Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.
Example:
unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged
IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!
Patching
Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.
If you open a pull request, tag this issue and the master issue for the roundup.
If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:
Wed, 01 Mar 2017 04:39:21 -0500 "Larry W. Cashdollar", 2DC459E9-2A8F-45E1-8D1C-7AC78F3BCADB@me.com
Title: Persistent XSS Vulnerability in Wordpress plugin AnyVar v0.1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2017-02-21
Download Site: https://wordpress.org/plugins/anyvar
Vendor: https://profiles.wordpress.org/matt_dev/
Vendor Notified: 2017-02-28
Vendor Contact: plugins@wordpress.org
Description: AnyVar is a simple search and replace plugin. It lets you add changeable variables (text snippets) to posts, sidebars, widgets, links & themes.
Vulnerability:
$var_name and $var_text aren't sanitized before being sent to the webpage. $var_name can only contain text, so only $var_text is exploitable.
In file ./anyvar/anyvar.php:
202 echo "<tr id='anyvar-$var_name' $class>
203 <th scope='row' class='check-column'><input type='checkbox' name='delete[]' value='$var_name' /></th>
204 <td><a class='row-title' href='?page=".$_GET['page']."&action=edit&var=$var_name' title='Edit "$var_name"' > $var_name</a></td>
205 <td>[$var_name]</td>
206 <td><textarea name='anyvar_text_$var_name' id='anyvar_text_$var_name' cols='60' rows='3' readonly>$var_text</textarea></td>
CVE-ID: CVE-2017-6103
Exploit Code:
In the text field box the following will trigger a JS alert popup:
</textarea><script>alert(1);</script><textarea>
Screen Shots: [http://www.vapidlabs.com/m/xssvar.png]
Advisory: http://www.vapidlabs.com/advisory.php?v=177
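A hardened version of the row rendering quoted in the advisory, as an added example (not the plugin's code and not a vendor fix). The function names, the `alternate` class and the sample variable name are assumptions; plain PHP escaping is used so the block runs without WordPress, where `esc_attr()`, `esc_html()` and `esc_textarea()` are the core equivalents.

```php
<?php
// Added example: output-escaped rendering of the table row from the advisory.
// anyvar_h() and anyvar_render_row() are hypothetical names, not plugin code.

// Escape for HTML text and quoted attribute values; ENT_QUOTES covers ' and ".
function anyvar_h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function anyvar_render_row(string $var_name, string $var_text, string $page, bool $alternate): string {
    $name = anyvar_h($var_name);
    $text = anyvar_h($var_text);   // "</textarea>" becomes inert text
    // URL-encode each query parameter, then HTML-escape the whole href value.
    $href = anyvar_h('?' . http_build_query([
        'page' => $page, 'action' => 'edit', 'var' => $var_name,
    ]));
    // Assumed class name; a fixed literal instead of an interpolated $class.
    $class = $alternate ? " class='alternate'" : '';

    return "<tr id='anyvar-$name'$class>\n"
         . "<th scope='row' class='check-column'>"
         . "<input type='checkbox' name='delete[]' value='$name' /></th>\n"
         . "<td><a class='row-title' href='$href' title='Edit &quot;$name&quot;'>$name</a></td>\n"
         . "<td>[$name]</td>\n"
         . "<td><textarea name='anyvar_text_$name' id='anyvar_text_$name'"
         . " cols='60' rows='3' readonly>$text</textarea></td>\n"
         . "</tr>\n";
}

// Constructed input: the string from the advisory stored as the variable text.
$stored = '</textarea><script>alert(1);</script><textarea>';
$html   = anyvar_render_row('greeting', $stored, 'anyvar', false);

// The stored text must not close the textarea early or introduce a tag.
if (strpos($html, '<script>') !== false || substr_count($html, '</textarea>') !== 1) {
    throw new RuntimeException('stored text escaped its HTML context');
}
echo $html;
```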
Here is a report from the oss-security mailing list for Vulnerability Roundup 27.
Info
Triage Indicator:
Should the search term be changed from wordpress? Suggest a new package search by commenting:
Known CVEs: CVE-2017-6103