Posts

Currently showing posts from May 2017

A stored xss vulnerability in "/account/details.php" of WebsiteBaker 2.10.0

Description:
WebsiteBaker 2.10.0 has a stored XSS vulnerability in "/account/details.php".

Details:
More details will be released after it is fixed (90 days after the fix).

Credit:
This bug was discovered by ADLab of VenusTech.

Details(public):
-------------------------------------------------------------------------------------------------------------
In "/account/details.php":
    Line 22 has a variable named $display_name which can be controlled from the browser side.
    Line 47 writes $display_name to the database with escapeString.

After checking the HTML, we found that $display_name bypasses escapeString: escapeString only escapes the value for the SQL statement, so the string that is stored, and later rendered back into the page, is the original one, and its double quote closes the attribute value it is placed in.

POC: 
   URL: http://localhost/websitebaker/account/preferences.php
   POST:action=details&display_name=233" onfocus="alert(/xss/)" autofocus="123



A Reflected XSS Vulnerability in WordPress plugin "raygun4wp 1.8.0.0"

Description:
A Reflected XSS Vulnerability in WordPress plugin "raygun4wp 1.8.0.0"

Status:
Fixed from version 1.8.1

Details:
This vulnerability exists in the file "raygun4wp/sendtesterror.php"; the critical code is shown in the following screenshot:

(screenshot of the relevant code in sendtesterror.php, lines 50 to 54, not reproduced here)
>> Line 50 shows that the variable $previousUrl comes from the browser side, so it can be controlled by the user.

>> Line 54 shows that the server side performs no checking or encoding of $previousUrl before writing it into the response HTML, so if $previousUrl contains JavaScript code, that code is executed on the browser side.

So if an attacker constructs a special URL like the following and sends it to a victim, when the victim clicks the URL the code contained in it is executed in the victim's browser:
http://localhost/wordpress/wp-content/plugins/raygun4wp/sendtesterror.php?backurl="/><script>alert("hacked");</script>
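This plugin bug and the WebsiteBaker display_name bug above are the same mistake: a browser-controlled string is placed inside a double-quoted HTML attribute without entity encoding. The Python below is an added example, not code from either project. It renders the two advisories' payloads into hypothetical stand-ins for the vulnerable lines (the tag and attribute names are assumptions, since the real markup is only in the screenshot) and then parses the result back, the way a browser would, to show which tags and attributes actually come out, with and without html.escape.

```python
import html
from html.parser import HTMLParser

# The two payloads quoted in the advisories on this page, verbatim.
RAYGUN_BACKURL = '"/><script>alert("hacked");</script>'
WB_DISPLAY_NAME = '233" onfocus="alert(/xss/)" autofocus="123'


def render_back_link(back_url, encode):
    """Hypothetical stand-in for the line in sendtesterror.php that writes
    $previousUrl into the response (the real markup is only in the screenshot).
    encode=False reproduces the bug; encode=True entity-encodes the value for
    the attribute context, which is the fix."""
    value = html.escape(back_url, quote=True) if encode else back_url
    return '<a href="%s">Back</a>' % value


def render_display_name(display_name, encode):
    """Hypothetical stand-in for the WebsiteBaker preferences form echoing the
    stored display name. SQL escaping on the way in does nothing here: what was
    stored, and what comes back out, is the original string."""
    value = html.escape(display_name, quote=True) if encode else display_name
    return '<input type="text" name="display_name" value="%s">' % value


class TagCollector(HTMLParser):
    """Records every start tag the parser sees, with its attribute names."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def parse_tags(markup):
    """Parse markup and return [(tag, [attr, ...]), ...] in document order."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def breaks_out(markup, expected_tag, allowed_attrs):
    """True if the rendered markup carries any tag other than the one we meant
    to emit, or any attribute on it that we did not write ourselves."""
    for tag, attrs in parse_tags(markup):
        if tag != expected_tag or not set(attrs) <= set(allowed_attrs):
            return True
    return False


if __name__ == "__main__":
    cases = [
        ("raygun4wp backurl", render_back_link, RAYGUN_BACKURL, "a", ["href"]),
        ("WebsiteBaker display_name", render_display_name, WB_DISPLAY_NAME,
         "input", ["type", "name", "value"]),
    ]
    for label, render, payload, tag, allowed in cases:
        for encode in (False, True):
            markup = render(payload, encode)
            print("%s, encode=%s: %s" % (label, encode, parse_tags(markup)))
            print("  breaks out of the attribute:", breaks_out(markup, tag, allowed))
```

The parsed view is the point: with encoding off, the raygun4wp payload produces a second start tag (script) and the WebsiteBaker payload produces two attributes (onfocus, autofocus) that nobody wrote; with html.escape(quote=True) each render yields exactly one tag with exactly the intended attributes. Encoding has to match the context: attribute values need quote=True, and a value dropped into a script block or used as a URL scheme would need different treatment again.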
Reference:
https://github.com/MindscapeHQ/raygun4wordpress/issu…

A SQL injection vulnerability in "/account/details.php" of WebsiteBaker 2.10.0

Description:
WebsiteBaker 2.10.0 has a SQL injection vulnerability in "/account/details.php".

Details:
More details will be released after it is fixed (90 days after the fix).

Credit:
This bug was discovered by ADLab of VenusTech.

Details(public):
-------------------------------------------------------------------------------------------------------------
In "/account/details.php":
    Line 22 has a variable named $display_name which can be controlled from the browser side; line 44 uses it in a SQL query, which triggers a SQL injection.

After checking the HTML, we found that $display_name bypasses escapeString: escapeString is only applied later, at line 47, so the query on line 44 receives the raw value and the single quote in the payload closes the string literal.

POC: 
   URL: http://localhost/websitebaker/account/preferences.php
   POST:action=details&display_name=24444' union select sleep(6)%23
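The PoC above is a time-based probe: if the single quote ends the literal and the remainder is parsed as SQL, the server stalls for six seconds. The Python below is an added example, not WebsiteBaker code, that reproduces the lookup the advisory describes on an in-memory SQLite database. Assumptions: a hypothetical users table; MySQL's "#" comment replaced by "--" because SQLite does not recognise "#"; and a fake sleep() registered on the connection that records the call instead of blocking, so the script can show the injected SELECT reaching the engine with string interpolation and not with a bound parameter.

```python
import sqlite3

# The advisory's payload, with MySQL's "#" line comment swapped for "--"
# because the demo engine is SQLite (assumption: the rest behaves the same).
PAYLOAD = "24444' union select sleep(6)--"

# Every call the fake sleep() receives; cleared before each probe.
sleep_calls = []


def fake_sleep(seconds):
    """Stand-in for MySQL's SLEEP(): records the call instead of blocking, so
    the script can tell whether the injected SELECT reached the engine."""
    sleep_calls.append(seconds)
    return 0


def make_db():
    """Hypothetical users table; SQLite has no sleep(), so register ours."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, fake_sleep)
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, display_name TEXT)")
    conn.executemany("INSERT INTO users (display_name) VALUES (?)",
                     [("admin",), ("alice",)])
    return conn


def lookup_vulnerable(conn, display_name):
    """String interpolation, the pattern the advisory describes for line 44:
    the raw value is spliced into the statement, so a quote ends the literal."""
    sql = "SELECT user_id FROM users WHERE display_name = '%s'" % display_name
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, display_name):
    """Bound parameter: the value travels separately from the statement and
    can never change its structure, whatever characters it contains."""
    sql = "SELECT user_id FROM users WHERE display_name = ?"
    return [row[0] for row in conn.execute(sql, (display_name,))]


def probe(lookup, display_name=PAYLOAD):
    """Run one lookup on a fresh database and report
    (rows returned, whether sleep() was invoked)."""
    sleep_calls.clear()
    rows = lookup(make_db(), display_name)
    return rows, bool(sleep_calls)


if __name__ == "__main__":
    print("vulnerable:", probe(lookup_vulnerable))
    print("fixed:     ", probe(lookup_fixed))
    print("fixed, normal input:", probe(lookup_fixed, "alice"))
```

With interpolation the injected UNION runs, sleep() is called and the result set contains the value it returned instead of a real user_id; with a bound parameter the payload is just a display name that matches nobody. The MySQL-style escaping that escapeString provides would keep the payload inside the literal, but only where it is actually applied, and the advisory's point is that line 44 runs before line 47. Bound parameters remove that ordering question entirely; they also sidestep the fact that backslash escaping is dialect-specific (SQLite, for one, does not treat a backslash as an escape character at all).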