[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] [CVE-2017-15867] Multiple Cross-Site Scripting (XSS) vulnerabilities in User Login History Word
From: <nicolas.buzy-debat () orange ! com>
Date: 2017-10-30 7:10:29
Message-ID: 29960_1509347429_59F6D065_29960_313_2_6AB2D331DE4A31449464D20926760F7902D4DC97 () OPEXCLILM24 ! corporate ! adroot ! infra ! ftgroup
[Download RAW message or body]
Product: User Login History Wordpress Plugin - \
https://wordpress.org/plugins/user-login-history/
Vendor: Er Faiyaz Alam
Tested version: 1.5.2
CVE ID: CVE-2017-15867
** CVE description **
Multiple cross-site scripting (XSS) vulnerabilities in the user-login-history plugin through \
1.5.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) \
date_from, (2) date_to, (3) user_id, (4) username, (5) country_name, (6) browser, (7) \
operating_system, or (8) ip_address parameter to admin/partials/listing/listing.php.
** Technical details **
The above-mentioned HTTP GET parameters are directly put into the value attribute of an HTML \
form field without proper sanitization. An attacker can close the HTML input tag with the "> \
(%22%3E) expression and inject arbitrary HTML/JavaScript code.
Example of the vulnerable code with the date_from parameter (line 21):
<td><input readonly="readonly" autocomplete="off" placeholder="<?php _e("From", \
"user-login-history") ?>" id="date_from" name="date_from" value="<?php echo \
isset($_GET['date_from']) ? $_GET['date_from'] : "" ?>" class="textfield-bg"></td>
** Proof of Concept **
Example using the user_id parameter:
http://<host>/wordpress/wp-admin/admin.php?page=user-login-history&user_id=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E
** Solution **
Update to version 1.6.
** Timeline **
15/10/2017: vendor contacted
15/10/2017: vendor acknowledgment
18/10/2017: fix pushed to GitHub
30/10/2017: fixed release available on WordPress Plugins Store.
** Credits **
Vulnerability discovered by Nicolas Buzy-Debat working at Orange Cyberdefense Singapore \
(CERT-LEXSI).
** References **
- WordPress-plugin-user-login-history GitHub : error log and xss and some minor improvements
https://github.com/faiyazalam/WordPress-plugin-user-login-history/commit/519341a7dece59e2c589b908a636e6cf12a61741
--
Best Regards,
Nicolas Buzy-Debat
Orange Cyberdefense Singapore (CERT-LEXSI)
_________________________________________________________________________________________________________________________
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou \
privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si \
vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi \
que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange \
decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
This message and its attachments may contain confidential or privileged information that may be \
protected by law; they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and \
its attachments. As emails may be altered, Orange is not liable for messages that have been \
modified, changed or falsified. Thank you.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic