oss-sec mailing list archives

Re: CVE-2009-4168: WordPress plugin vkontakte-api XSS vulnerability


From: Henri Salo <henri () nerv fi>
Date: Thu, 14 Mar 2013 10:47:10 +0200

On Mon, Mar 11, 2013 at 09:44:33AM +0200, Henri Salo wrote:
> Plugin URL: http://wordpress.org/extend/plugins/vkontakte-api/
> Affected file: tagcloud.swf 368b01e1728111f99d93ac5805d97abbb899a910
> PoC: 
> wp-content/plugins/vkontakte-api/swf/tagcloud.swf?mode=tags&tagcloud=<tags><a+href=%27javascript:alert%28document.cookie%29%27+style=%27font-size:+40pt%27>oss-security</a></tags>
> Affected versions: 1.21, 1.22, 1.23, 1.24, 1.25, 1.26, 1.27, 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.7
>
> Currently no fix available.

WordPress plugin-guys replied Mon, 11 Mar 2013 21:32:52 +0000

"Closed this morning :)"

Now the changelog says:

------------------------------------------------------------------------
r681668 | kowack | 2013-03-14 09:39:40 +0200 (Thu, 14 Mar 2013) | 1 line

2.7 to 3.0
------------------------------------------------------------------------
r681323 | kowack | 2013-03-13 18:04:13 +0200 (Wed, 13 Mar 2013) | 1 line

amen
------------------------------------------------------------------------
r681320 | kowack | 2013-03-13 18:01:49 +0200 (Wed, 13 Mar 2013) | 1 line

major update, may has bugs :(
------------------------------------------------------------------------
r568584 | kowack | 2012-07-07 09:49:19 +0300 (Sat, 07 Jul 2012) | 1 line

And it seems that tagcloud.swf is removed from version 3.0 of the plugin.
Changelog does not include CVE nor notification about security issues fixed.
Well at least it is fixed.

--
Henri Salo
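
Added example, not part of the original message or of the plugin's code: a check an administrator can run against a WordPress tree to find leftover copies of tagcloud.swf and compare each with the hash given in the advisory. The hash is assumed to be SHA-1 (it is 40 hex digits; the message does not name the algorithm), and the function name `scan` and the verdict labels are choices of this example.

```python
import hashlib
import os

# Hash of the affected tagcloud.swf as given in the advisory (assumed SHA-1).
ADVISORY_SHA1 = "368b01e1728111f99d93ac5805d97abbb899a910"
# Location of the affected file relative to the WordPress root, from the advisory.
ADVISORY_RELPATH = "wp-content/plugins/vkontakte-api/swf/tagcloud.swf"


def sha1_of(path, chunk=65536):
    """Hash a file in chunks so it is never read into memory whole."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(wp_root, known_sha1=ADVISORY_SHA1):
    """Return sorted (relative_path, sha1, verdict) for every tagcloud.swf.

    verdict is one of:
      "advisory-file" - hash equals the advisory hash, wherever the copy lives
      "advisory-path" - sits at the advisory's path but the hash differs
      "review"        - some other tagcloud.swf copy; inspect manually
    """
    findings = []
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            if name.lower() != "tagcloud.swf":
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, wp_root).replace(os.sep, "/")
            digest = sha1_of(full)
            if digest == known_sha1:
                verdict = "advisory-file"
            elif rel.lower() == ADVISORY_RELPATH:
                verdict = "advisory-path"
            else:
                verdict = "review"
            findings.append((rel, digest, verdict))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, digest, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:14} {digest} {rel}")
```

Run it with the WordPress root as the only argument; a copy can remain on disk after an upgrade to 3.0 if the old plugin directory was not replaced cleanly.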
