
report reflected xss vulnerability #795

Closed
strongPiggg opened this issue Nov 13, 2019 · 4 comments

Comments


strongPiggg commented Nov 13, 2019


Site Info

WordPress Version: Latest
QSM Version: 6.3.3 and 6.3.4
Browser: chrome 78.0.3904.87

General description

Quiz And Survey Master – Best Quiz Plugin for WordPress is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via the from or till parameter. The component is: /quiz-master-next/php/admin/quiz-options-page.php:162. The attack vector is: When the Administrator is logged in, a reflected XSS may execute upon a click on a malicious URL.

Special conditions must be met in order to exploit this vulnerability:
The WordPress security feature wp_magic_quotes(), which is enabled by default, has to be disabled.

Vulnerable code: /quiz-master-next/php/admin/quiz-options-page.php:162

```php
161    <input type="text" id="edit_quiz_name" name="edit_quiz_name" value="<?php echo $quiz_name; ?>" />
162    <input type="hidden" id="edit_quiz_id" name="edit_quiz_id" value="<?php echo isset($_GET['quiz_id']) ? $_GET['quiz_id'] : ''; ?>" />
163    <?php wp_nonce_field( 'qsm_edit_name_quiz', 'qsm_edit_name_quiz_nonce' ); ?>
164  </form>
```

$_GET['quiz_id'] <= needs escaping.

Expected behavior

nothing.

Actual behavior

Reflected XSS: the victim may click the malicious URL. (Administrator must be logged in.)

Steps to reproduce the behavior

https://domain.tld/wp-admin/admin.php?page=mlw_quiz_options&quiz_id=<PAYLOAD>
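As an added example (not the plugin's code and not the change made in #796), here is a plain-PHP stand-in for the reported line 162 next to a hardened version. It assumes plain PHP only: the `(int)` cast and `htmlspecialchars()` play the role that `absint()` and `esc_attr()` play inside WordPress.

```php
<?php
// Added example, not code from the Quiz And Survey Master plugin.
// Demonstrates why the reflected quiz_id must be validated and escaped
// before it is echoed into an HTML attribute, and what the hardened output
// looks like. Assumption: plain PHP; in WordPress use absint() + esc_attr().

function render_quiz_id_input_vulnerable(array $get): string
{
    // Same shape as the reported line: raw query value echoed into value="".
    $id = isset($get['quiz_id']) ? $get['quiz_id'] : '';
    return '<input type="hidden" id="edit_quiz_id" name="edit_quiz_id" value="'
        . $id . '" />';
}

function render_quiz_id_input_hardened(array $get): string
{
    // 1. Validate: a quiz id is a database row id, so only a non-negative
    //    integer is acceptable (WordPress equivalent: absint()).
    $id = isset($get['quiz_id']) ? max(0, (int) $get['quiz_id']) : 0;

    // 2. Escape on output anyway (defence in depth; WordPress: esc_attr()).
    //    ENT_QUOTES makes sure both " and ' cannot terminate the attribute.
    $safe = htmlspecialchars((string) $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return '<input type="hidden" id="edit_quiz_id" name="edit_quiz_id" value="'
        . $safe . '" />';
}

// Constructed input (not a real request): a value that closes the attribute
// and injects a harmless marker element, enough to show the breakout.
$constructed_get = ['quiz_id' => '7"><injected>'];

// Vulnerable: the quote ends value="" and <injected> lands in the page.
echo render_quiz_id_input_vulnerable($constructed_get), PHP_EOL;
// Hardened: the integer cast keeps only "7"; nothing else reaches the markup.
echo render_quiz_id_input_hardened($constructed_get), PHP_EOL;
```

Note that neither step depends on magic quotes: backslash-escaping a quote does not stop it from terminating an HTML attribute, which is why the fix belongs at the output (escaping) and validation layers rather than in request pre-processing.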
vikasprogrammer (Member) commented

Thanks for finding a security flaw in our plugin and notifying us. Please give us an opportunity to fix it before you send a notification to WordPress.

vikasprogrammer (Member) commented

Our team member has solved this issue using #796. Please verify this on the dev branch and then we will release in the next update.

strongPiggg (Author) commented

What has changed? I can't understand. It looks like it is still vulnerable; it just adds a "space".
Please check again. I think something is wrong.

samitshah7493 added a commit that referenced this issue Nov 20, 2019
vikasprogrammer added a commit that referenced this issue Nov 20, 2019
strongPiggg (Author) commented

Good!
