Message-ID: <20130314084710.GA12061@kludge.henri.nerv.fi>
Date: Thu, 14 Mar 2013 10:47:10 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: plugins@...dpress.org
Subject: Re: CVE-2009-4168: WordPress plugin vkontakte-api XSS vulnerability
On Mon, Mar 11, 2013 at 09:44:33AM +0200, Henri Salo wrote:
> Plugin URL: http://wordpress.org/extend/plugins/vkontakte-api/
> Affected file: tagcloud.swf 368b01e1728111f99d93ac5805d97abbb899a910
> PoC: wp-content/plugins/vkontakte-api/swf/tagcloud.swf?mode=tags&tagcloud=<tags><a+href=%27javascript:alert%28document.cookie%29%27+style=%27font-size:+40pt%27>oss-security</a></tags>
> Affected versions: 1.21, 1.22, 1.23, 1.24, 1.25, 1.26, 1.27, 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.7
>
> Currently no fix available.
WordPress plugin-guys replied Mon, 11 Mar 2013 21:32:52 +0000
"Closed this morning :)"
Now the changelog says:
------------------------------------------------------------------------
r681668 | kowack | 2013-03-14 09:39:40 +0200 (Thu, 14 Mar 2013) | 1 line
2.7 to 3.0
------------------------------------------------------------------------
r681323 | kowack | 2013-03-13 18:04:13 +0200 (Wed, 13 Mar 2013) | 1 line
amen
------------------------------------------------------------------------
r681320 | kowack | 2013-03-13 18:01:49 +0200 (Wed, 13 Mar 2013) | 1 line
major update, may has bugs :(
------------------------------------------------------------------------
r568584 | kowack | 2012-07-07 09:49:19 +0300 (Sat, 07 Jul 2012) | 1 line
And it seems that tagcloud.swf is removed from version 3.0 of the plugin.
Changelog does not include CVE nor notification about security issues fixed.
Well at least it is fixed.
--
Henri Salo
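
For administrators checking whether the affected file is still deployed, the following is an added example, not part of the original message or the plugin's code. It walks a WordPress root and reports a file at the plugin path named in the advisory, plus any .swf whose digest matches the value given there. It assumes the 40-hex-digit value in the advisory is a SHA-1 digest; the function names and exit-code convention are hypothetical.

```python
import hashlib
import os
import sys

# Values taken from the advisory quoted above (digest assumed to be SHA-1).
AFFECTED_SHA1 = "368b01e1728111f99d93ac5805d97abbb899a910"
AFFECTED_RELPATH = os.path.join(
    "wp-content", "plugins", "vkontakte-api", "swf", "tagcloud.swf")


def sha1_of(path, chunk=65536):
    """Return the hex SHA-1 of a file, read in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def audit(wp_root, sha1=AFFECTED_SHA1):
    """Return sorted (relative_path, reason) findings under wp_root.

    known-path : a file exists at the plugin path named in the advisory
    hash-match : any .swf whose SHA-1 equals the given digest, which also
                 catches renamed or relocated copies
    unreadable : a .swf that could not be hashed and needs a manual look
    """
    findings = set()
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            if not name.lower().endswith(".swf"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, wp_root)
            if rel == AFFECTED_RELPATH:
                findings.add((rel, "known-path"))
            try:
                if sha1_of(full) == sha1.lower():
                    findings.add((rel, "hash-match"))
            except OSError:
                findings.add((rel, "unreadable"))
    return sorted(findings)


if __name__ == "__main__":
    results = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, reason in results:
        print(f"{reason}\t{rel}")
    sys.exit(1 if results else 0)  # non-zero exit when anything is found
```

A "known-path" finding without a "hash-match" means a file sits at the plugin path but is not byte-identical to the one in the advisory.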