the original cloud security

WordPress Pretty Photo Cross Site Scripting

WordPress Pretty Photo Cross Site Scripting
Posted Nov 20, 2013
Authored by Rafay Baloch

WordPress Pretty Photo plugin suffers from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | efb1df2016a22b2f0ce769614c2b718e

WordPress Pretty Photo Cross Site Scripting

Change Mirror Download
Wp-Pretty Photo DOM Based XSS Vulnerability

Details
=======
Product: PrettyPhoto Plugin
Security-Risk: Moderate
Remote-Exploit: yes
Company: RHAINFOSEC
Website: http://services.rafayhackingarticles.net
Vendor-URL: https://github.com/scaron/prettyphoto
Vendor-Status: informed
Advisory-Status: published

Credits
=======
Discovered by: Rafay Baloch
http://services.rafayhackingarticles.net

Description
========
The worpdress pretty photo plugin appears to be vulnerable to a DOM based
xss, unlike other XSS, dom based xss occurs on the client side, thus
leaving all the server side defenses worthlesss. The issue occurs inside
the client side javascripts
where the source (User supplied input) is passed through a vulnerable sink
(Anything that creates/writes) without sanitsing/escaping the user supplied
input

More Details
=========


Line 623: hashIndex = getHashtag();

Inside the line 623, we see a variable hashIndex which calls th e
getHashtag() function, which is responsible for returning the user
supplied values after the hash.


Let's take a look at teh getHashtag() function:

getHashtag()
{
url=location.href;hashtag=(url.indexOf('#!')!=-1)?decodeURI
(url.substring(url.indexOf('#!')+2,url.length)):false;return
hashtag;};

The function getHashtag() is used for returning the user supplied input,
the function also checks if the user input contains the hash bang and then
returns the value.

setTimeout(function()
{
$("a[rel^='" + hashRel + "']:eq(" + hashIndex + ")").trigger('click'); },
50);

Finally we have the above line which is responsible for the cause of the
dom based xss, the $("a[rel^='" + hashRel + "']:eq(" + hashIndex + ")
writes the user supplied input to the dom without sanitising the input.

POC
===

http://target.com/#!%22%3E%3Cimg%20src=1%20onerror=prompt%280%29;%3E//

The issue was fixed by sanitising the "hashrel" input before returning it
to the user.

hashIndex = parseInt(hashIndex);
hashRel = hashRel.replace(/([ #;&,.+*~\':"!^$[\]()=>|\/])/g,'\\$1');


References
==========

http://www.rafayhackingarticles.net/2013/05/kali-linux-dom-based-xss-writeup.html


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    2 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close