Title: Persistent XSS in Media File Renamer V1.7.0 wordpress plugin
Date: 1/31/2014
Author: Larry W. Cashdollar, @_larry0
Vendor: Notified 2/4/2014
CVE: 2014-2040
Download:
http://www.meow.fr/media-file-renamer/
Vulnerability:
The following functions do not sanitize input before it is echoed out:
In file mfrh_class.settings-api.php:
// Settings-API field renderer for a multi-checkbox option group.
// $args: 'id', 'section', 'std' (default), 'options' (key => label), 'desc'.
// Returns nothing; the assembled markup is echoed directly at the end.
// NOTE(review): this listing is quoted-printable encoded ("=3D" is "=",
// "=20" is a trailing space, a bare "=" is a soft line break) and the HTML
// inside each sprintf template was stripped in transit -- only the
// format placeholders survive, so the exact attribute/element context of
// each value cannot be confirmed from here.
166 function callback_multicheck( $args ) {
// $value is whatever get_option() returns for this id/section; its source
// (presumably the stored plugin options) is not visible in this excerpt.
167 $value =3D $this->get_option( $args['id'], $args['section'], =
$args['std'] );
168 =20
169 $html =3D '';
170 foreach ( $args['options'] as $key =3D> $label ) {
171 $checked =3D isset( $value[$key] ) ? $value[$key] : '0';
// $args['section'], $args['id'] and $key go straight into the template
// with no esc_attr(); only the checked() helper output is inert markup.
// ("$a rgs" is a mail-wrapping artefact of $args.)
172 $html .=3D sprintf( '
', $args['section'], $a rgs['id'], $key, checked( $checked, $key, =
false ) );
// $label (%3$s) is placed into element text with no esc_html().
173 $html .=3D sprintf( '
%3$s
', $args['section'], $args['id'], $label, $key );
174 } =20
// $args['desc'] is interpolated unescaped. Which of $label, $key or
// $args['desc'] ends up carrying the media title from the PoC is not
// visible here; esc_html() on text and esc_attr() on attributes would
// close the sink regardless.
175 $html .=3D sprintf( '
%s', $args['desc'] );
176 =20
// Nothing escapes $html between assembly and output.
177 echo $html;
178 } =20
// Settings-API field renderer for a radio-button option group. Same
// structure as callback_multicheck: builds $html from $args and echoes it.
// $args: 'id', 'section', 'std' (default), 'options' (key => label), 'desc'.
// NOTE(review): quoted-printable listing ("=3D" is "=", "=20" is a trailing
// space, bare "=" is a soft line break); the HTML in the sprintf templates
// was stripped in transit, so only the placeholders are visible. The
// stray "186=20" line is the original source line number, not code.
function callback_radio( $args ) {
186=20
187 $value =3D $this->get_option( $args['id'], $args['section'], =
$args['std'] );
188 =20
189 $html =3D '';
190 foreach ( $args['options'] as $key =3D> $label ) {
// $args['section'], $args['id'] and $key are inserted with no esc_attr();
// checked( $value, $key, false ) is the only part that is inert markup.
// ("$ key" is a mail-wrapping artefact of $key.)
191 $html .=3D sprintf( '
', $args['section'], $args['id'], $ key, checked( $value, $key, false =
) );
// $label (%3$s) is inserted into element text with no esc_html().
192 $html .=3D sprintf( '
%3$s
', $args['section'], $args['id'], $label, $key );
193 } =20
// $args['desc'] is interpolated unescaped -- same sink as in
// callback_multicheck; esc_html( $args['desc'] ) would neutralise it.
194 $html .=3D sprintf( '
%s', $args['desc'] );
195 =20
// Nothing escapes $html between assembly and output.
196 echo $html;
197 }
// Settings-API field renderer for a WYSIWYG (wp_editor) option.
// $args: 'id', 'section', 'std' (default), optional 'size', 'desc'.
// Echoes wrapper markup around a wp_editor() instance, then the description.
// NOTE(review): quoted-printable listing ("=3D" is "=", "=20" is a trailing
// space, bare "=" is a soft line break); the two echo'd wrapper strings and
// the final sprintf template had their HTML stripped in transit.
function callback_wysiwyg( $args ) {
250=20
// Stored value is run through wpautop() (paragraph wrapping), not escaped;
// it is then handed to wp_editor(), which manages its own output.
251 $value =3D wpautop( $this->get_option( $args['id'], =
$args['section'], $args['std'] ) );
// $size defaults to '500px'; it is not used in the visible lines, so it
// presumably went into the stripped wrapper markup below -- if so, it is
// another unescaped value (esc_attr()) unless 'size' is never user-set.
252 $size =3D isset( $args['size'] ) && !is_null( $args['size'] =
) ? $args['size'] : '500px';
253=20
254 echo '
';
255=20
// Editor id/name is built by string concatenation from $args['section']
// and $args['id'] with no escaping; wp_editor() is a core WP function.
256 wp_editor( $value, $args['section'] . '[' . $args['id'] . =
']', array( 'teeny' =3D> true, 'textarea_rows' =3D>=20
10 ) );
257=20
258 echo '
';
259=20
// $args['desc'] is echoed unescaped -- the same description sink as the
// other callbacks; esc_html( $args['desc'] ) would neutralise it.
260 echo sprintf( '
%s
', $args['desc'] );
261 }
PoC: If a user with permission to add or edit media uploads a file with "<script>alert(1)</script>" as the title, they can trigger an XSS against the site admin user.
Full Advisory:
http://www.vapid.dhs.org/advisories/wordpress/plugins/MediaFileRenamer-1.7.0/index.html