exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Infocus Theme Cross Site Scripting

WordPress Infocus Theme Cross Site Scripting
Posted Jan 27, 2014
Authored by Rafay Baloch

WordPress Infocus Theme suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 72175cc3a0ba10815ddba1acc6812efb9bf950f993641bc2dc35d2e2ee6ad9bd

WordPress Infocus Theme Cross Site Scripting

Change Mirror Download
Infocus Theme DOM Based XSS

Details
=======
Product: Infocus Theme DOM Based XSS
Security-Risk: Moderate
Remote-Exploit: yes
Company: RHAINFOSEC
Website: http://services.rafayhackingarticles.net
Vendor-URL:
http://themeforest.net/item/infocus-powerful-professional-wordpress-theme/85486
Vendor-Status: informed
Advisory-Status: published

Credits
=======
Discovered By: Rafay Baloch
http://rhainfosec.com

Description
========
The worpdress theme "Infocus" appears to use vulnerable instance of pretty
photo plugin that
is prone to a DOM based xss, unlike other XSS, dom based xss occurs on the
client side, thus
leaving all the server side defenses worthlesss. The issue occurs inside
the client side javascripts
where the source (User supplied input) is passed through a vulnerable sink
(Anything that creates/writes) without sanitsing/escaping the user supplied
input

More Details
=========


Line 623: hashIndex = getHashtag();

Inside the line 623, we see a variable hashIndex which calls th e
getHashtag() function, which is responsible for returning the user
supplied values after the hash.


Let's take a look at teh getHashtag() function:

getHashtag()
{
url=location.href;hashtag=(url.indexOf('#!')!=-1)?decodeURI
(url.substring(url.indexOf('#!')+2,url.length)):false;return
hashtag;};

The function getHashtag() is used for returning the user supplied input,
the function also checks if the user input contains the hash bang and then
returns the value.

setTimeout(function()
{
$("a[rel^='" + hashRel + "']:eq(" + hashIndex + ")").trigger('click'); },
50);

Finally we have the above line which is responsible for the cause of the
dom based xss, the $("a[rel^='" + hashRel + "']:eq(" + hashIndex + ")
writes the user supplied input to the dom without sanitising the input.

POC
===

http://target.com/#!%22%3E%3Cimg%20src=1%20onerror=prompt%280%29;%3E//

The issue was fixed by sanitising the "hashrel" input before returning it
to the user.

hashIndex = parseInt(hashIndex);
hashRel = hashRel.replace(/([ #;&,.+*~\':"!^$[\]()=>|\/])/g,'\\$1');


References
==========

http://www.rafayhackingarticles.net/2013/05/kali-linux-dom-based-xss-writeup.html
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close