exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Pretty Photo Cross Site Scripting

WordPress Pretty Photo Cross Site Scripting
Posted Nov 20, 2013
Authored by Rafay Baloch

WordPress Pretty Photo plugin suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | ad0e6a2ec0cba32a53f8cd31ffa972175ab2ab31289e66a75ebdb86aeda53924

WordPress Pretty Photo Cross Site Scripting

Change Mirror Download
Wp-Pretty Photo DOM Based XSS Vulnerability

Details
=======
Product: PrettyPhoto Plugin
Security-Risk: Moderate
Remote-Exploit: yes
Company: RHAINFOSEC
Website: http://services.rafayhackingarticles.net
Vendor-URL: https://github.com/scaron/prettyphoto
Vendor-Status: informed
Advisory-Status: published

Credits
=======
Discovered by: Rafay Baloch
http://services.rafayhackingarticles.net

Description
========
The worpdress pretty photo plugin appears to be vulnerable to a DOM based
xss, unlike other XSS, dom based xss occurs on the client side, thus
leaving all the server side defenses worthlesss. The issue occurs inside
the client side javascripts
where the source (User supplied input) is passed through a vulnerable sink
(Anything that creates/writes) without sanitsing/escaping the user supplied
input

More Details
=========


Line 623: hashIndex = getHashtag();

Inside the line 623, we see a variable hashIndex which calls th e
getHashtag() function, which is responsible for returning the user
supplied values after the hash.


Let's take a look at teh getHashtag() function:

getHashtag()
{
url=location.href;hashtag=(url.indexOf('#!')!=-1)?decodeURI
(url.substring(url.indexOf('#!')+2,url.length)):false;return
hashtag;};

The function getHashtag() is used for returning the user supplied input,
the function also checks if the user input contains the hash bang and then
returns the value.

setTimeout(function()
{
$("a[rel^='" + hashRel + "']:eq(" + hashIndex + ")").trigger('click'); },
50);

Finally we have the above line which is responsible for the cause of the
dom based xss, the $("a[rel^='" + hashRel + "']:eq(" + hashIndex + ")
writes the user supplied input to the dom without sanitising the input.

POC
===

http://target.com/#!%22%3E%3Cimg%20src=1%20onerror=prompt%280%29;%3E//

The issue was fixed by sanitising the "hashrel" input before returning it
to the user.

hashIndex = parseInt(hashIndex);
hashRel = hashRel.replace(/([ #;&,.+*~\':"!^$[\]()=>|\/])/g,'\\$1');


References
==========

http://www.rafayhackingarticles.net/2013/05/kali-linux-dom-based-xss-writeup.html


Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    6 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close