wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

XSS in plugins #176

Closed erwanlr closed 11 years ago

erwanlr commented 11 years ago

See http://wpsecure.net/2013/05/a-list-of-recent-xss-plugin-exploits-from-april/

firefart commented 11 years ago

Also this: http://wpsecure.net/2013/05/open-flash-chart/

erwanlr commented 11 years ago

Yep, I reported them to WordPress on 7th March 2013:

50a406e9963c6668d913b573226d6c99  ./chikuncount/php-ofc-library/ofc_upload_image.php
9ebfeab7243e3976bf5eb3b6a43c4a80  ./open-flash-chart-core-wordpress-plugin/open-flash-chart-2/php-ofc-library/ofc_upload_image.php
50a406e9963c6668d913b573226d6c99  ./php-analytics/resources/open-flash-chart/php-ofc-library/ofc_upload_image.php
50a406e9963c6668d913b573226d6c99  ./seo-spy-google-wordpress-plugin/ofc/php-ofc-library/ofc_upload_image.php
628d5048aab21a39851e411d13c9a034  ./spamtask/chart/php-ofc-library/ofc_upload_image.php
50a406e9963c6668d913b573226d6c99  ./wp-seo-spy-google/ofc/php-ofc-library/ofc_upload_image.php

erwanlr commented 11 years ago

Clarification: most of the XSS are not direct ones, they are CSRF leading to XSS.

erwanlr commented 11 years ago

the open-flash-chart was already in our DB ;)

BTW, the ofc_upload_image.php issue has been known since 2009, just insane :x

fgeek commented 11 years ago

So the ofc_upload_image.php issues are not fixed yet, or? I can contact the developers and the WordPress plugins guys if needed.

erwanlr commented 11 years ago

It's fixed in the main lib (open-flash-chart) but not in the other plugins (which are no longer available since I reported them to WordPress).

fgeek commented 11 years ago

@erwanlr good job.

erwanlr commented 11 years ago

Btw, there was an XSS in Jplayer.swf; I found these in the wp repo:

769d053b03973d380da80be5a91c59c2  ./audio-to-player/trunk/js/Jplayer.swf
f85e71a50abbaf2a1866ef16d392a420  ./background-music/js/Jplayer.swf
f85e71a50abbaf2a1866ef16d392a420  ./easy-media-gallery/includes/swf/Jplayer.swf
769d053b03973d380da80be5a91c59c2  ./emc2-custom-help-videos/jplayer/Jplayer.swf
f85e71a50abbaf2a1866ef16d392a420  ./haiku-minimalist-audio-player/js/Jplayer.swf
29f093d52c759a936309f061a06889b7  ./html5-jquery-audio-player/includes/jquery-jplayer/Jplayer.swf
29f093d52c759a936309f061a06889b7  ./html5-jquery-audio-player/player/js/Jplayer.swf
f85e71a50abbaf2a1866ef16d392a420  ./jammer/files/Jplayer.swf
769d053b03973d380da80be5a91c59c2  ./link2player/asset/lib/jquery.jplayer.2.1.0/jplayer.swf
406491a0a42b208e49dd398b959b34ca  ./marctv-achievement-unlocked/Jplayer.swf
38a15226beba4f2b0dac77be1d2af432  ./mp3-jplayer/trunk/js/Jplayer.swf
f85e71a50abbaf2a1866ef16d392a420  ./s2member-secure-file-browser/swf/Jplayer.swf
769d053b03973d380da80be5a91c59c2  ./s3audible-amazon-s3-music-player/js/Jplayer.swf
f85e71a50abbaf2a1866ef16d392a420  ./siteorigin-panels/video/jplayer/Jplayer.swf
769d053b03973d380da80be5a91c59c2  ./so-audible/js/Jplayer.swf
769d053b03973d380da80be5a91c59c2  ./soundslides/js/Jplayer.swf
769d053b03973d380da80be5a91c59c2  ./thecartpress/js/jquery.jplayer/Jplayer.swf
f85e71a50abbaf2a1866ef16d392a420  ./tts-engine-post-to-speech/Jplayer.swf
38a15226beba4f2b0dac77be1d2af432  ./wp-jplayer/assets/js/Jplayer.swf
f85e71a50abbaf2a1866ef16d392a420  ./wp-miniaudioplayer/js/Jplayer.swf
406491a0a42b208e49dd398b959b34ca  ./wpstorecart/js/jquery.mb.miniAudioPlayer.1.2/inc/Jplayer.swf

Some of them are already in our DB & patched (background-music, haiku-minimalist-audio-player, jammer); I don't know about the others :s But it seems that the patched version is f85e71a50abbaf2a1866ef16d392a420.
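The thread above works by fingerprinting bundled files with MD5 and comparing against hashes known to be patched or reported. The script below is an added example of that check for a site maintainer auditing their own `wp-content/plugins` tree; it is not part of wpscan and not code from any commenter. It uses only the hashes quoted in this issue: the one Jplayer.swf hash erwanlr calls patched, and the three ofc_upload_image.php hashes he reported. Everything else is labelled "unverified" rather than "vulnerable", since the thread does not establish that. The directory layout and file contents in `DEMO_FILES` are constructed placeholders, so they hash to nothing in the thread.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Keyed by lower-cased file name because the thread lists both "Jplayer.swf"
# and "jplayer.swf". Hash values are copied from the issue comments.
KNOWN_PATCHED = {
    "jplayer.swf": {"f85e71a50abbaf2a1866ef16d392a420"},
}
REPORTED = {
    "ofc_upload_image.php": {
        "50a406e9963c6668d913b573226d6c99",
        "9ebfeab7243e3976bf5eb3b6a43c4a80",
        "628d5048aab21a39851e411d13c9a034",
    },
}
WATCHED = set(KNOWN_PATCHED) | set(REPORTED)


def md5_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_file(path):
    """Stream the file in chunks so large bundles need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name, digest):
    """patched / reported / unverified, based solely on the thread's hashes."""
    name = name.lower()
    if digest in KNOWN_PATCHED.get(name, set()):
        return "patched"
    if digest in REPORTED.get(name, set()):
        return "reported"
    return "unverified"


def audit_plugins(root):
    """Walk a plugins directory; return {posix relative path: (md5, status)}
    for every file whose name is on the watch list."""
    root = Path(root)
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() not in WATCHED:
                continue
            full = Path(dirpath) / fn
            digest = md5_file(full)
            rel = full.relative_to(root).as_posix()
            results[rel] = (digest, classify(fn, digest))
    return results


# Constructed placeholder contents (not real plugin files): their hashes match
# nothing in the thread, so both watched files audit as "unverified".
DEMO_FILES = {
    "background-music/js/Jplayer.swf": b"FWS constructed placeholder, not a real SWF\n",
    "spamtask/chart/php-ofc-library/ofc_upload_image.php": b"<?php // constructed placeholder\n",
    "some-plugin/readme.txt": b"not on the watch list\n",
}


def demo():
    """Write the constructed tree to a temp dir, audit it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in DEMO_FILES.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        return audit_plugins(tmp)


if __name__ == "__main__":
    for rel, (digest, status) in sorted(demo().items()):
        print(f"{digest}  {rel}  [{status}]")
```

Run it against a real install with `audit_plugins("/path/to/wp-content/plugins")`. An "unverified" hit means only that the copy is not the one the thread names as patched; confirm against the plugin's current release before acting on it, since the thread itself leaves those versions as "don't know".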