Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress 404 to 301 Plugin 2.2.8 - Persistent Cross-Site Scripting Vulnerability

🗓️ 08 Nov 2016 00:00:00Reported by Alyssa MilburnType 
zdt
 zdt🔗 0day.today👁 30 Views

WordPress 404 to 301 Plugin 2.2.8 - Cross-Site Scripting Vulnerabilit

Code
Source: https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_404_to_301_wordpress_plugin.html
 
Stored Cross-Site Scripting vulnerability in 404 to 301 WordPress Plugin
 
Abstract
 
A stored Cross-Site Scripting vulnerability was found in the 404 to 301 WordPress Plugin. This issue can be exploited by an anonymous user and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.
 
Contact
 
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
 
The Summer of Pwnage
 
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
 
OVE ID
 
OVE-20160719-0003
 
Tested versions
 
This issue was successfully tested on 404 to 301 WordPress Plugin version 2.2.8.
 
Fix
 
This issue is resolved in 404 to 301 WordPress Plugin version 2.3.1.
 
Introduction
 
The 404 to 301 WordPress Plugin automatically redirects, logs and notifies all 404 page errors to any page using 301 redirect for SEO. A Stored Cross-Site Scripting vulnerability exists in the 404-to-301 WordPress plugin.
 
Details
 
The vulnerability exists in the file admin/class-404-to-301-logs.php, which fails to correctly escape user-controlled strings which are output in HTML tables containing logs shown to site administrators, such as the Referer (ref) and User-Agent (ua) fields.
 
In order to exploit this issue, after an attack attempt has been made, an administrator must view the logs (via the WordPress administration console) provided by the plugin, by clicking '404 Error Logs'.
 
Proof of concept
 
Submit an HTTP request to a non-existent URL (to trigger the 404 handler) containing a header such as one of the following:
 
Referer: "<iframe src=/></iframe>
User-Agent: "<script>alert(/hi/);</script>

#  0day.today [2018-03-31]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Nov 2016 00:00Current
0.2Low risk
Vulners AI Score0.2
wordpress404 to 301cross-site scriptingvulnerabilitysummer of pwnagesecurifyove-20160719-0003version 2.3.1seohttp requestproof of concept
30