length-1)%3Balert(x)<%2FSCRIPT><BR+
|
|
|
|
Please note that quotes and double quotes are properly escaped by WordPress, however javascript escaping (\) is applied while the value is in an HTML attribute. There, escaping a quote by \' has no effect (" should be used). This allows us to break out of the HTML attribute and start the script tag. Within the script, quotes are properly escaped but there are ways to obfuscate javascript without requiring these symbols as can be seen in above payload.
|
|
|
|
|
|
Solution
|
|
========
|
|
|
|
Update to version 4.1 |