bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/40733.txt
Offensive Security 490539b3f3 DB: 2016-11-09 
17 new exploits

DigitalHive 2.0 RC2 - (base_include.php) Remote File Inclusion
DigitalHive 2.0 RC2 - 'base_include.php' Remote File Inclusion

DodosMail 2.0.1 - (dodosmail.php) Remote File Inclusion
DodosMail 2.0.1 - 'dodosmail.php' Remote File Inclusion

DoSePa 1.0.4 - (textview.php) Information Disclosure
DoSePa 1.0.4 - 'textview.php' Information Disclosure

TrueCrypt 4.3 - Privilege Escalation
TrueCrypt 4.3 - 'setuid' Privilege Escalation

w-Agora 4.2.1 - (cat) SQL Injection
w-Agora 4.2.1 - 'cat' Parameter SQL Injection

IPTBB 0.5.4 - (viewdir id) SQL Injection
IPTBB 0.5.4 - 'id' Parameter SQL Injection

LoudBlog 0.6.1 - (parsedpage) Remote Code Execution
LoudBlog 0.6.1 - 'parsedpage' Parameter Remote Code Execution

evilboard 0.1a - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities
evilboard 0.1a - SQL Injection / Cross-Site Scripting

QuickTime Player 7.3.1.70 - (rtsp) Buffer Overflow
QuickTime Player 7.3.1.70 - 'RTSP' Buffer Overflow

DigitalHive 2.0 RC2 - (user_id) SQL Injection
DigitalHive 2.0 RC2 - 'user_id' Parameter SQL Injection

X7 Chat 2.0.5 - 'day' SQL Injection
X7 Chat 2.0.5 - 'day' Parameter SQL Injection

HP Data Protector 4.00-SP1b43064 - Remote Memory Leak/Dos Exploit
HP Data Protector 4.00-SP1b43064 - Remote Memory Leak/DoS

Cisco VPN Client - Integer Overflow (DOS)
Cisco VPN Client - Integer Overflow (DoS)

Multiple WordPress Plugins - timthumb.php File Upload
Multiple WordPress Plugins - 'timthumb.php' File Upload

glibc - LD_AUDIT Arbitrary DSO Load Privilege Escalation
glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation

NetServe FTP Client 1.0 - Local DOS (Overflow)
NetServe FTP Client 1.0 - Local DoS (Overflow)

Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial Of Service (PoC)
Internet Explorer 8-11_ IIS_ CScript.exe/WScript.exe VBScript - CRegExp..Execute Use of Uninitialized Memory (MS14-080 / MS14-084)
Internet Explorer 9 MSHTML - CPtsTextParaclient::CountApes Out-of-Bounds Read
Microsoft Internet Explorer 8-11_ IIS_ CScript.exe/WScript.exe VBScript - CRegExp..Execute Use of Uninitialized Memory (MS14-080/MS14-084)
Microsoft Internet Explorer 9 MSHTML - CPtsTextParaclient::CountApes Out-of-Bounds Read
Linux Kernel 2.6.x < 2.6.7-rc3 - 'sys_chown()' Privilege Escalation
Solaris 8/9 ps - Environment Variable Information leak
Solaris 7/8/9 CDE libDtHelp - Buffer Overflow dtprintinfo Privilege Escalation
Solaris 7/8/9 CDE libDtHelp - Buffer Overflow Non-Exec Stack Privilege Escalation
Solaris 8/9 passwd(1) - 'circ()' Stack-Based Buffer Overflow Privilege Escalation
Linux Kernel - TCP Related Read Use-After-Free
WordPress Plugin 'XCloner' 3.1.5 - Multiple Vulnerabilities
WordPress Plugin 404 to 301 2.2.8 - Persistent Cross-Site Scripting
WordPress Plugin WassUp Real Time Analytics 1.9 - Persistent Cross-Site Scripting
MOVISTAR ADSL Router BHS_RTA - Remote File Disclosure
D-Link ADSL Router DSL-2730U/2750U/2750E - Remote File Disclosure
NETGEAR ADSL Router JNR1010 - Authenticated Remote File Disclosure
NETGEAR ADSL Router WNR500/WNR612v3/JNR1010/JNR2010 - Authenticated Remote File Disclosure
PLANET ADSL Router AND-4101 - Remote File Disclosure
Eir D1000 Wireless Router - WAN Side Remote Command Injection (Metasploit)
Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution
2016-11-09 05:01:25 +00:00

62 lines
No EOL
3 KiB
Text
Executable file
Raw Blame History

Source: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_wassup_real_time_analytics_wordpress_plugin.html
Persistent Cross-Site Scripting in WassUp Real Time Analytics WordPress Plugin
Abstract
A stored Cross-Site Scripting (XSS) vulnerability has been found in the WassUp Real Time Analytics WordPress Plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any user who views the Activity Log, in general WP admin.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160717-0002
Tested versions
This issue was successfully tested on WassUp Real Time Analytics version 1.9.
Fix
This issue has been fixed in version 1.9.1.
Introduction
The WassUp Real Time Analytics WordPress plugin can be used to analyze visitors' traffic with real-time statistics.
Details
A stored Cross-Site Scripting vulnerability was found in the Wassup WordPress plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. Particularly interesting about this issue is that an anonymous user can simply store his XSS payload in the Admin dashboard by just visiting the public site with a malformed link.
The malicious script code can be sent by anyone visiting the website (unauthenticated). The malicious code is then executed in the admin panel under section 'Current Visitors' of the Wassup plugin page.
The issue exists in the file wassup.php and is caused by the lack of output encoding on the request-uri parameter. The vulnerable code is listed below.
</span><span class="request-uri"><?php echo wassupURI::url_link
and in the file wassup.class.php:
else $urllink='<a href="'.self::add_siteurl("$urlrequested").'" target="_BLANK">'.stringShortener("$urlrequested",$chars).'</a>';
return $urllink;
Proof of concept
1. Log in as admin and empty the log data of Wassup for a clean test -> http://<targetsite>/wp-admin/admin.php?page=wassup-options -> Manage Files and Data -> Empty table
2. Open Burp Suite and sent the following requests one after another:
GET /test HTTP/1.1
Host: <targetsite>
GET ///--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(70,70,70))</SCRIPT> HTTP/1.1
Host: <targetsite>
3. Open the Current Visitors Online page as an admin: http://<targetsite>/wp-admin/admin.php?page=wassup-online
Note: Your request should be detected as a Spider/Bot by the Wassup plugin. One way to do this is by sending the requests above through Burp Suite.
Reference in a new issue View git blame Copy permalink