Latest YouTube Video

Tuesday, August 1, 2017

[FD] Stored XSS in Salutation Responsive WordPress + BuddyPress Theme could allow logged-in users to do almost anything an admin can (WordPress plugin)

Details ================ Software: Salutation Responsive WordPress + BuddyPress Theme Version: 3.0.15 Homepage: http://ift.tt/2cHClUN Advisory report: http://ift.tt/2tTIMIy CVE: Awaiting assignment CVSS: 4.9 (Medium; AV:N/AC:M/Au:S/C:P/I:P/A:N) Description ================ Stored XSS in Salutation Responsive WordPress + BuddyPress Theme could allow logged-in users to do almost anything an admin can Vulnerability ================ The theme contains JavaScript (assets/js/onLoad.js) which iterates through .section-tabs a and puts every href value it finds into jQuery(). jQuery() doesn’t just search for elements which match a selector (i.e. jQuery(\'.section-tabs\')), it also creates elements (i.e. jQuery(\'
\')). $(\'.section-tabs\').simpleSlideTop(); // ... $.fn.simpleSlideTop = function(opts) { // ... contentID = $(this).attr(\'href\'); $(contentID).hide(); An attacker without the unfiltered_html capability would be able to inject arbitrary HTML as if they had the unfiltered_html capability. With the ability to inject arbitrary HTML, the attacker is able add JavaScript which causes a logged-in administrator user to do almost anything – including creating new user accounts, deleting posts, and more. Proof of concept ================ Click the activate button on the theme Install and activate Revolution Slider plugin Create a new user with role of Author (by default, Authors do not possess the unfiltered_html capability) Log in as that user Visit “Add New Post” screen Switch the editor to “Text” mode Enter the following:  Press “Publish” Press “View post” You will see an alertbox appear showing the value “1” For comparison, if the same user account enters  or , it will be blocked by WordPress. Mitigations ================ Upgrade to version 3.0.16 or later. Disclosure policy ================ dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: http://ift.tt/1B6NWzd Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf. This vulnerability will be published if we do not receive a response to this report with 14 days. Timeline ================ 2017-04-26: Discovered 2017-07-25: Reported via contact form on http://para.llel.us/ 2017-07-25: Vendor reported issue fixed in 3.0.16 2017-07-31: Advisory published Discovered by dxw: ================ Tom Adams Please visit security.dxw.com for more information.

Source: Gmail -> IFTTT-> Blogger

No comments: