• III. DESCRIPTION
    ————————-
    A Persistent XSS vulnerability has been detected in Easy Table that allows arbitrary HTML/script code to be executed in the context of the victim user’s browser.

    IV. PROOF OF CONCEPT
    ————————-
    Malicious Request:
    /wordpress/wp-admin/options-general.php?page=easy-table

    easy_table_plugin_option[shortcodetag]
    easy_table_plugin_option[attrtag]
    easy_table_plugin_option[class]
    easy_table_plugin_option[width]
    easy_table_plugin_option[border]
    easy_table_plugin_option[align]
    easy_table_plugin_option[limit]
    easy_table_plugin_option[nl]
    easy_table_plugin_option[terminator]
    easy_table_plugin_option[delimiter]
    easy_table_plugin_option[escape]

    In all of these parameters an attacker can inject, for example, "><script>alert(1)</script> to perform a Persistent Cross-Site Scripting attack.

Viewing 4 replies - 1 through 4 (of 4 total)
  • pluginvulnerabilities

    (@pluginvulnerabilities)

    That page is only accessible to Administrator-level users and they normally are permitted to use the equivalent of cross-site scripting (XSS) due to them having the unfiltered_html capability, so them being able to do what is mentioned here wouldn’t be a vulnerability on its own. If that could be combined with cross-site request forgery (CSRF) when saving those values then there would be a vulnerability, but CSRF is prevented with proper use of a nonce. So there doesn’t look to be a vulnerability here, but it does look like it could be considered a bug.

    Thread Starter advidsec

    (@advidsec)

    Hello,

    I know that the page is only accessible to Administrators, but it is a fact that the page does not correctly sanitize and validate the input parameters.

    https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

    So I think the developer will correct the bug to prevent this “vulnerability”.

    Regards,

    pluginvulnerabilities

    (@pluginvulnerabilities)

    Administrator-level users are normally permitted to use the equivalent of cross-site scripting (XSS) due to them having the unfiltered_html capability, so what they can do there wouldn’t be a vulnerability.

    This could be considered a bug though and it looks like the plugin could be changed to prevent the issue from happening without it causing any problems.

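The two replies from @pluginvulnerabilities make the practical point: the values saved from this admin page are only a problem if they are stored raw and echoed back unescaped, and the save itself has to be protected by a nonce so it cannot be driven by CSRF. The PHP below is an added example of how a WordPress settings page can do both; it is not the Easy Table plugin's own code. The option name easy_table_plugin_option and its keys come from the report above, while the function names, the settings group name and the per-key filters are hypothetical.

```php
<?php
/**
 * Added example (not the Easy Table plugin's code): sanitize option values
 * on save and escape them on output, so that a value such as
 * "><script>alert(1)</script> saved by an administrator is neither stored
 * raw nor rendered as markup on the settings page.
 *
 * Assumptions (hypothetical): the option name and keys are taken from the
 * report above; every et_example_* name and the settings group are ours.
 */

// Whitelist of accepted keys and the sanitizer applied to each one.
// Keys that are not listed here are dropped on save.
function et_example_option_schema() {
    return array(
        'shortcodetag' => 'sanitize_key',         // lowercase [a-z0-9_-] only
        'attrtag'      => 'sanitize_key',
        'class'        => 'sanitize_html_class',  // safe inside a class="" attribute
        'width'        => 'et_example_dimension', // e.g. 100%, 640px, or empty
        'border'       => 'absint',               // non-negative integer
        'align'        => 'et_example_align',     // left | center | right | ''
        'limit'        => 'absint',
        'nl'           => 'sanitize_text_field',  // strips tags and control chars
        'terminator'   => 'sanitize_text_field',
        'delimiter'    => 'sanitize_text_field',
        'escape'       => 'sanitize_text_field',
    );
}

// Accept only a short number optionally followed by px or %.
function et_example_dimension( $value ) {
    $value = (string) $value;
    return preg_match( '/^\d{1,4}(px|%)?$/', $value ) ? $value : '';
}

// Accept only one of three fixed alignment words.
function et_example_align( $value ) {
    return in_array( $value, array( 'left', 'center', 'right' ), true ) ? $value : '';
}

// sanitize_callback for register_setting(): options.php has already verified
// the nonce emitted by settings_fields() and unslashed $_POST before this runs.
function et_example_sanitize_option( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();
    foreach ( et_example_option_schema() as $key => $filter ) {
        $raw           = isset( $input[ $key ] ) ? $input[ $key ] : '';
        $clean[ $key ] = call_user_func( $filter, $raw );
    }
    return $clean;
}

function et_example_register_setting() {
    register_setting(
        'easy_table_example_group',
        'easy_table_plugin_option',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'et_example_sanitize_option',
        )
    );
}
add_action( 'admin_init', 'et_example_register_setting' );

// Output side: every stored value is escaped at the point it is printed.
// Even if an older, unsanitized value is still in the database, esc_attr()
// turns "><script> into &quot;&gt;&lt;script&gt; and nothing executes.
function et_example_render_form() {
    $opt = (array) get_option( 'easy_table_plugin_option', array() );
    echo '<form method="post" action="options.php">';
    settings_fields( 'easy_table_example_group' ); // CSRF nonce + hidden option_page fields
    foreach ( array_keys( et_example_option_schema() ) as $key ) {
        $val = isset( $opt[ $key ] ) ? $opt[ $key ] : '';
        printf(
            '<p><label>%1$s <input type="text" name="easy_table_plugin_option[%1$s]" value="%2$s"></label></p>',
            esc_attr( $key ),
            esc_attr( $val )
        );
    }
    submit_button();
    echo '</form>';
}
```

The two layers are independent on purpose: the sanitize callback keeps junk out of the database, and esc_attr() at output protects the page even for values that were saved before the callback existed. settings_fields() is what ties the form to the nonce that options.php checks, which is the CSRF protection the first reply refers to.
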
    Thread Starter advidsec

    (@advidsec)

    Good copy & paste, GL ??

  • The topic ‘Persistent Cross-Site Scripting’ is closed to new replies.