the original cloud security

WordPress Infocus Theme Cross Site Scripting

WordPress Infocus Theme Cross Site Scripting
Posted Jan 27, 2014
Authored by Rafay Baloch

WordPress Infocus Theme suffers from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | 45e7152bf024a53f3ce62232e75c41a2

WordPress Infocus Theme Cross Site Scripting

Change Mirror Download
Infocus Theme DOM Based XSS

Details
=======
Product: Infocus Theme DOM Based XSS
Security-Risk: Moderate
Remote-Exploit: yes
Company: RHAINFOSEC
Website: http://services.rafayhackingarticles.net
Vendor-URL:
http://themeforest.net/item/infocus-powerful-professional-wordpress-theme/85486
Vendor-Status: informed
Advisory-Status: published

Credits
=======
Discovered By: Rafay Baloch
http://rhainfosec.com

Description
========
The worpdress theme "Infocus" appears to use vulnerable instance of pretty
photo plugin that
is prone to a DOM based xss, unlike other XSS, dom based xss occurs on the
client side, thus
leaving all the server side defenses worthlesss. The issue occurs inside
the client side javascripts
where the source (User supplied input) is passed through a vulnerable sink
(Anything that creates/writes) without sanitsing/escaping the user supplied
input

More Details
=========


Line 623: hashIndex = getHashtag();

Inside the line 623, we see a variable hashIndex which calls th e
getHashtag() function, which is responsible for returning the user
supplied values after the hash.


Let's take a look at teh getHashtag() function:

getHashtag()
{
url=location.href;hashtag=(url.indexOf('#!')!=-1)?decodeURI
(url.substring(url.indexOf('#!')+2,url.length)):false;return
hashtag;};

The function getHashtag() is used for returning the user supplied input,
the function also checks if the user input contains the hash bang and then
returns the value.

setTimeout(function()
{
$("a[rel^='" + hashRel + "']:eq(" + hashIndex + ")").trigger('click'); },
50);

Finally we have the above line which is responsible for the cause of the
dom based xss, the $("a[rel^='" + hashRel + "']:eq(" + hashIndex + ")
writes the user supplied input to the dom without sanitising the input.

POC
===

http://target.com/#!%22%3E%3Cimg%20src=1%20onerror=prompt%280%29;%3E//

The issue was fixed by sanitising the "hashrel" input before returning it
to the user.

hashIndex = parseInt(hashIndex);
hashRel = hashRel.replace(/([ #;&,.+*~\':"!^$[\]()=>|\/])/g,'\\$1');


References
==========

http://www.rafayhackingarticles.net/2013/05/kali-linux-dom-based-xss-writeup.html

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close