withinsecurity: Content Spoofing OR Text Injection in https://withinsecurity.com

2016-01-16T11:32:33
ID H1:111094
Type hackerone
Reporter deepaktest30
Modified 2016-01-20T11:31:02

Description

Hi,

I just found a Content Spoofing OR Text-based Injection vulnerability in https://withinsecurity.com that I would like to get fixed. Below are the POC and the steps to reproduce the issue.

1] Go to https://withinsecurity.com.

2] Then just change the above URL like this: https://withinsecurity.com/wp-admin/ . It redirects to https://accounts.google.com/o/oauth2/auth?response_type=code&redirect_uri=https%3A%2F%2Fwithinsecurity.com%2Fwp-login.php&client_id=484006783216-3i2lf5d4bdga5a8lfmcap7cbq43obg4u.apps.googleusercontent.com&scope=openid+email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&access_type=online&approval_prompt=auto&state=cb04a91ac5%257Chttps%253A%252F%252Fwithinsecurity.com%252Fwp-admin%252F [I'm authenticated in Google, that's why].

3] Then click on the "Deny" button; I got this page: https://withinsecurity.com/wp-login.php?error=access_denied&state=cb04a91ac5%257Chttps%253A%252F%252Fwithinsecurity.com%252Fwp-admin%252F#

4] In the above page, I found the "error" parameter is vulnerable to Content Spoofing OR Text-based Injection attacks.

5] Ok, we need to change the above URL like this: https://withinsecurity.com/wp-login.php?error=Your%20account%20has%20been%20hacked%2C%20Please%20call%20us%20this%20number%20919876543210%20OR%20Drop%20mail%20at%20attacker%40mail.com&state=cb04a91ac5%257Chttps%253A%252F%252Fwithinsecurity.com%252Fwp-admin%252F#

6] Once the above page loads, the user-supplied text/content is displayed on the vulnerable page.

7] That means the above-mentioned URL's "error" parameter is vulnerable to Content Spoofing OR Text Injection.

8] My OS is Windows 7 & Firefox 43.0.4.

9] Let me know if you have any query.

Thanks & Regards,
Deepak
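The fix the report asks for, as an added example that is not withinsecurity.com's or WordPress's own code: instead of echoing the `error` query value into the login page, map it to a fixed message keyed by the standard OAuth2 error codes from RFC 6749 section 4.1.2.1, and flag any other value for alerting. The message strings are constructed for this example; the two sample URLs are the legitimate and the spoofed ones from the report above.

```python
"""Defender-side handling of the wp-login.php ``error`` parameter (added example)."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Fixed messages keyed by the OAuth2 error codes defined in RFC 6749, 4.1.2.1.
# Only these strings are ever rendered; the raw parameter is never echoed.
OAUTH_ERROR_MESSAGES = {
    "invalid_request": "The sign-in request was malformed. Please try again.",
    "unauthorized_client": "This site is not authorized to use Google sign-in.",
    "access_denied": "You declined to share your Google account, so you were not signed in.",
    "unsupported_response_type": "The sign-in request used an unsupported response type.",
    "invalid_scope": "The sign-in request asked for an invalid scope.",
    "server_error": "The sign-in provider returned an error. Please try again later.",
    "temporarily_unavailable": "The sign-in provider is temporarily unavailable.",
}
GENERIC_MESSAGE = "Sign-in failed. Please try again."

# URLs taken from the report: the real Google "Deny" redirect and the spoofed one.
LEGIT_URL = ("https://withinsecurity.com/wp-login.php?error=access_denied"
             "&state=cb04a91ac5%257Chttps%253A%252F%252Fwithinsecurity.com%252Fwp-admin%252F#")
SPOOF_URL = ("https://withinsecurity.com/wp-login.php?error=Your%20account%20has%20been%20hacked"
             "%2C%20Please%20call%20us%20this%20number%20919876543210%20OR%20Drop%20mail%20at"
             "%20attacker%40mail.com&state=cb04a91ac5%257Chttps%253A%252F%252Fwithinsecurity.com"
             "%252Fwp-admin%252F#")


def error_code(url: str) -> Optional[str]:
    """Return the decoded ``error`` query value, or None if it is absent."""
    values = parse_qs(urlsplit(url).query).get("error")
    return values[0] if values else None


def vulnerable_message(url: str) -> str:
    """The pattern the report describes: the parameter is reflected verbatim."""
    return "Error: " + (error_code(url) or "")


def safe_message(url: str) -> str:
    """Hardened form: known codes map to fixed text, anything else gets a generic message."""
    return OAUTH_ERROR_MESSAGES.get(error_code(url) or "", GENERIC_MESSAGE)


def is_spoof_attempt(url: str) -> bool:
    """Detection hook: an ``error`` value that is not a known OAuth2 code is worth logging."""
    code = error_code(url)
    return code is not None and code not in OAUTH_ERROR_MESSAGES


if __name__ == "__main__":
    for url in (LEGIT_URL, SPOOF_URL):
        print(is_spoof_attempt(url), "|", vulnerable_message(url), "|", safe_message(url))
```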