• Resolved netiad

    (@netiad)


    Hello,

    I found a cross-site scripting (XSS) vulnerability in front-end-pm.

    Here is the attack scenario:

    UserA sends a message to UserB with the following in the message body:

    <script>alert(1)</script>

    UserB views the message and the javascript written above executes (displays a pop up).

    This is a simple example that demonstrates how UserA can run javascript on UserB computer.

    As a result any user can send malicious javascript and when the unknowing other user reads the message it will execute on their computer.

    The explanation and fix is here in the section “Cross-site scripting”

    How to fix the intentionally vulnerable plugin

    https://www.ads-software.com/plugins/front-end-pm/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Shamim Hasan

    (@shamim51)

    Thank you for letting me know.
    An security update has already been published. Please update this plugin as soon as possible.

    Also please try and let me know immediately if you found any bug (specially security related)

    Thanks again.

    Thread Starter netiad

    (@netiad)

    okay, thanks!

    Also, can you try the following on a host that doesn’t have “Mod_Security” (maybe try on your local computer). My host uses Mod_Security so it blocks it but the plugin looks vulnerable to it:

    https://your_url.com/messages/?fepaction=newmessage&to=%3Cscript%3Ealert(1)%3C/script%3E

    same with other items: message_to, etc…

    Plugin Author Shamim Hasan

    (@shamim51)

    If you see code you will see that “to” is not using directly from GET. It is passing to fep_get_userdata() function which use get_user_by() function. It applies to other items message_to etc also.

    After that also if you think it is vulnerable please give me explanation. It will be easy for me to understand and solve the issue.

    Thanks

    Thread Starter netiad

    (@netiad)

    Excellent! Thanks!

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘URGENT: Cross-site Scripting Vulnerability’ is closed to new replies.