
[Urgent] Fix reflected XSS in new_window.php #63

Closed
wants to merge 1 commit into
base: master
from

2 participants
@Framartin (Contributor) commented Aug 21, 2017

new_window.php is vulnerable to 2 reflected XSS:

  • from the url parameter: /wp-content/plugins/share-on-diaspora/new_window.php?url=%3Cimg%20src=x%20onerror=alert(%22xss%22)%3E. Note that this XSS was publicly disclosed (not by me), so fixing the vulnerability is urgent.
  • from the title parameter, if the following condition on line 264 is true: /wp-content/plugins/share-on-diaspora/new_window.php?url=test.com&title=>%27>"><img%20src=x%20onerror=alert(0)>

Please check that there is no other XSS left (for example using the name of diaspora* pods). I didn't check other files for XSS.
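The two reports above share one root cause: a query-string value is written into the response without escaping for the context it lands in. The following is an added example, not code from the share-on-diaspora plugin or from this PR: a minimal stand-in for a share page that reads url and title, shown first in the reflecting pattern and then in a hardened form. The function names, the page layout and the requirement that url be an http(s) URL are assumptions made for the example; the sample requests are the two payloads from the report plus a benign one.

```php
<?php
// Added example (not the share-on-diaspora plugin's own code): a minimal
// stand-in for a "share" page that reads ?url= and ?title= from the query
// string. Function names and the page layout are assumptions.

// Vulnerable pattern: query parameters are echoed straight into HTML, so
// <img src=x onerror=...> in either value becomes live markup.
function render_share_page_vulnerable(array $get): string {
    $url   = $get['url']   ?? '';
    $title = $get['title'] ?? '';
    return '<p>Sharing: ' . $title . '</p>'
         . '<a href="' . $url . '">' . $url . '</a>';
}

// Only http(s) URLs are accepted for an href. Escaping alone would not stop
// "javascript:" or "data:" URLs, which are perfectly valid attribute text.
function safe_http_url(string $url): ?string {
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Escape for an HTML attribute value or element text: ENT_QUOTES covers both
// single and double quotes, so the title payload cannot close the attribute.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: validate the URL, then escape every reflected value.
function render_share_page_hardened(array $get): string {
    $url   = safe_http_url((string) ($get['url'] ?? ''));
    $title = esc((string) ($get['title'] ?? ''));
    if ($url === null) {
        return '<p>Invalid URL.</p>';
    }
    $attr = esc($url);
    return '<p>Sharing: ' . $title . '</p>'
         . '<a href="' . $attr . '">' . $attr . '</a>';
}

// Constructed inputs: the two payloads from the report and a benign request.
$cases = [
    ['url' => '<img src=x onerror=alert("xss")>'],
    ['url' => 'test.com', 'title' => ">'>\"><img src=x onerror=alert(0)>"],
    ['url' => 'https://example.org/post', 'title' => 'Hello & welcome'],
];

foreach ($cases as $get) {
    echo "vulnerable: ", render_share_page_vulnerable($get), "\n";
    echo "hardened:   ", render_share_page_hardened($get), "\n\n";
}
```

Run with `php example.php`; the vulnerable renderer emits the `<img ... onerror=...>` tags verbatim, the hardened one emits `&lt;img ...&gt;` for the title and rejects the two non-http(s) url values. Inside a WordPress plugin the same two steps are `esc_url()` for the href (which also restricts the scheme to an allow list) and `esc_html()` / `esc_attr()` for text and attribute values; plain `htmlspecialchars` and `filter_var` are used here only so the script runs without WordPress loaded.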

@ciubotaru (Owner) commented Aug 22, 2017

First of all, please calm down. Nothing bad happened or is going to happen. The problem that you described is not a vulnerability. You provide a weird input and the plugin gives you a weird output. This does not affect the users of this plugin (owners of WordPress sites). It does not affect the users of Diaspora either. Nobody gets hurt. Not a vulnerability.

Well, yes, I can see how this can be used against WordPress site owners (or people registered on such websites). Given a relatively small number of plugin installations, the possibilities of attack are very moderate.

Of course, I will look at the patch, but please do not push it as urgent.

@Framartin (Contributor) commented Aug 22, 2017

Thanks for your reply. I'm glad that you have figured it out :-) If you have any questions on XSS, feel free to ask.

Yes, you're right: this vulnerability isn't critical (exploiting a reflected XSS requires targeting specific users and an interaction from them). But it's still a publicly available vuln, and finding the vulnerable websites is as easy as a Google search.

I marked it as urgent because, to be honest, as the last commit was 2 years ago, I was afraid that the project was abandoned and that I would never get a response from you. I'm happy to see that it's not the case. I don't know the exact usage statistics (Google found 966 results though). But if you are bothered by the [urgent] tag in the title, I can remove it. I don't care.

@ciubotaru (Owner) commented Aug 23, 2017

Merged into unstable branch. See fb6fae2.

@ciubotaru ciubotaru closed this Aug 23, 2017
