Информационная безопасность
[RU] switch to English


Дополнительная информация

  Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  [SECURITY] [DSA 3343-1] twig security update

  CVE-2015-6535: Stored XSS in YouTube Embed (WordPress plugin) allows admins to compromise super admins

  Jenkins 1.626 - Cross Site Request Forgery / Code Execution

  Dogma India dogmaindia CMS - Auth Bypass Vulnerability

From:grajalerts_(at)_gmail.com <grajalerts_(at)_gmail.com>
Date:26 октября 2015 г.
Subject:CVE-2015-7377: Unauthenticated Reflected XSS in Pie Register WordPress Plugin




Details
================
Software: Pie Register
Version: 2.0.18
Homepage: https://github.com/GTSolutions/Pie-Register
CVE: CVE-2015-7377 (Pending)
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79

Description
================
An unauthenticated reflected XSS vulnerability in Pie Register 2.0.18 allows malicious script injection via the invitaion_code parameter.  Pie Register is a WordPress plugin with over 10,000 active installs.

Vulnerability
================
The vulnerability is due to the unsanitized GET parameter invitaion_code:

From: pie-register/pie-register.php:
647: $inv_code = base64_decode($_GET['invitaion_code']);
. . .
662: <h2><?php _e("Activation Code","piereg");echo " : ".$inv_code; ?></h2>

Proof of concept
================
The payload is Base64 encoded.

http://localhost/wordpress/?page=pie-
register&show_dash_widget=1&invitaion_code=PHNjcmlwdD5hbGVydCgxKTwvc2NyaX
B0Pg==

Tested on Firefox 41.0 and Chrome 45.0.2454.85.

Remediation
================
Upgrade the plugin to version 2.0.19.

Timeline
================
2015-09-23: Discovered
2015-09-24: Contacted vendor via website support form
2015-08-24: Requested CVE
2015-09-28: Vendor supplied security contact email
2015-09-30: Report sent to vendor and wordpress.org
2015-10-02: Vendor releases version 2.0.19 on Github - confirmed fixed
2015-10-12: Public Disclosure

References
================
[1] http://codex.wordpress.org/Data_Validation

Discovered by
================
David Moore @grajagandev

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород